
Kenneth Van Wyk: The security implications of being stuck with an old Android OS

Vendors of Android smartphones have been slow in pushing updates to users. It's a weakness in Google's decentralized approach.

By Kenneth van Wyk
November 15, 2011 11:49 AM ET

Computerworld - There's been some disturbing news about Android security recently. It appears that many shipped Android-based devices are simply not getting system updates. Apart from getting righteously frustrated as consumers, we should also understand the short- and long-term effects this has on security.

According to Michael DeGusta's research, which he explained on his blog, TheUnderstatement, Android product vendors have pretty much gone with a practice of releasing their devices with a fairly current version of Android, and then releasing just one or two system updates in subsequent years, at best.

Thus, most Android handsets today are running Version 2.2.x or 2.3.x of Android, though Google just released 4.0 (a.k.a. "Ice Cream Sandwich"). To be fair, that sounds worse than it really is, since the 3.x branch was primarily for tablet-based systems, and much of the reason for 4.x is to unify the platform among smartphones and tablets better, which would be a very good thing.

Still, the majority of shipped Android devices that are still under warranty or two-year commitments with their service providers are running Android versions that are quite old and aren't likely to be updated anytime soon, even while still under active contract.

There are various reasons for this. Chief among them is the "fragmentation" of the Android ecosystem. Google releases code that is in turn adapted by hardware manufacturers, and that in turn is adapted by various service providers. The software release latency from Google to device is long in the best of situations, and insurmountably long in many others.

That's in stark contrast to Apple's more centralized approach. Indeed, every iPhone from the 3GS onward (as well as every iPad shipped) can run the latest iOS update, 5.0.1, and a staggering number of iOS users actually take Apple up on those free updates.

So what's the big deal? In the short term, consumers are forced to rely on products that lack security features that could well help to protect their data. Full disk encryption was introduced as a user option in the Android 3.x code base, for example. And then there's hardware data encryption, secure keychains and such that have been added over time.

Many of these security features are compelling, and we're all better off if our systems make use of them.

But there's the double whammy of these slow updating practices. Software developers are pragmatists in many ways. They write their software based on market share (among other things). So, despite the fact that Ice Cream Sandwich is sporting a bunch of really nice security features, the market share of users running it just doesn't justify building code for the 4.x code base yet.
