No, this isn’t another zombie film starring Brad Pitt killing digital zombies (though I would totally watch that); this Zompocalypse deals with a new security flaw discovered in the Android operating system just a few days ago. This flaw is particularly bad in that it affects all versions of Android, going all the way back to the first smartphone release.
The way it works is by allowing a hacker to modify an application’s code without touching its signature, making it seem perfectly legitimate to the device and the app store. Once installed, the app can essentially rove around doing whatever it wants: pulling data, harvesting passwords, tracking user locations, or even using the phone as a zombie to attack others on the net. Read more about the specifics from our friends at Appleinsider.com.
No Global Updates
As long as there have been OS’s like Mac OS or Windows, there have been security updates, software enhancements, and other periodic improvements. The good thing is that those updates come directly from Apple and Microsoft.
Unfortunately for Google, there’s no centralized upgrade process through which it can issue an update for Android. This impossibility exists because of how Google created the operating system and its desire to keep it open to customization by manufacturers. All the major players in the Android world create their own experience, known as interface layers. HTC has Sense, Samsung has TouchWiz, Motorola has MOTOBLUR, and there are many more that are always changing.
The Role of the Manufacturer
The party actually responsible for issuing the software update is either the carrier or the manufacturer, not Google. The only exception is if you have a Google-branded phone or tablet. This creates a difficult problem in rolling out updates across the user base of Android devices. It is not up to Google when an update is pushed to the users; it is up to the manufacturer to take the new update, change it to their liking and push it to their devices.
Compare this to iOS. As of June, 93% of iPhone users are updated to the latest software: iOS 6. Only 33% of Android users are on Jelly Bean (the last major revision) and only 4% are on the latest version of that. Keep in mind that any stat that states a certain percentage of Android users run “Jelly Bean” (or whatever version) is inaccurate, as that percentage is made up of multiple customized versions simply based on “Jelly Bean”.
There is no incentive for the manufacturer to update their smartphones; they have already sold their product and are working on better, more lucrative devices to sell to make money once again.
Even if Google created a global security fix for all past versions of Android, they would have to convince the manufacturers and carriers to spend the time programming, testing, and creating an update for all phones and all iterations ever made.
This would inevitably undercut the bottom line, and thus many devices become unsupported and obsolete within roughly eight months of release. Updates stop coming and the user is left with an older Android version, and will not likely receive an updated version of Android until their next phone purchase or unless they take it upon themselves to root their phone.
A Hacker’s Paradise
This lack of updates, together with an infrastructure that doesn’t allow a global update to be pushed to devices, creates gaping security holes that cannot be patched. On iOS, once an exploit is identified and posted on the Internet, it is a race against the clock for hackers to use it to their advantage before Apple releases a patch, narrowing the number of people the infection can reach, like a rapid first responder team. On Android it is not a lack of concern, but literally a lack of capability to contain the infection. Google immediately patches its software, but it can be years before a user buys a new phone and receives the patch, leaving the user vulnerable to any malicious app that exploits that flaw.
The bottom line is, without a major overhaul in the Android update ecosystem, these issues are never going to be alleviated, and will constantly plague its users. Manufacturer customizations need to be applied on top of the base code, allowing for updates to be sent by Google that don’t disrupt the custom interfaces. How can you protect users with code that was developed over a year ago? The simple answer is, you can’t.
Apple and Microsoft are Doing it Right
The two most dominant companies in building OS’s knew how to build a structure that allows for centralized updating. As Android’s history is written, it will likely be noted that allowing multiple variants of Android to go into the wild, and relying on what is essentially a customized version of Android per vendor and per carrier, was a monumentally bad decision.
Google must be lamenting their initial “open software” call, which caused this massive fragmentation, which led to the massively insecure mobile operating environment. What are they to do? Well, they could try to build some form of centralized updating structure in the future, but that would take years to roll out, and in the meantime everyone has to live with the possible zombie in their pocket.
It’s Not All Google’s Fault
Before anyone gets to Google-bashing, let’s keep in mind it’s not entirely their fault. They built it, but it’s also the carriers and manufacturers that build custom versions of Android and refuse to, or cannot, properly support the software they made for the smartphones they’ve sold. There’s definitely some blame to share.
With so much of our digital lives and info existing on smartphones, we as consumers need to demand better from those who provide these devices and the software that runs them. Voting with your pocketbook is usually the most effective means of protest.