It turns out that Microsoft has been right all along, at least when it comes to software updates. Android has it very, very wrong. And Apple, in its quest to rule everything, got it right out of sheer monopolistic will.
Troubling news surrounding Android this week reveals that an estimated 950 million Android phones are susceptible to an attack. The attack focuses on Android’s Stagefright subsystem, which is responsible for rendering video from a variety of formats. A carefully crafted message sent through MMS to an unsuspecting user could launch code remotely on the user’s phone. The remotely executed code could interfere with the operation of the phone and perhaps reveal the user’s private data to the attacker. All phones running versions of Android since 2.2 are vulnerable.
The vexing problem here isn’t that the vulnerability exists. Almost all code contains flaws that can be exploited. Instead, the problem is that the vast majority of Android phone and tablet users are not going to be able to access a fix for the problem any time soon. In fact, many will never see a patch for it. That means the vulnerability will continue to exist, and it is only a matter of time before attacks against Stagefright escalate into a crippling crisis.
It’s not that Google, the maker of Android, isn’t patching the operating system that runs 78% of all phones sold. It is frequently updating the Android code base, fixing flaws as they see them. The problem is that Google, in its quest to make its operating system available quickly, gave way too much ground to third-party players to customize the operating system. Every Android device manufacturer can tweak aspects of the Android operating system to yield its own, market-recognizable custom version. Further, every major carrier can likewise customize the operating system in limited ways. And every carrier can control whether, when, and how users receive critical updates to Android, and they can do this based on phone model. It is to the manufacturers’ and carriers’ advantage to control the update cycles for Android, because they can perpetuate a “replace your phone very two years” mentality among their customers by denying access to the latest and greatest versions of Android. So what we have today is a highly fragmented Android ecosystem. There are hundreds of differently customized versions of Android, contributed by numerous device manufacture – cell carrier combinations. And there is no direct way for Google to get critical updates, such as the code fix for Stagefright – to the end users.
Alas, this is a thoroughly broken security model.
It is interesting to contrast how Google handled the Android rollout with how Microsoft handled Windows at its launch. Microsoft likewise wanted to get Windows into every office and home, and so it decided to let any hardware manufacturer make computers and peripherals that would run Windows. But Microsoft maintained sole control of the operating system. IBM, Dell, and HP couldn’t create its own interpretations of Windows; they had to run the Windows operating system as Microsoft intended it. Of course, individual hardware manufacturers could – and certainly do – add their own applications (the much derided “bloatware”), but those are user-run applications, not components of the operating system. So, when it is necessary to issue a patch to fix a security vulnerability or other kind of bug, Microsoft can push those updates to every computer running one of the four or five Microsoft-supported versions of Windows, and it will work. That ability to send fixes directly to the user has enabled Microsoft to respond to the constantly evolving cyber threat rather gracefully. Microsoft controls the updates, and the hardware manufacturers and Internet service providers have nothing to do with issuing them.
Of course, Apple chose a completely different approach. They make the hardware and the software. Nobody but Apple makes a device that will run an Apple operating system. They have full control of the Apple ecosystem. So, the challenge they face in keeping their devices secure is far, far less. I don’t believe for a minute that Apple did this because they knew a decade ago that this would give them a better security posture. Instead, they wanted to control the market and exploit profit margins in both hardware and software. But the unexpected benefit of their greed and parochialism is a much easier to maintain security front.
Google gave away far too much control in its quest to get Android onto as many devices and carriers as possible. It is now going to pay the price for that shortsightedness. And so will we.