Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Tom Simonite

A View from Tom Simonite

The Security Flaw Google Built Into Android

Google compromised the security of its Android operating system by giving up the ability to push out security patches.

  • July 27, 2015

Millions of phones running Google’s Android operating system can be hijacked by a malicious text message, we learned today. It’s a reminder of something that became clear a long time ago: Google made a mistake when it created Android that endangers the security of people who entrust their personal lives to devices running it.

The problem is not that Android has security holes: all software does. The problem is that Google lacks an effective way to fix them. (We’ve noted this before; see “Browser Exploit for Android Highlights Google’s Update Problem”).

When security problems are discovered in Microsoft’s Windows operating system, or Apple’s mobile or desktop equivalents, those companies can push out an update to affected computers. You get a message telling you to install the update, direct from the company who made the software. In the case of Microsoft’s Windows 10, being released Wednesday, such updates are automatic and mandatory for home users. (This model doesn’t always work perfectly—Apple, for example, has been accused of being too slow to roll out important security patches.)

Google can’t push you an update for Android. It hands out the operating system to device manufacturers for free. They get to tinker with it to add features or apps of their own and are the only ones—along with cellular carriers in some cases—that can push updates to the devices they sell. Google does bind companies that use Android with some restrictions (for example to do with using its app store) but doesn’t require them to push out security updates quickly.

That leaves users of Android devices unable to avail themselves of what security experts say is the most important strategy for staying safe, at least according to researchers at none other than Google itself. They reported last week on a survey that asked computer security pros how they stay safe. Applying security updates emerged as the experts’ number one priority.

Google has lately come up with workarounds for Android’s flawed security model. It has shunted many key functions into apps that it can push updates to via its app store. But that doesn’t cover all of Android, and the app store doesn’t have a way to signal to you whether an app wants to update for security reasons or just to add new features.

The text message vulnerability revealed today can’t be fully fixed by upgrading apps. And it’s not unlikely that most vulnerable phones will never get the security patches for Android that Google has developed and will offer up to manufacturers and cellular operators. Joshua Drake, the researcher who discovered the text message flaw, guesses that between 20 and 50 percent of devices will receive the update, based on his past experience with Android updates.

Google’s desktop operating system, Chrome OS, has a much smarter design when it comes to security updates. They download in the background and install themselves. Many security engineers at Google surely wish they could do the same with Android. But the way Google has established Android’s business model makes that unlikely. Device makers and carriers appear to prioritize their own businesses and independence from Google above keeping their customers’ devices secure. Expect more news of worrying Android security holes that won’t be fixed.

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.