Tuesday, January 10, 2017

Android vulnerabilities and market fragmentation

Earlier this week I came across this article and it brought back some of my concerns about the Android ecosystem. The key piece that caught my attention was essentially in the first two lines:
Attackers can pwn 60% of Android phones using critical flaw.
And don't expect a fix anytime soon.
I love (and respect) Android as a platform. I've been using Android phones for a number of years now, and Google did an excellent job developing it. However, the way software updates (including security fixes!) are handled by the ecosystem as a whole is just terrible.

A group of researchers analysed a sample of 500,000 Android phones to see if they were affected by the recently disclosed QSEE vulnerability. The vulnerability was published on the 6th of January 2016 and fixed by Google in the January 2016 monthly security update.

In that sample 80% of the phones were based on a Qualcomm chipset (the one affected by this vulnerability), and only 25% of those had the fix applied. The remaining 75% of the Qualcomm phones, i.e. 60% of all Android phones in the sample, were still vulnerable.
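The same measurement can be scripted for a fleet you manage. The example below is added here and is not the researchers' tooling: it uses the two Android system properties that matter (`ro.board.platform` to spot a Qualcomm SoC, and `ro.build.version.security_patch`, present on Android 6.0 and later, for the patch level), runs them over a constructed inventory, and works out the three percentages quoted above. The platform prefix list and the inventory are assumptions for illustration; a real fleet needs a fuller chipset mapping.

```python
"""
Fleet patch-level check modelled on the QSEE study described above.

On a real device the two properties are read with:
    adb shell getprop ro.board.platform                # e.g. msm8994 on a Qualcomm SoC
    adb shell getprop ro.build.version.security_patch  # e.g. 2016-01-01 (Android 6.0+)
The inventory below is constructed sample data, not measurements.
"""
from datetime import date

# Constructed sample: ten devices, eight on a Qualcomm platform, two of those patched.
SAMPLE_INVENTORY = [
    {"model": "phone-01", "platform": "msm8994", "security_patch": "2016-01-01"},
    {"model": "phone-02", "platform": "msm8992", "security_patch": "2016-02-01"},
    {"model": "phone-03", "platform": "msm8974", "security_patch": "2015-12-01"},
    {"model": "phone-04", "platform": "msm8916", "security_patch": "2015-11-01"},
    {"model": "phone-05", "platform": "msm8939", "security_patch": ""},  # pre-6.0 build: property absent
    {"model": "phone-06", "platform": "apq8084", "security_patch": "2015-10-01"},
    {"model": "phone-07", "platform": "msm8996", "security_patch": "2015-12-01"},
    {"model": "phone-08", "platform": "msm8909", "security_patch": "2015-09-01"},
    {"model": "phone-09", "platform": "exynos5", "security_patch": "2016-01-01"},
    {"model": "phone-10", "platform": "mt6735", "security_patch": "2015-12-01"},
]

# Assumption for this example: Qualcomm platforms are recognised by the
# ro.board.platform prefix. A production check needs a complete mapping.
QUALCOMM_PREFIXES = ("msm", "apq", "sdm")

# Patch level that carries the January 2016 bulletin fix.
FIX_LEVEL = date(2016, 1, 1)


def is_qualcomm(platform: str) -> bool:
    """True if the board platform string looks like a Qualcomm SoC."""
    return platform.lower().startswith(QUALCOMM_PREFIXES)


def parse_patch_level(value: str):
    """Return the security patch level as a date, or None if absent or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_patched(security_patch: str, fix_level: date = FIX_LEVEL) -> bool:
    """A device counts as patched only if its patch level is at or after the fix."""
    level = parse_patch_level(security_patch)
    return level is not None and level >= fix_level


def exposure(inventory, fix_level: date = FIX_LEVEL) -> dict:
    """Counts and shares: affected chipset, patched among affected, vulnerable overall."""
    total = len(inventory)
    affected = [d for d in inventory if is_qualcomm(d["platform"])]
    patched = [d for d in affected if is_patched(d["security_patch"], fix_level)]
    vulnerable = len(affected) - len(patched)
    return {
        "total": total,
        "affected": len(affected),
        "patched": len(patched),
        "vulnerable": vulnerable,
        "affected_share": len(affected) / total if total else 0.0,
        "patched_share_of_affected": len(patched) / len(affected) if affected else 0.0,
        "vulnerable_share_of_all": vulnerable / total if total else 0.0,
    }


if __name__ == "__main__":
    r = exposure(SAMPLE_INVENTORY)
    print(f"{r['affected_share']:.0%} on the affected chipset, "
          f"{r['patched_share_of_affected']:.0%} of those patched, "
          f"{r['vulnerable_share_of_all']:.0%} of all devices still vulnerable")
```

Devices without the property (anything older than Android 6.0) are deliberately counted as unpatched, which is the conservative choice for an exposure figure.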

The problem with the Android ecosystem is that it is too fragmented. When Google releases a new version of Android (or a fix) it can push it to its own phones, but other vendors (Samsung, LG etc.) take time to (thoroughly) test the latest code on their phone models to make sure everything works as expected. Many manufacturers/OEMs don't run "clean" Android; instead they (advantages of open source!) modify the OS to adjust/tweak some aspects of it to their needs, so every new release has to be merged with those changes and re-tested. The result is that it takes weeks or months for the new version of Android (or a particular fix) to be made available by the OEM.

Then things get even worse: telcos/carriers/mobile network operators ALSO take time to test updates coming from the OEMs on their networks (no one wants to be in the situation where an update kills the ability to call 000 or introduces another serious bug).

As an example, Telstra does a good job keeping its customers informed about when and how it is going to roll out the "new" versions of Android to various phones:

I captured this screenshot in May. Eight months later the situation is getting better, and I can see that mainly security fixes get prioritised for delivery. This is good! In fact, it is much better than what it used to be. On the other hand, customers still have to wait for non-security updates, improved functionality etc., and that probably still contributes to market fragmentation (more Android variations to support).

I think most of the manufacturers and carriers are stuck with the mentality that people buy a phone on a 2 year plan, use that model for 2 years and then upgrade to the next one. They are not software companies (i.e. they don't understand, or don't have the capacity, to implement and follow fast software release cycles). It is probably OK to spend a year on a new hardware model, but it is a crime in a modern agile software world. And on top of that there is no incentive to update to the newer versions: OEMs have already received the money for the phone (hardware), and the carriers are guaranteed to receive a certain amount every month for 2 years in most cases.

All of this is the main reason why I've been using Google Nexus phones for several years straight (from the 2011 Google Nexus model all the way to the Nexus 6P). These are Google's flagship phones and I agree with their 4.5-star rating on Amazon. The phones are produced by different manufacturers; as an example, the Nexus 6P was made by Huawei, while the previous Nexus 6 was manufactured by Motorola. But hardware design, specs and software updates are all controlled by Google. Once a new version of Android is ready, unlocked Google phones (i.e. those not sold by a particular carrier with a SIM lock to that provider) receive it first. This is the guaranteed fastest way to receive an update: a matter of a few days at most. For other phones it may take weeks or even months, or they may never receive the update at all, leaving those models permanently vulnerable. This is the reason for the 60% mentioned at the beginning.

I am sure Google engineers are aware of this challenge and are doing their best to improve it. I can certainly see positive changes already taking place. In late 2015 Google started publishing monthly security bulletins, and these updates get pushed to the Nexus phones straight away. This is a massive improvement compared to the situation when we had to wait for months for these fixes to be incorporated into the next version of Android (leaving all phones vulnerable in the meantime).

The newest Google phones, the Pixel and Pixel XL, are the continuation of the Nexus theme but with even more (end to end) control from Google. This is a great way to reduce market fragmentation. I am surprised by the average ratings on Amazon. I loved every Nexus phone I had, and I am sure the Pixel won't disappoint either. If you are thinking of getting a new phone and you care about security, give it a go. You will get great hardware, a modern mobile OS and the best security the Android ecosystem has to offer.

If you are an Android user - which phones do you use and would also recommend to your friends? If you use an iPhone - would you consider Google Nexus or Pixel phones after reading this blog post?

Please leave your comments below and I promise I will answer all of your questions.


  1. I would love to have a Pixel, but cannot justify spending 1K+, so instead this year I decided to buy an LG G5...

  2. Yes, with the Pixel you get a premium phone for a premium price. One of the very compelling reasons to have Nexus phones a couple of generations back (Nexus 4, Nexus 5) was their price. For around $400-$500 you were getting an amazing phone that was on par with the flagship devices from Samsung and Apple. It gives me an idea to write a blog post about decent Android phones in the $500 price range.