Last week, I was hanging out with some hackers and security experts at a conference in Brooklyn when I took out my Sony phone.
“Oh! The journalist uses Android. That’s secure!” said one guy next to me, in a highly sarcastic tone.
I dismissed his sarcasm, even though, as someone who writes about information security, I knew that deep down he was right. Just a few days later, his joke now seems almost premonitory.
As you might have heard, a security researcher revealed on Monday that a series of bugs deep inside Android’s source code allow hackers to hack and spy on users with a simple multimedia message.
If you’re worried your Android device might be vulnerable to these bugs, collectively known as Stagefright, well, I've got bad news for you. It probably is. In fact, as many as 950 million phones likely are.
“All devices should be assumed to be vulnerable,” said Joshua Drake, the researcher who found the bugs.
I knew Android’s security wasn’t great.
I didn’t know about Stagefright last week, obviously, but I knew Android’s security wasn’t great. Still, I ignored the sarcastic dude because, frankly, I’m a fanboy and a contrarian.
I’ve been antagonistic with Apple products ever since I was a teenager, when Apple used to try to shove its apps down my throat (cough iTunes cough) whenever I just wanted to watch a movie trailer on Quicktime. I never liked Apple’s walled garden and “we-control-everything” approach, and I particularly disliked Apple fanboys’ dumb “oh my god there’s a new iThing coming out” reverence and hysteria.
So when the original iPhone came out a few years ago, I swore in multiple heated discussions with friends and strangers that I’d never buy an iPhone. Since then, I’ve only owned Android phones. First a few HTC ones, now a Sony phone.
Well, I’m sick of it. And I’m ready to go to the dark side.
Don’t get me wrong. In many ways, Android is great. I love its open source ethos and the ability one has to customize it. But I can’t take it anymore for one simple, but really fundamental, reason.
Google still has very little control over software updates, and Android users are basically at the mercy of their carriers and phone manufacturers
Google still has very little control over software updates, and Android users are basically at the mercy of their carriers and phone manufacturers when it comes to getting updates or new operating system versions. For example, it took Sony more than six months to push Android 5.0 Lollipop to its new line of Xperia Z phones, despite the fact that it had promised for a much shorter turnaround after Lollipop was released by Google. Just for comparison’s sake, when Apple released iOS 8 in September of last year, it immediately became available for all iPhone users, even those with an 2011 iPhone 4S.
As security expert Cem Paya put it, that was a conscious decision Google made when it created Android. Paya called it a Faustian deal: “cede control over Android, get market-share against iPhone.” Basically, Google was happy to let carriers put their bloatware on their Android phones in exchange to having a chance to fight Apple in the mobile market. The tradeoff was giving carriers and manufacturers control over their Android releases, leaving Google unable to centrally push out operating system updates.
Some carriers and manufacturers are better than others, it’s true, but they all pretty much suck when it comes to pushing updates. There really isn’t a better way to put it.
As security researcher Nicholas Weaver put it in a (now deleted) tweet, ”Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android.”
In 2013, the American Civil Liberties Union filed a complaint with the Federal Trade Commission arguing that major wireless carriers were leaving users vulnerable to hackers and cybercriminals by failing to quickly push critical security updates to their customers’ Android phones.
Things have changed little since then. Google now has a bit more control over some updates thanks to Google Play Services, a set of APIs that live outside the OS, and which get automatically updated in the background. But security has not improved as much. For example, Google itself refused to fix a security vulnerability affecting 60 percent of Android users, those using the older versions of the OS, just a few months ago. (The bug has not been fixed for those users, and likely never will.)
As one of the people behind that FTC complaint put it, two years later, Android updates “still suck.”
And here’s the worst part of the story. Drake actually first told Google about some of the Stagefright bugs on April 9 (he reported a few more in early May). Google, to its credit, responded quickly and sent out patches to manufacturers almost immediately.
Then it’s all good right? Nope, that doesn’t matter—at all—because as I’ve said earlier, it’s now up to the carriers and manufacturers to actually deliver these patches to you.
Hey, they should recall Android phones too!Thomas Fox-Brewster July 27, 2015
Let me stress this out once more: the patches are ready to go. They were approved by Google months ago. But you won’t get them for another few weeks (if you’re lucky) or months (most likely) or never (a very solid possibility) depending how old your phone is—if it’s too old manufacturers just stop supporting them—and how lackadaisical your manufacturer and carrier are with regards to updates. Given the open nature of Android, pushing out updates, as Android Central put it, is a “messy, unpredictable business” that requires a lot of “moving parts.”
This is the fundamental difference between Android and iPhone. When there’s a bug on iOS, Apple patches it and can push an update to all iPhone users as soon as it’s ready, no questions asked.
When there’s a bug on iOS, Apple patches it and can push an update to all iPhone users as soon as it’s ready, no questions asked.
When the same thing happens with Android, Google patches and then… god knows when the AT&Ts, Verizons, HTCs, and Sonys of the world will decide it’s important enough that they should care and send you the update with the patch (though to their credit, they’re starting to care, mostly because having an updated OS is now seen as a competitive advantage). Hell, even Google-owned Nexus phones, which the company has full control over, haven’t been patched for Stagefright yet.
So what should you do if you own an Android phone? That’s up to you. I can’t tell you what to do with your life, but these are your choices.
You can keep your Android phone with that modified version of Android that your carrier or manufacturer has decided to put on it, and get security updates weeks late, or never (if you have a Nexus you’re better off, but who knows if Google is going to keep making Nexus phones in the future).
Or you can root your phone and install the excellent and more swiftly updated Android-based operating system CyanogenMod on it. This is a good alternative, but it’s not trivial to install CyanogenMod, and updates for certain phones depend on volunteers, so, again, you might not get them as soon as you’d wish.
Or, lastly, you can give up, switch to Apple and buy an iPhone.
As much as my old self will hate me, I’m going to choose the last option.