Google Fixes Most Vulnerabilities In May Android Security Update
Tuesday, May 03, 2016
If you use a mobile device that runs the Google Android operating system, take note. In its May 2016 Android security update, Google fixed many vulnerabilities but several still linger. ZD Net reported:
"The search and mobile giant on Monday released its monthly round of Android security fixes, with one persistent flaw at the top of the list: a "critical" security vulnerability in mediaserver, a part of Android that finds and indexes media files stored on the device. Almost every month since Google began pushing out monthly security patches, researchers have found a new problem in the bug-ridden Android component."
"Bug-ridden" does not sound good. ZD Net explained:
"According to the bulletin, the two flaws "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," though the flaw is mitigated slightly because Google Hangouts and Messenger apps can't trigger the flaw. In other words, an attacker can run malware on a device by exploiting the mediaserver, because the service has access to privileged parts of the device which other apps don't have."
Corporate information technology managers at companies with "BYOD" (a/k/a Bring Your Own Device) policies for their employees can't be happy with this security situation. What can consumers make of this security situation? ZD Net explained in May 2015:
"The problem is that most devices are never updated. The one exception is Google's own brand of phones, the Nexus line-up, which remain continually updated with the latest patches and fixes... Android remains the most popular mobile operating system in the world with over 81 percent of the worldwide market share. But only a fraction of Android's share is running the software's latest version, with the latest bug fixes, vulnerability patches, and security updates. Official stats say just shy of 10 percent are using Android 5.0 "Lollipop," with about 39 percent running the second latest version, Android 4.4 "KitKat"... That's because not everyone gets the updates. Some Android devices aren't deemed compatible. That includes updates that include incremental security fixes (and features) known to mitigate malware threats and data leaks. And it's not Google that determines who gets an upgrade. Google leaves it up to the carriers. Carriers argue they need to test Android updates to determine whether or not a device will get an upgrade. When it's not the carriers, it's the phone makers..."
So, security takes a backseat to profits. Shop wisely for a device (and wireless provider) that includes all security updates.
And it isn't even Google's profits that are the disincentive to the distribution of updates to Android, or at least, according to Google, it is willing to accept updating Android, which it should, as a cost of doing business; it is that for the system of entities, by which the vast majority of Android devices would be updated, updating Android devices is only a cost with no compensating benefit. So, unlike Google, neither the cell phone carriers nor the device manufacturers make any money, or they make too little money, on Android devices, after the first sale, so they have no incentive to update Android devices and have a disincentive to not update Android devices. So the problem for Google is that Android's business model of multifaceted entities is financially irrational for updating Android devices.
And then there is the problem that there isn't one entity with its own servers that can make and then push security updates to all Android devices.
Then there is the problem of manufacturers implementing Android in hardware or with modifications of its code and features or both that will be incompatible with security updates or other updates. And Google couldn't test for these incompatibilities, even if it wished to do so, because: (1) It doesn't even know about many of them, and (2) even when it knows about hardware and software incompatibilities, they are too many for its engineers to be able to test, and the process of designing and maintaining updates for all of those incompatible devices would be too expensive. So designing updates for incompatible Android devices is practically impossible.
So Google's problems with its update process are at least three: (1) It is economically irrational for updating Android devices, because updates are nothing but a cost for nearly all the entities needed to update an Android device; (2) Google has no unified physical infrastructure of servers and networks for distributing updates to its Android devices, and (3) even without the first two problems, supra, the design and manufacture of Android devices' hardware and software frequently departs from Google's reference standards for hardware and software, even though that may violate Google's licensing agreement for use of Google's trademarks, updates, and its Google Play application store, which Google can't do much about, because Android itself is open-source code, which is another irrationality that would take much longer to explain the implications of.
Apple doesn't have any of those problems. Apple makes the whole devices, hardware and software, that are consistent with its standards for hardware and software; its hardware and software are proprietary to Apple, and Apple has its own servers for updating its iOS devices over the Internet and cell carriers' networks, so Apple can design, test, and issue security updates and enhancements to its iOS, which is the operating system for iPhone, iPad, and Apple TV, and it has its unified server farms at Tim Cook's command to push those security updates and enhancements over the Internet and cell phone networks. And being a unified entity, Apple has the incentive to bear the costs of updates, security and otherwise, to maintain its reputation and long-term relationship with its customers, because Apple has an ongoing and lucrative relationship with its iOS-device customers, at least outside of China. Therefore, Apple can design, test, issue, and distribute its updates to its iOS devices, unless the user were to block updates on his iOS devices.
What can Alphabet's Google division do to correct these fundamental problems so that it can design, test, and distribute/push security and other updates to its Android devices? That is a good question, and is one to which no one, not even Google, appears to have a practical answer.
And yet with no answer, Google expropriates, as a matter of right, our most intimate and confidential personal information from its Android devices, its search engine, and by other devices and means for its profitable uses, and now proposes to develop an even greater system of ubiquitous and nearly constant surveillance of us to collect every bit of our information, i.e., every bit of us, for storage and use on its servers, when it can’t even secure its own Android devices and when that information would be subject to seizure by the government and private lawyers through court process.
I thought that, somewhere in its corporate charter, the original Google asserted, at least as an aspiration, that it would do no evil. I humbly suggest that, in light of how its present practice and business model are so contrary to that aspiration, it should amend its organizing documents to remove that aspiration, if it has not already done so.
Posted by: Chanson de Roland | Tuesday, May 03, 2016 at 04:24 PM