Tom Simonite

A View from Tom Simonite

The Security Flaw Google Built Into Android

Google compromised the security of its Android operating system by giving up the ability to push out security patches.

July 27, 2015

Millions of phones running Google’s Android operating system can be hijacked by a malicious text message, we learned today. It’s a reminder of something that became clear a long time ago: Google made a mistake when it created Android that endangers the security of people who entrust their personal lives to devices running it.

The problem is not that Android has security holes: all software does. The problem is that Google lacks an effective way to fix them. (We’ve noted this before; see “Browser Exploit for Android Highlights Google’s Update Problem.”)

When security problems are discovered in Microsoft’s Windows operating system, or Apple’s mobile or desktop equivalents, those companies can push out an update to affected computers. You get a message telling you to install the update, direct from the company who made the software. In the case of Microsoft’s Windows 10, being released Wednesday, such updates are automatic and mandatory for home users. (This model doesn’t always work perfectly—Apple, for example, has been accused of being too slow to roll out important security patches.)

Google can’t push you an update for Android. It hands out the operating system to device manufacturers for free. They get to tinker with it to add features or apps of their own and are the only ones—along with cellular carriers in some cases—that can push updates to the devices they sell. Google does bind companies that use Android with some restrictions (for example to do with using its app store) but doesn’t require them to push out security updates quickly.

That leaves users of Android devices unable to avail themselves of what security experts say is the most important strategy for staying safe, at least according to researchers at none other than Google itself. They reported last week on a survey that asked computer security pros how they stay safe. Applying security updates emerged as the experts’ number one priority.

Google has lately come up with workarounds for Android’s flawed security model. It has shunted many key functions into apps that it can push updates to via its app store. But that doesn’t cover all of Android, and the app store doesn’t have a way to signal to you whether an app wants to update for security reasons or just to add new features.

The text message vulnerability revealed today can’t be fully fixed by upgrading apps. And it’s not unlikely that most vulnerable phones will never get the security patches for Android that Google has developed and will offer up to manufacturers and cellular operators. Joshua Drake, the researcher who discovered the text message flaw, guesses that between 20 and 50 percent of devices will receive the update, based on his past experience with Android updates.

Google’s desktop operating system, Chrome OS, has a much smarter design when it comes to security updates. They download in the background and install themselves. Many security engineers at Google surely wish they could do the same with Android. But the way Google has established Android’s business model makes that unlikely. Device makers and carriers appear to prioritize their own businesses and independence from Google above keeping their customers’ devices secure. Expect more news of worrying Android security holes that won’t be fixed.
