OWC Blog - blog.macsales.com

Welcome to the Digi-Zompocalypse

Monday, July 8th, 2013 | Author:

No, this isn’t another Zombie film starring Brad Pitt killing digital zombies (though I would totally watch that); this Zompocalypse deals with a new security flaw discovered in the Android operating system just a few days ago. This flaw is particularly bad in that it affects all versions of Android going all the way back to the first smartphone release.

Security Flaw

The flaw allows a hacker to modify an application’s code without breaking its signature, making it seem to the device and the app store to be perfectly legitimate. Once installed, the app can essentially rove around doing whatever it wants: pulling data, harvesting passwords, tracking user locations, or even using the phone as a zombie to attack others on the net. Read more about the specifics from our friends at Appleinsider.com.

No Global Updates

As long as there have been OS’s like Mac OS or Windows, there have been security updates, software enhancements, and other periodic improvements. The good thing is that those updates come directly from Apple and Microsoft.

Unfortunately for Google, there’s no centralized upgrade process through which they can issue an update for Android. This impossibility exists because of how Google created the operating system and the desire to be open to customization for manufacturers. All the major players in the Android world create their own experience, known as interface layers. HTC has Sense, Samsung has TouchWiz, Motorola has MOTOBLUR, and there are many more that are always changing.

The Role of the Manufacturer

The people actually responsible for issuing the software update are either the carrier or the manufacturer, not Google. The only exception is if you have a Google-branded phone or tablet. This creates a difficult problem in rolling out updates across the user base of Android devices. It is not up to Google when an update is pushed to the users; it is up to the manufacturer to take the new update, change it to their liking and push it to their devices.

Compare this to iOS. As of June, 93% of iPhone users are updated to the latest software: iOS 6. Only 33% of Android users are on Jelly Bean (the last major revision) and only 4% are on the latest version of that. Keep in mind that any stat claiming a certain percentage of Android users run “Jelly Bean” (or whatever version) is inaccurate, as that percentage is made up of multiple customized versions simply based on “Jelly Bean”.

There is no incentive for the manufacturer to update their smartphones; they have already sold their product and are working on better, more lucrative devices to sell once again to make money.

Even if Google created a global security fix for all past versions of Android, they would have to convince the manufacturers and carriers to spend the time programming, testing, and creating an update for all phones and all iterations ever made.

This would inevitably undercut the bottom line, and thus many devices become unsupported and obsolete within roughly eight months of release. Updates stop coming and the user is left with an older Android version, and will not likely receive an updated version of Android until their next phone purchase or unless they take it upon themselves to root their phone.

A Hacker’s Paradise

This lack of updates, and an infrastructure that doesn’t allow for a global update to be pushed to devices, creates gaping security holes that cannot be patched. On iOS, once an exploit is identified and posted on the Internet, it is a race against the clock for hackers to use it to their advantage before Apple releases a patch, narrowing the number of people the infection can reach, like a rapid first responder team. On Android it is not a lack of concern, but literally a lack of capability to contain the infection. Google immediately patches their software, but it can be years before a user buys a new phone and would receive it, leaving the user vulnerable to any malicious app that exploits that flaw.

The bottom line is, without a major overhaul in the Android update ecosystem, these issues are never going to be alleviated, and will constantly plague its users. Manufacturer customizations need to be applied on top of the base code, allowing for updates to be sent by Google that don’t disrupt the custom interfaces. How can you protect users with code that was developed over a year ago? The simple answer is, you can’t.

Apple and Microsoft are Doing it Right

The two most dominant companies in building OS’s knew how to build a structure that allows for centralized updating. As Android’s history is written, it will likely be noted that allowing multiple variants of Android to go into the wild, and relying on what is essentially a customized version of Android per vendor and per carrier, was a monumentally bad decision.

Google must be lamenting their initial “open software” call, which caused this massive fragmentation, which led to the massively insecure mobile operating environment. What are they to do? Well, they could try to do some form of centralized updating structure in the future, but that would take years to get out, as everyone needs to live with the possible zombie in the pocket.

It’s Not All Google’s Fault

Before anyone gets to Google-bashing, let’s keep in mind it’s not entirely their fault. They built it, but it’s also the carriers and manufacturers that build custom versions of Android and refuse to, or cannot, properly support the software they made for the smartphones they’ve sold. There’s definitely some blame to share.

With so much of our digital lives and info existing on smartphones, we as consumers need to demand better from those who provide these devices and the software that runs them. Voting with your pocketbook is usually the most effective means of protest.

    1. Brian Willoughby says:

      There are a couple of problems with the business logic cited here.

      Microsoft, at least for DOS and Windows, allowed the same vendor customizations as Android, such that each hardware vendor can have their own OS version. Granted, there is still a central update available from Microsoft, and I suppose they have a mechanism to keep the custom parts separated from the universal OS pieces that get updated.

      Also, one could argue that Apple has no incentive to support my iPhone 3GS because they’re more interested in selling me a brand new iPhone 5. Yet Apple still bothers to make iOS 5 and iOS 6 updates available to me. The hardware is quite different from one iPhone to the next, especially for major revisions, but perhaps Android hardware varies more. My point is that if Apple supports ancient hardware, despite the extra effort, then other cell phone manufacturers can provide the same support. It seems that there is no fundamental difference that requires companies competing with Apple to do such a poor job.

      • Doug says:

        The fundamental difference is that Apple care about customers and quality at least as much as they care about profit margin

        Others care most about profit and market share
