KitKat is out, but a lot of Android users won't get it

some people may never get to use the enhancements in KitKat until they replace their phone

Google has added lots of nifty features in the latest version of Android. Unfortunately, for most users of the mobile operating system, they'll have to buy a new mobile phone if they want to get the latest and greatest technology.


Google released Android 4.4 KitKat last Thursday, but how soon users will get the OS will very much depend on either their wireless carrier or the device manufacturer, which tend to move slowly. As a result, some people may never get to use the enhancements in KitKat until they replace their phone.

The update problem has existed with Android since the beginning and most experts agree it presents the biggest security risk to users. Updates always include patches for vulnerabilities, and once the fixes are available, hackers are able to analyze them to find and exploit the flaws.

"We see exploits available in a matter of days after a patch has been disclosed," Adi Sharabani, chief executive and co-founder of mobile security vendor Skycure, said. "Attackers are creating these exploits to attack users who haven't updated their devices."

The risk of not having regular updates was cited a couple of months ago in a memo the FBI and Department of Homeland Security sent to police and fire departments. The warning said SMS Trojans, rootkits and fake Google Play domains were the top security threats to out-of-date Android devices.

While experts universally agree that the lack of timely updates is a major security problem, there is no easy solution. That's because Google lets anyone modify Android to fit the needs of their business, which means there are as many ways to update Android as there are flavors of the operating system.


Sharabani would like to see Google make structural changes to the Android codebase, so there are application programming interfaces (APIs) available to update the core OS without damaging whatever software is running on top of it, such as the user interface.

While that sounds reasonable, Tielei Wang, mobile security researcher at the Georgia Institute of Technology, points out that depending on the amount of customization, updating without breaking may be difficult.

"(Even with the APIs) it may not be easy to merge Google's code changes," Wang said.

Sharabani also suggests that Google launch a certification program for companies using Android. Those businesses that integrate Google's update mechanism into their platform would be certified as such. In addition, Google could impose other requirements, such as sending out patches in between OS updates for previously unknown vulnerabilities that hackers are exploiting.

Again, such a program sounds like a good idea, but managing and controlling it would be hard. Android has become the leading mobile OS because Google made it easy for carriers and manufacturers to use it. Changing that model would likely lead to serious discontent.

"Currently, it's almost impossible for Google to ban major manufacturers," Wang said.

Besides the technical difficulties, carriers have a business interest in not making Android updates a priority, Bogdan Botezatu, senior e-threat analyst for Bitdefender, said. Rather than update software, carriers would prefer to have subscribers buy a new phone.

"Instead of delivering fixes, phone manufacturers would rather spend their resources on developing new devices to deliver along with the latest version of Android," Botezatu said.

So for now, Android fans who want the latest update will have to be technically advanced enough to root their smartphone in order to install KitKat. Those who want regular updates in the future can buy their phone directly from Google.

Anything more universal won't come easily.
