The Security Flaw Google Built Into Android

Google compromised the security of its Android operating system by giving up the ability to push out security patches.
July 27, 2015

Millions of phones running Google’s Android operating system can be hijacked by a malicious text message, we learned today. It’s a reminder of something that became clear a long time ago: Google made a mistake when it created Android that endangers the security of people who entrust their personal lives to devices running it.

The problem is not that Android has security holes: all software does. The problem is that Google lacks an effective way to fix them. (We’ve noted this before; see “Browser Exploit for Android Highlights Google’s Update Problem.”)

When security problems are discovered in Microsoft’s Windows operating system, or Apple’s mobile or desktop equivalents, those companies can push out an update to affected computers. You get a message telling you to install the update, direct from the company that made the software. In the case of Microsoft’s Windows 10, being released Wednesday, such updates are automatic and mandatory for home users. (This model doesn’t always work perfectly—Apple, for example, has been accused of being too slow to roll out important security patches.)

Google can’t push you an update for Android. It hands out the operating system to device manufacturers for free. They get to tinker with it to add features or apps of their own and are the only ones—along with cellular carriers in some cases—that can push updates to the devices they sell. Google does bind companies that use Android with some restrictions (for example, on the use of its app store) but doesn’t require them to push out security updates quickly.

That leaves users of Android devices unable to avail themselves of what security experts say is the most important strategy for staying safe, at least according to researchers at none other than Google itself. They reported last week on a survey that asked computer security pros how they stay safe. Applying security updates emerged as the experts’ number one priority.

Google has lately come up with workarounds for Android’s flawed security model. It has shunted many key functions into apps that it can push updates to via its app store. But that doesn’t cover all of Android, and the app store doesn’t have a way to signal to you whether an app wants to update for security reasons or just to add new features.

The text message vulnerability revealed today can’t be fully fixed by upgrading apps. And it’s not unlikely that most vulnerable phones will never get the security patches for Android that Google has developed and will offer up to manufacturers and cellular operators. Joshua Drake, the researcher who discovered the text message flaw, guesses that between 20 and 50 percent of devices will receive the update, based on his past experience with Android updates.

Google’s desktop operating system, Chrome OS, has a much smarter design when it comes to security updates. They download in the background and install themselves. Many security engineers at Google surely wish they could do the same with Android. But the way Google has established Android’s business model makes that unlikely. Device makers and carriers appear to prioritize their own businesses and independence from Google above keeping their customers’ devices secure. Expect more news of worrying Android security holes that won’t be fixed.
