Google’s Android boss: updates are Android’s “weakest link” on security

Google has an Android patching problem and it has hatched a plan to pressure Android partners into resolving it.

If Google has its way, the frequency of security and feature updates will become a differentiator for Android device owners.

Android, like any other piece of software, is riddled with bugs that require fixing on end-user devices.

The problem for owners of Android devices is that they often don’t receive patches when bugs are discovered and Google fixes them.

Android chief Hiroshi Lockheimer told Bloomberg that the lack of updates was "the weakest link on security on Android."

In a sense, Android has normalised what could be in store for end-users as more connected devices are introduced to homes, cars and bodies. Nearly eight months after Google released Android 6.0 Marshmallow, it runs on just 7.5 percent of the more than one billion Android devices in use, according to Google's figures.

Google provides security updates for versions of Android three generations back, but whether end-user devices receive them often depends on the device maker and the carrier that sold the phone.

Updates are just one sign of the Android fragmentation problem affecting a hugely diverse ecosystem of devices. Google reported in its Android Security 2015 Year in Review report that Android supported over 60,000 different device models.

Google argued in the report that the “diversity of devices is a security strength unique to the Android ecosystem”. But strengths can also be weaknesses, depending on who’s looking at them.

According to two Bloomberg sources, Google has shown its Android partners a list that ranks the best vendors “by how up-to-date their handsets are, based on security patches and operating system versions”.

Google is also considering whether or not to publicise “proactive manufacturers and shame tardy vendors through omission from the list,” according to the sources.

Such an effort would help Google distribute new features and patch vulnerabilities.

In a sense, Google has already made this system of naming and shaming public as part of its monthly Android security updates, which until April were targeted at Google’s Nexus devices.

In April, Google renamed the “Nexus security bulletin” public notification to the “Android security bulletin”, which implied that each bulletin would reveal vulnerabilities that could affect not just Nexus devices but also other Android devices.

“To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin. These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices,” it said.

That’s gradually been communicated to end-users through the “Android Security Patch Level”, which users can see in system settings on Android.

For example, the most recent update that Android devices should see is “Android Security Patch Level May 1”.

The monthly security update was Google’s response to the high-risk Stagefright bugs, which came to light last July and affected 95 percent of Android devices.

Google shares those security issues with Android partners at least one month in advance of publishing them. But, as Google highlighted in its latest Android security report, Samsung, LG and Blackberry are the only three out of hundreds of Android OEMs that have publicly stated a commitment to monthly updates.
