The Android operating system update process consistently leaves Android users waiting months to receive much-needed security updates. Google must share some of the blame, since Android is their product. But the majority of the blame lies with device manufacturers and mobile service providers who hold updates hostage while they customize the OS and install unnecessary proprietary applications.
One of the few news items on April 1st that wasn't a hoax was the new figures for Android OS distribution. Five months after Google released Android OS 4.4 (KitKat), the adoption figures have now skyrocketed to an amazing 5.3% (sarcasm alarm bells should be ringing). In a similar amount of time, Apple iOS 7 has been adopted by 74% of iPhone users.
This incredibly low rate of OS adoption for Android poses a significant risk to users. Android OS updates contain more than new bells and whistles; they contain important security updates for newly discovered vulnerabilities. A prime example of one such vulnerability is 'master key', discovered in July 2013. The master key vulnerability allows cybercriminals to inject malicious code into legitimate applications in a way that goes unnoticed by Android security features. A detailed description of the Android master key vulnerability can be found on the official Armor for Android Protection Center blog.
The master key vulnerability is incredibly dangerous and affected 99% of Android devices at the time it was discovered, approximately 900 million Android devices worldwide. There was widespread media coverage and considerable concern among the Android community. Within weeks Google developed and released Android OS version 4.3, which included a security patch to fix the master key vulnerability. To date, only 14.2% of Android devices have updated to, or beyond, Android 4.3, leaving a whopping 85.8% of Android users vulnerable to master key malware. The reason behind this poor adoption rate is device manufacturers and service providers holding updates captive.
It has been nearly eight months since the patch for the master key vulnerability was released, and this update is still in third-party development limbo. Technically inclined Android users can side-load the OS update onto their devices, but the rest of Android users are left to sit and wait.
The Android OS update process is in dire need of an overhaul. If Android wants to be the computing platform of the future, then they will need to address this mess, or fall by the wayside as more secure platforms pass them by. It is only a matter of time until the shambles that is the Android update process leads to a large-scale data leak or cyber attack; the question is whether Google will address the problem before this happens.
Because Android is so fragmented, Android users must take steps to protect themselves from malware. There are three simple things that you can do to keep your Android device, and the sensitive information that it contains, safe and secure.
- Install and use an antivirus application.
- Read user reviews and visit application developers' websites before downloading to establish credibility.
- Do not install applications from untrustworthy sources.
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com, Twitter: @James_AfA