Last week, a rather interesting complaint was filed before the Federal Trade Commission. In a 16-page complaint, the American Civil Liberties Union described the lack of updates for many Android devices as “unfair and deceptive business practices”. The complaint went on to ask the respondents (the top four wireless carriers in the United States) to let customers with unpatched (and vulnerable) devices out of their contracts early.
We will note that the FTC settled with HTC just two months ago over the Carrier IQ controversy. Unpatched vulnerabilities were a key part of the settlement; HTC agreed to patch the vulnerabilities within 30 days. While ordering the vulnerabilities fixed was laudable, it wasn’t exactly timely: Carrier IQ came into the limelight in late 2011.
What the complaint does do is bring the Android update problem beyond tech industry circles and into the hands of regulators. Two years ago, at Google I/O, the Android Update Alliance was unveiled. Google promised to work with both carriers and device manufacturers to keep devices updated for 18 months after they were released. Unfortunately, almost nothing has been heard from the alliance since then.
Let’s consider Google’s own statistics. The most common version of Android in use is… Android 2.3 (Gingerbread), which was last updated in September 2011. The percentage of users on the latest version, Android 4.2 (Jelly Bean), is… 2%. It is rumored that the next version of Android, codenamed Key Lime Pie, will be released as soon as this May. It’s quite possible that 4.2 will not even reach a double-digit percentage by the time its successor is released.
To contrast this, Apple was able to get more than 20 percent of iOS users on iOS 6.1 – within 36 hours of launch. Information from developers suggests that the vast majority of iOS devices in use – almost 90% – run up-to-date versions.
The fundamental problem is that the way Android devices are updated is very different from how iOS and Windows systems are updated. In both Windows and iOS, a single company is responsible for pushing updates to end users. With Android, the main developer (Google) can develop and release updates, but ultimately getting them out to end users is up to the device manufacturers and carriers. The graph below illustrates the added complexity of this situation.
For end users, this might sound like a trivial thing – but it isn’t. Each Android version brings with it security improvements and new features that are valuable in the long term. If this cycle of delayed updates continues, many, many users will be left with less-than-state-of-the-art protection and OS hardening. The same situation exists on Windows, with the consequences that follow from it.
It’s not clear when – or if – this problem can be resolved. There are many parties involved, and their interests don’t necessarily align with each other. Unfortunately, this means that users cannot expect a solution to arrive anytime soon. It’s up to users to make vendors listen, so that updating devices becomes in the vendors’ own interest.
Users should make the likelihood of updates a factor in their buying decisions – it’s been demonstrated that not all carriers or OEMs are equal when it comes to updates. If it’s clear that users will buy a phone that gets updates quickly over a phone that doesn’t, OEMs and carriers may make patching a priority, after all.
As we noted in our 2012 roundup, Android may be the new Windows due to its popularity. Now, it seems, it’s gathering some very similar problems as well.
For an easier grasp on how the Android update process works and other interesting facts about the platform, you may refer to our infographic Are You Missing Out From Your Android Device? for more details.