Skip to content

Bit9

← Back to Blog
21 Nov 2011

Ginger What? How Android is Left Orphaned and Alone by Manufacturers

Jon Cilley

Cupcake, Donut, Éclair, Froyo, Gingerbread, what’s your flavor? The majority of smartphone users now have one of these dessert renditions of Android running on them, but did you ever stop and wonder how not having the most fully baked version of Gingerbread could be compromising yourself or your company’s security? Many people do not take security into account when purchasing a device and most of them may not even know that the software on their Android device is out-of-date – sometimes right out of the box.

In fact, almost every Android phone purchased – no matter how new or old – on the market today does not have the most recent version: 2.3.7. Some are a full year behind the update schedule dictated by Google, which means security vulnerabilities are not being maintained, bugs are not being patched, and loopholes in your system are being left open. To drive home the point, out of all 150 plus Android phones on the market today, only one phone has version 2.3.7 running on it: The Nexus S 4G. And with Ice Cream Sandwich (4.0) weeks away from implementation, who will get updated and when? On Dec. 7, 2010, Gingerbread (2.3) was released. Since then, there has only been a 44.4 percent adoption rate among all Android devices that have received Gingerbread within the range of 2.3 to 2.3.7. I’m sorry, but to me this just seems ridiculous doesn’t it?

Sure you have a dual processor, a front-facing camera, or an HD display, but behind all that hardware lies serious weaknesses in the software.  To the consumer we only care about features will never receive, programs we can’t install, and bug fixes we’ll never get, but to companies the problems get much larger.

Many companies do not take mobile security into effect either because of laziness or ignorance, but they should. Juniper Systems noticed a 400 percent increase in malware on the Android platform from the summer of 2010 to 2011. That’s pretty big. During this same timeframe, 52 percent of all devices purchased have been of the Android variety, with all of them (barring the Nexus phones) out-of-date at one time or another.

The reason why I stress the software update ecosystem of Android, is because it prevents Google from being proactive about security. To steal a quote from my friend Harry Sverdlove here at Bit9, “It’s like watching someone steal their car from the seventh floor at Google headquarters.” They can witness it happen, but there’s virtually nothing they can do about it. This is what happens when you put the manufacturers in charge of deciding what devices get what flavor of Android and when they will push it out to consumers. Don’t even get me started on the carriers.

This system gives the power to the manufacturers, while hobbling Google from giving updates to their customers. Google does a great job of resolving problems, but because of its open nature, it’s up to HTC, Motorola, Samsung, etc., to implement the changes to their devices. And because manufacturers are obsessed with getting you from device to device, software updates are not a priority.

So what does this all mean to your security? Well, when Microsoft has a vulnerability, loophole or bug, the company can push updates to all consumers because their updates are centrally managed. No waiting for Dell, HP or Toshiba, it just gets there. With Android, manufacturers give halfhearted efforts to differentiate the free and open Android. Because of this, they then have to tinker with their modulated software, sometimes causing more bugs than fixes – if the updates happen at all. While the consumer is waiting for any of this to happen, malware is embedding itself on the individuals device, connecting to their company’s network, and possibly stealing intellectual property or information.

So how do we stop it? Demand more. Consumers speak with their pocketbooks. So demand a device that has a better update schedule. The reason why the Nexus phones get updated on schedule is because they are centrally managed by Google. The Galaxy Nexus being the newest rendition to launch in the coming weeks. Having a mobile device connect to your company’s network is just as bad if not worse than connecting a personal laptop to a company network. Be mindful and informed, and always demand more to protect your personal and corporate security.

So where’s Apple in all of this? So for those of you who ask: “Ginger-what?” When trying to make sense of all of these version names and numbers. Let me explain. Like the iPhone’s iOS which numbers each new version sequentially (1.0, 2.0, 3.0, 4.0), Google also arranges new software in this fashion, but also linking an adjacent alphabetized dessert name in relation to each improvement to the OS (Cupcake 1.5, Donut 1.6, Éclair 2.1, Froyo 2.2, Gingerbread 2.3, and Honeycomb 3.0 – for tablets). Apple centrally manages everything, so unless you do not dock your phone to iTunes – which happens more than you think – you have the latest security fixes for the iPhone 3GS, 4 and 4S.

For more information regarding our report, please visit: Report.

If you like this blog post, please follow us on Twitter @Bit9Facebook and Google+.

* All information provided is accurate as of Nov. 3, 2011. As you can imagine, this information is constantly evolving and subject to change.

email

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Copy this password:

* Type or paste password here:

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail. You can also subscribe without commenting.


Our Solutions

Our Products

  • Blog

+1 617-393-7400 US