2015 was an interesting year for smartphone owners, because it was the year a large number of security stories circulated on the Internet. Hundreds of people had their private and intimate photographs exposed after Apple experienced a wide-scale data hack through insecure passwords, Snapchat experienced a number of data losses partially through customers using less protected third-party services, and then there was the Stagefright critical vulnerability. Stagefright is the name given to a component of Android devices that was introduced with version 2.2 FroYo and is still in use today: it was discovered that there was a serious vulnerability in the code that could allow an attacker to silently take control of a given Android device, leaving no visible clues for the customer.
Google quickly patched Android in order to protect customers, but left it up to individual manufacturers whether to patch their customers’ devices. Sadly, with around a billion devices potentially vulnerable to the Stagefright critical weakness, only a relatively small number of customers received the necessary security patch. Depending on the source, it is possible that 850 million Android devices are still vulnerable to Stagefright. Over the last year we have seen a number of other security weaknesses or exploits published in the media, and Google has steadily been incorporating patches – replacement code that removes the vulnerability from the operating system – that may be taken by the manufacturers and rolled out to customer devices. And again, unfortunately, not all manufacturers are willing or even able to patch their own portfolio of devices with these updates. Ultimately, this probably comes down to money: patching a smartphone these days requires amending the code and then submitting it to Google and carriers for testing and approval. With so many layers in the update process, and the prospect that a customer might simply decide to trade in their two- or three-year-old device for a shiny new one, many manufacturers take the view that they are better off supporting their newer (and often flagship) devices instead. Google’s practice of releasing monthly updates is helping, but according to a University of Cambridge report issued at the end of 2015, some 87% of Android devices were considered vulnerable to malicious attacks.
Of today’s Android smartphone manufacturers, only three spring to mind as working hard to bring monthly security updates to customers – BlackBerry, LG and Samsung. BlackBerry have today released a blog extolling the virtues of keeping the software up to date, as it ensures critical vulnerabilities are fixed as soon as Google makes the fixes available. Indeed, BlackBerry went on to explain that their commitment is to continue to “consistently deploy security patches as soon as they become available.” It’s a promise they have made good on so far: quite often, the single Android-powered BlackBerry device, the PRIV, has received its security patch updates faster than Nexus devices. The BlackBerry PRIV has not suffered from the discovered vulnerabilities we’ve reported on in recent months, such as the ability for a hacker to bypass Android full disk encryption, and part of the reason is that BlackBerry make the necessary changes to the operating system as soon as they are able to. In BlackBerry’s words, they are making good on their promise to only sell a secure solution to customers.
Google is slowly pushing Android towards a more secure base. Devices launching with Android 7.0 Nougat should include seamless updating as standard, which should greatly simplify the process of updating, and keeping up to date, the scores of Android-powered devices that are released. It may not mean an end to the scores of devices that are sold effectively unsupported by the manufacturer: those smartphones or tablets that are unlikely to ever see a software update in their life. Here, the best remedy is for customers to vote with their feet. However, it seems that for security to be taken seriously by ordinary people, the Android world may need a significant scare. Perhaps the big scare might involve those 850 million devices potentially vulnerable to Stagefright being taken over by malware and doing something destructive?