Google Has Lost Control Of Android

Remember Stagefright, the Android vulnerability that affected nearly 1 billion phones running Android versions from 2.2 to 5.1? Well, you may have heard that it’s back — and it’s even nastier than before.

Where the first version of the vulnerability could be accessed via an MMS message, Stagefright 2.0 can travel via specially adapted and apparently innocuous MP3/MP4 files — and those files can be stored inside apps, so just avoiding freebie music or movie files won’t protect you.

The most important thing about Stagefright isn’t what it does or how it travels, though. It’s what it shows. And what it shows is that there is a massive security problem that affects almost every Android device, and Google needs to solve it – because there’s every chance that the next vulnerability will be much more devastating.

All the world’s a Stagefright

Here’s how security vulnerabilities are supposed to be handled. One, a researcher discovers an issue. Two, the people who make the software find a solution. And three, the solution is then made available, ideally by automatic update. That’s what Windows does, and what Apple does. It isn’t always as fast as it should be, but at least once the fix exists it’s available almost instantly.

Here’s how it works with Android.

1. A researcher discovers a vulnerability.

2. Google says “la la la can’t hear you” for a year or so.

3. After lots of media coverage Google says it’ll fix the hole.

4. Google creates a fix and promises to bring it to the Nexus range in two or three months.

5. Google gives the fix to manufacturers who say they’ll roll it out at some point, maybe, when they get round to it.

6. The manufacturers get round to it and submit their version to the phone networks, who say they’ll totally bring it out at some point, oh yes siree!

7. The vulnerability that the fix will eventually fix evolves so that the fix doesn’t fix it any more.

8. Google says “la la la can’t hear you”.

Let’s talk about Steve Jobs because Android fans really like that

Eight years after unveiling the iPhone, Steve Jobs told the D5 conference what he thought of the phone networks, especially US ones. “The carriers now have gained the upper hand in terms of the power of the relationship with the handset manufacturers,” he said. “And they’re starting to tell the handset manufacturers what to build.”

He was right, and that’s the reason for HTC’s recent comments that it couldn’t commit to the monthly software updates Google wants. It’s not that HTC doesn’t want to update its devices. It’s that it can’t guarantee that the carriers will update HTC’s devices.

“We will push for it,” HTC America president Jason Mackenzie said on Twitter, adding later that “Nexus and unlocked is a completely different story. If product requires third-party certification it is not in your full control.”

That isn’t just an HTC problem. It’s an Android problem. And it’s a problem that Apple simply doesn’t have.

‘If you like Apple so much, why don’t you marry it?’

In security terms, Apple has a massive advantage over Android: it doesn’t have to persuade anybody but its users to install a security patch. And most of them d five days after iOS 9 launched, 50% of compatible devices had it (and immediately encountered a host of irritating bugs, although that’s another story). Apple then put out the iOS 9.0.1 update two days later, and we can be pretty confident that most iOS 9 users have it.

That simply doesn’t happen on Android, because no matter how good Google is at issuing patches, it then has to persuade manufacturers, carriers, or both, to issue those patches. And that causes fragmentation, where some people get updates and lots don’t.

In August, Open Signal’s OS analysis found that where 85% of iOS users were on iOS 8, 13% on iOS 7 and just 2% on earlier versions (iOS 9 hadn’t then shipped), just 12.4% of Android users were on Lollipop. 39.2% were on KitKat, 37.4% on Jelly Bean, 5.1% on Ice Cream Sandwich and 5.6% on Gingerbread.

That fragmentation also disproportionately affects budget buyers: when you read the list of devices that’ll be patched in any Android update, the flagships are usually first. Midrange? Maybe, if you’re lucky. But manufacturers and carriers rarely bother with the lower budget models.

Android’s best feature is also its biggest problem

In many respects Google’s lack of control over Android is laudable. It means you can choose from a massive array of devices to suit every kind of person, usually at a range of prices too, and there’s nobody telling you what features you can and can’t have or what apps you can and can’t download.

And that’s great. But the lack of control Google has over Android security is a massive weakness.

It’s clear that some carriers and some manufacturers simply aren’t doing enough to keep Android up to date. Google’s Project Zero team is great at pointing out security issues in rivals’ products, but it’s throwing its stones from inside a glass house. Android users deserve better.