Google has an Android security problem

Opinion: Security is everyone's responsibility, not just those with the cash to upgrade.
Written by Zack Whittaker, Contributor
(Image: stock image via CNET/CBS Interactive)

In almost every security disclosure list, you'll usually find one company digging up the dirt on the most recent vulnerabilities: Google. The team, dubbed Project Zero, rips apart software to find and report flaws to the owner. The aim? To make the world a safer place.

And it doesn't always go well. This year alone, Google disclosed two security flaws in Microsoft's software, leaving the software giant fuming. The security team gave Microsoft three months to fix the flaw, or face public shaming. Apple's also been taken to task, with at least three zero-day flaws published ahead of its patching. (The benefit is that companies wake up and fix the flaw sooner rather than later. The obvious risk is that if it's not fixed, it's the user's problem.)

But while Google throws stones at its competitors, it's neglecting its own glass house full of users to protect.

Android remains the most popular mobile operating system in the world with over 81 percent of the worldwide market share. But only a fraction of Android's share is running the software's latest version, with the latest bug fixes, vulnerability patches, and security updates. Official stats say just shy of 10 percent are using Android 5.0 "Lollipop," with about 39 percent running the second latest version, Android 4.4 "KitKat."

That's a huge gap, but not close to even older versions. It's almost exactly split fifty-fifty down the middle between Android 4.3 and earlier -- including some 930 million devices that remain vulnerable to a security flaw Google won't fix, and Android 4.4 and later.

With about two weeks until the next version is announced -- Android "M" -- the fragmentation problem is expected to get worse. And that means security will get worse.

That's because not everyone gets the updates. Some Android devices aren't deemed compatible. That includes updates that include incremental security fixes (and features) known to mitigate malware threats and data leaks.

And it's not Google that determines who gets an upgrade. Google leaves it up to the carriers.

Carriers argue they need to test Android updates to determine whether or not a device will get an upgrade. When it's not the carriers, it's the phone makers. That's a problem because the software path is far quicker than the hardware path. Most devices will need a number of software updates over the course of their lifetimes, which usually last a year or two.

The problem is that most devices are never updated.

The one exception is Google's own brand of phones, the Nexus line-up, which remain continually updated with the latest patches and fixes. That includes the long-awaited device encryption the company promised late last year, along with Apple, in an effort to remove itself from the communications chain when the feds knock at its doors for user data.

That's where Google wins at the expense of the rest of Android's user base. Google is not at the mercy of the carriers, but does let the carriers walk all over it. As a result, Google's policy for a Nexus device versus every other device has created an ecosystem of fragmentation that affects the platform's security.

And that's entirely on Google's head. It's advantageous for the carriers to withhold software updates because they can better tempt users to buy newer devices instead. As for Google's tempting offer of upgradable Nexus devices, the company can pass itself off as a rival phone maker if it sells more than a few handfuls.

But at the end of the day, it's the users that get hurt. Android's reputation resets with the major release cycle while Android's some billion users are stuck on older versions, running buggy and flawed software that can easily be tampered with and targeted by hackers.

Editorial standards