Android security is a mess. While device manufacturers and wireless carriers rack up profits, Google seems to be the only company with its hands in the Android pie that is working to fend off hackers.
What's wrong
Smartphone makers and carriers are more interested in selling product and services than pushing out updates that would patch vulnerabilities. As Kaspersky Lab points out, more than 25 percent of Android smartphones in use today are still running version 2.3, which was released years ago.
While manufacturers and carriers sacrifice customers to the profit gods, Google is improving security. Android 4.4 KitKat, released last week, will warn people when a certificate authority is added to the device. This is a nifty defense against man-in-the-middle attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) when people are on public Wi-Fi networks.
And that's not all. KitKat also makes it harder for technically advanced attackers to intercept traffic between the smartphone or tablet and Google services. This is done by only allowing whitelisted certificates to connect to Google domains that use HTTPS, a secure communications protocol for the Internet.
Google has also hardened the Android operating system against attacks. KitKat uses a mandatory access control (MAC) system called SELinux, that makes it a lot more difficult for malware writers to gain administrative permissions that would allow them to control a device. SELinux is built into the Android kernel.
Google has added other security improvements, but those are some of the important ones. Unfortunately, very few Android users will actually get the additional protection, because carriers and manufacturers have placed a low priority on building a system for timely automatic updates.
Instead, they prefer to do nothing, so customers will have to replace their outdated devices sooner.
Gets Worse
Android users who believe things couldn't get much worse, don't appreciate the incompetence of manufacturers when it comes to security.
A research team at North Carolina State University analyzed the preloaded apps manufacturers customize in order to make their devices stand out in the market. On average, 60 percent of the exploitable flaws they found in the 10 devices they evaluated were in the tailored apps from Samsung, HTC, LG, Sony and Google, which owns smartphone maker Motorola.
Even sleazier, 85 percent of the customized apps on average were over-privileged, which means the manufacturers asked to have access to services on the phone the apps did not need. The developers must be laying the groundwork for using those services later.
The researchers looked at an Android 2.x phone and a version 4.x phone from each manufacturer and found no significant difference in the number of vulnerabilities, which means they haven't cared enough to improve security over the years.
HTC was the one exception. It's new phone was significantly more secure than the older model. But before we give 'em an attaboy, lets not forget that the Federal Trade Commission in February brought the hammer down on HTC for its dirtbag behavior.
The FTC found a number of egregious security problems on HTC smartphones that placed customers's personal data and privacy at risk. In settling the FTC complaint, the company agreed to fix reported vulnerabilities and to make security part of the design process for new phones.
I believe the FTC should take that settlement and apply it to all manufacturers. But if that isn't what smartphone makers want, then I suggest they enter into serious negotiations with carriers to fix the update problem.
With so many unpatched vulnerabilities, manufacturers and carriers have to negotiate a deal in which the former prepares the updates quickly and the latter moves them to customers. This will cost money, so they have to decide whether to absorb the expense or pass it on to buyers.
Either way, something needs to be done.