jrjBlog

Android Security

Android Stagecraft Vulnerability Shines Light on Carriers and OEMs

Android users need to do some serious soul searching about security, because wireless carriers and device OEMs aren't helping...

Lorenzo Franceschi-Bicchierai, who covers the security beat for Vice/Motherboard, is reluctantly moving away from Android in response to the latest security vulnerability in Google’s mobile operating system. I can’t blame him: absent rapid security updates in response to issues like this, no operating system can remain secure in the face of the modern security climate. I think his piece is a must-read for anyone who uses an Android device.

The “Stagecraft” vulnerability is just the latest and loudest example, but the problem is nothing new. The lack of security updates made available to Android users is a serious problem in the face of modern vulnerabilities and exploits. (Singular exception: Nexus devices purchased directly from Google.)

The wireless carriers are the primary obstacle, but they’re not the only problem. OEMs, who are far more interested in selling you a new phone than updating your old one, deserve some of your scorn as well.

There are four parties involved, and all of them have to come together to update a phone:

  1. Google has to update the OS. (They are VERY good about doing this: they are quick to respond to security vulnerabilities and do a good job, but none of that matters without the other 3.)
  2. Device manufacturers (OEMs) have to take Google’s update and apply it to the image associated with specific device models. With new devices most do a reasonable (not great) job with this, but with phones more than 12 months old they tend to conveniently forget the phones exist.
  3. On the off chance your device’s OEM steps up and provides an update, carriers have to “certify” it before it can be made available to consumers. Carriers are awful about this, and the few updates they do certify lag by 6-9 months or more. It’s inexcusable.
  4. End users need to apply updates when they are made available. Users aren’t great at doing this in a timely fashion, but they are nowhere near being the long pole in this scenario.

Or, you could buy an iPhone and get updates on day one. It sucks that those are your options, but there’s no denying that, unless something changes, Android users are going to remain at risk as new vulnerabilities are discovered.