Old Androids Never Die, They Just Become Bots

Spider


Android Security Problems?


Another overwrought “security vulnerability” story rippled the news cycle recently. As DigitalTrends put it: “Researchers at IBM have published a report detailing a serious vulnerability in the KeyStore that affects 86 percent of Android devices.”

Only that isn’t true. It’s really just 10 percent of Android devices that are vulnerable; specifically, devices running Android v4.3 (Jelly Bean). But DigitalTrends, like a lot of other tech FUD/news sites, hasn’t corrected that error as of this writing.

Furthermore, “serious vulnerability” is a serious misstatement. The bug is a buffer-overflow vulnerability which a hacker can exploit to gain administrator-level control over a device, but only if the hacker can get through all of the anti-tampering safeguards built into Android. It’s about as serious as leaving a door open in the basement of Fort Knox.

That said, this tempest in a teapot highlights a different problem with Android, which pundits refer to as "Android fragmentation." In a nutshell, it means there are too many versions, and not enough support.

Google fixed this bug only in the latest v4.4 (KitKat), leaving all earlier versions unpatched. (Of course, only v4.3 needs patching; versions prior to that don’t have this vulnerability.)

A related symptom of the “too many versions” problem is Google Wear, the company’s latest OS for wearable devices such as smartwatches, health monitors, etc. Apps that work with Wear will not run on any Android version lower than 4.3, leaving about 75 percent of active Android devices to Wear nothing. Naked Androids? Run for the hills!

Why Can't I Upgrade?

Why are there so many obsolete versions of Android still in use? Why don’t those users upgrade their operating systems, as I’ve constantly exhorted desktop OS users to do? Well, for once users can’t be blamed; most Android devices cannot be upgraded to the latest OS version by users alone.

You can’t just go to the Android website and download the latest version to install on your device. That’s because the pristine Android OS won’t do what your Android device is designed to do. The Android running on your phone or tablet has been heavily customized by the device maker to take full advantage of the particular hardware platform that the manufacturer has designed. You have to get that customized device-specific Android software from the device maker.

So why don’t manufacturers make their custom versions of Android available to customers as soon as a new version of “original” Android is released? Because that new version would have to be customized again, and that is a herculean, expensive, lengthy undertaking. By the time a customized Android upgrade was ready, the hardware that consumers expect would be radically different and the upgrade would not enable all of the hardware’s new features, if the upgrade ran at all.

Carriers like Verizon, AT&T, T-Mobile, and Sprint contribute to the obsolete OS problem by binding customers to two-year contracts and lengthy phone-upgrade eligibility periods. Few customers are going to take the financial hit of ditching a months-old phone just to get the latest hardware and operating system version. We’re seeing some erosion of this barrier to upgrading, but it’s still pretty high.

I will say that Verizon has been pretty good about providing Android upgrades, at least for the popular Samsung Galaxy models that I've had in the past couple years. My Galaxy S4 received the KitKat (v4.4) upgrade back in May. If you have a less popular or low-end Android device, you've probably not seen an Android OS update since you got your phone or tablet.

But is not having the latest version of Android a real problem or a psychological one? Your lawn mower probably isn’t state-of-the-art. Does that cause you any angst? Do you expect the maker to send you an upgrade kit every time a new model comes out? Most people are perfectly happy if a lawn mower just cuts the grass quickly enough with a tolerable amount of effort.

“But... but... SECURITY VULNERABILITIES!” As I explained above, very few hysterically reported security holes matter at all. Those that do matter get patched in older versions of operating systems. Those that don’t matter are simply closed in the next full release.

My main reason for posting this was the "Why Can't I Upgrade?" section. It answers that question pretty well for people new to the Android operating system.