Google’s Android boss: updates are Android’s “weakest link” on security

Google has an Android patching problem, and it has hatched a plan to pressure Android partners into resolving it.

If Google has its way, the frequency of security and feature updates will become a differentiator that Android device buyers can compare between vendors.

Android, like any other piece of software, is riddled with bugs that require fixing on end-user devices.

The problem for owners of Android devices is that they often don’t receive patches after bugs are discovered and Google fixes them.

Android chief Hiroshi Lockheimer told Bloomberg that the lack of updates was "the weakest link on security on Android."

In a sense, Android has normalised what could be in store for end-users as more connected devices are introduced to homes, cars and bodies. Nearly eight months after Google released Android 6.0 Marshmallow, it runs on just 7.5 percent of the more than one billion active Android devices, according to Google's figures.

Google provides security updates for versions of Android three generations back, but whether end-user devices receive them often depends on the device maker and the carrier that sold the phone.

Updates are just one sign of the Android fragmentation problem affecting a hugely diverse ecosystem of devices. Google reported in its Android Security 2015 Year in Review report that Android supported over 60,000 different device models.

Google argued in the report that the “diversity of devices is a security strength unique to the Android ecosystem”. But strengths can also be weaknesses, depending on who’s looking at them.

According to two Bloomberg sources, Google has shown its Android partners a list that ranks the best vendors “by how up-to-date their handsets are, based on security patches and operating system versions”.

Google is also considering whether or not to publicise the list, which would “recognise proactive manufacturers and shame tardy vendors through omission from the list,” according to the sources.

Such an effort would help Google get new features and vulnerability fixes onto devices faster.

In a sense, Google has already begun naming and shaming in public through its monthly Android security bulletins, which until April were targeted at Google’s Nexus devices.

In April, Google renamed the public “Nexus security bulletin” notification to the “Android security bulletin”, signalling that each bulletin would disclose vulnerabilities affecting not just Nexus devices but other Android devices as well.

“To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin. These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices,” it said.

That has gradually been communicated to end-users through the “Android security patch level” shown in system settings, a date that indicates which monthly bulletin’s fixes a device’s build includes.

For example, the most recent level that an up-to-date Android device should currently report is a security patch level of May 1, 2016.
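As an added example (not code from the article or from Google), the following POSIX shell script shows how an administrator could audit that patch level across a fleet: it reads each device's reported level, compares it against the latest bulletin date and flags devices that are behind. The fleet entries below are constructed sample data; on a real device the same value comes from `adb shell getprop ro.build.version.security_patch`, which is the property behind the settings screen. The script assumes a device that does not expose the property at all (as older builds may not) should be reported as unknown rather than current.

```shell
#!/bin/sh
# Added example, not code from the article or from Google.
# Audits Android Security Patch Levels across a fleet against the latest
# monthly bulletin. On a real device the level is read with
#   adb shell getprop ro.build.version.security_patch
# and has the form YYYY-MM-DD. The fleet below is constructed sample data.

# patch_lag_months DEVICE_LEVEL REF_LEVEL
# Prints how many whole months DEVICE_LEVEL trails REF_LEVEL (negative if ahead).
patch_lag_months() {
    dev_y=${1%%-*}; rest=${1#*-}; dev_m=${rest%%-*}
    ref_y=${2%%-*}; rest=${2#*-}; ref_m=${rest%%-*}
    # Strip a leading zero so "08" and "09" are not read as octal by $((...)).
    dev_m=${dev_m#0}; ref_m=${ref_m#0}
    echo $(( (ref_y - dev_y) * 12 + (ref_m - dev_m) ))
}

# patch_status DEVICE_LEVEL REF_LEVEL
# Prints "current", "behind" or "unknown". An empty or malformed level is
# "unknown" (assumption: a build that does not set the property reports
# nothing, and must not be mistaken for an up-to-date device).
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$(patch_lag_months "$1" "$2")" -gt 0 ]; then
        echo behind
    else
        echo current
    fi
}

# Latest published bulletin at the time of writing (assumption: May 2016).
LATEST_BULLETIN=2016-05-01

# Constructed fleet inventory: "<serial> <reported patch level>". The last
# entry has no level, as a device that does not expose the property would.
audit_fleet() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(patch_status "$level" "$LATEST_BULLETIN")
        if [ "$status" = behind ]; then
            lag=$(patch_lag_months "$level" "$LATEST_BULLETIN")
            printf '%s\t%s\t%s (%s months)\n' "$serial" "$level" "$status" "$lag"
        else
            printf '%s\t%s\t%s\n' "$serial" "${level:-<none>}" "$status"
        fi
    done <<EOF
ABC123 2016-05-01
DEF456 2016-02-01
GHI789 2015-11-01
JKL012
EOF
}

audit_fleet
```

In real use, replace the here-document with the output of `adb devices` piped through `adb -s <serial> shell getprop ro.build.version.security_patch` for each serial, and update `LATEST_BULLETIN` each month when Google publishes the new bulletin.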

The monthly security update was Google’s response to the high-risk Stagefright bugs, which came to light last July and affected an estimated 95 percent of Android devices.

Google shares those security issues with Android partners at least one month before publishing them. But, as Google highlighted in its latest Android security report, Samsung, LG and BlackBerry are the only three of the hundreds of Android OEMs that have publicly committed to monthly updates.

Stories by Liam Tung