So many Android devices. Too few updates.

Only 25 percent of Android handsets have Jelly Bean installed, according to developer.android.com. But nearly ten months after its initial release, shouldn't that adoption figure for Google's latest and most secure Android OS be much higher, especially given all the malware now targeting Androids? Like most things, it's complicated.

Unlike the typical PC ecosystem, the mobile ecosystem is much more fractured. In both worlds, you have hardware and OS, but in the mobile world you also have the carrier. Each player has the opportunity to tweak something. So that makes it hard for Google Android to adopt Microsoft's Patch Tuesday model of maintenance and security.

Most PCs have similar hardware, and I'll go so far as to say most PCs run Windows. If you're Microsoft, it is possible to create and test an update or even a full-scale service patch that will work on a vast majority of the Windows systems in the world today. With mobile (yes, even the iPhone) it's not so easy.

Mobile handsets vary, using various chipsets such as Motorola, ARM, and Qualcomm. Each of these has features that can be turned on or off by the handset maker. Then you have the OS. While a majority of the mobile phones today run Android, many are forked versions; that is, the handset maker has created and maintained its own version of the open source OS. Even if it's not a forked version, handset makers tweak the OS, enabling different features.

On the other side of the aisle, new iOS version adoption is much better, but still not 100 percent.

Then there's the carrier, which the PC doesn't have. Imagine if your ISP changed the version of Windows on your PC to work with their network. Carriers add their own interfaces and also their own apps, again asking that features within the chipsets and OS be configured to their specs.

This creates a bottleneck. Google creates a new version of Android, say 4.2, which is designed to fix all the known vulnerabilities within 4.1 and before, but version 4.2 also introduces new features. The handset manufacturers have to look at it first, then the carriers have to look at it. This sometimes takes months.

In February, Washington, D.C.-based privacy researcher Chris Soghoian sounded the alarm about the lack of updates on most Android mobile phones, warning that not only did malware find a place on these vulnerable devices, but there are also potential privacy issues, since personal information can be leached off the vulnerable phones remotely. The reality is that a lot of people do use older smartphones, and having different Android versions is a problem because there are old vulnerabilities that the bad guys can exploit. Thus the Android malware problem continues to grow.

More frequent updates will have negative effects for handset makers, however. For example, some consumers upgrade handsets to get the latest versions of Android and iOS. When the carriers start providing timely updates, the incentive to change handsets will decline. Then there's end of life—handset manufacturers discontinue their phones around 18 months, so should they continue to support OS updates on those older models? If so, how long should that support continue?

Think back to the early 2000s when Microsoft was dealing with email viruses like ILOVEYOU. It took Microsoft a while, but they started pushing out regular updates (at first as needed, then in 2004, Patch Tuesday was born, with every second Tuesday delivering new updates to your Windows machine). Google is attempting to address this, but there's no coordinated update schedule. At least not yet.

Apple, with its tight control of hardware and software, also has problems. Just because version 6.1 of their iOS is available doesn't guarantee that all users have clicked and installed it. Version 6 was initially hindered by the lack of Google Maps—adoption improved dramatically once the Google Maps app appeared on the iTunes store.

Google, with its loose control of Android suppliers, has attempted to bring everyone in the Android ecosystem together. In 2011, Google announced the Android Upgrade Alliance and cited a mix of manufacturers such as HTC, Samsung, Sony Ericsson, LG, and Motorola, and carriers all working together. That was nearly two years ago. Only now are we seeing updates passing through; however, there's yet another bottleneck: in most cases, the user has to accept the update and initiate the process, which can take up to 20 minutes for the new software to download and install on the phone.

Thus, adoption is still not what it should be for the latest version of Android. As a result, Google is pushing off the release of Key Lime Pie, the next version of Android, until a significant number of carriers push out Jelly Bean to the end user. Perhaps withholding the latest and greatest version of Android is enough to finally push adoption. Perhaps.

Don't know if your phone is running Jelly Bean? JR Raphael's Android Power blog maintains an upgrade update site to see when your particular phone will get its Jelly Bean update.

The views and opinions expressed in this post are those of the author and not necessarily those of the author's employer. The author has no direct financial interest in any product, service or company mentioned in this post.
