Android Fragmentation Equals Android Insecurity

By  |  Monday, November 21, 2011 at 11:09 am

My recent TIME.com column on Android fragmentation didn’t provide an exhaustive list of reasons to be frustrated by the degree to which the Android ecosystem is dominated by old versions of the software. In fact, I didn’t mention one of the biggest ones: Old versions of Android don’t have the newest security fixes, and are therefore potentially dangerous.

Now a security company called Bit9 has released what it calls the Dirty Dozen List of insecure smartphones. They’re all Android models running old versions:

  1. Samsung Galaxy Mini
  2. HTC Desire
  3. Sony Ericsson Xperia X10
  4. Sanyo Zio
  5. HTC Wildfire
  6. Samsung Epic 4G
  7. LG Optimus S
  8. Samsung Galaxy S
  9. Motorola Droid X
  10. LG Optimus One
  11. Motorola Droid 2
  12. HTC Evo 4G

Bit9 explains its methodology–which looks pretty serious to me–in this PDF.

Whenever I gripe about Android fragmentation, I hear from people who tell me that I’m all worked up over nothing. (Typical comment: “Mr. McCracken, like so many tech journalists, you have totally missed the point here. Believe it or not, Android “fragmentation” is not the massive problem it’s made out to be.”) But I’d like to hear anyone explain to me why this isn’t anything to be concerned about.

 
10 Comments


Read more: , , ,

10 Comments For This Post

  1. MJPollard Says:

    Why should we bother, Harry? You’ve been told time and time again that comparing the ecosystems of iOS and Android is like comparing Apples to oranges, but still the fear-mongering persists. In my opinion, it’s just one more example of the pro-Apple bias that drips off this site like blood down the walls of a haunted house. I can’t take seriously anything you say about Android or iOS.

  2. Harry McCracken Says:

    Hmmmm? I didn’t mention iOS in this post. If Apple didn’t exist, this would still be a problem. Wouldn’t it?

    In case it’s not clear, I like Android and want it to thrive. That’s why I’m frustrated over this.

  3. Mike Says:

    Just FUD because no cell phone has a ‘virus’ problem (maybe only Windows Mobile, not sure)

    http://news.cnet.com/8301-30685_3-57327424-264/go

    No major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen, there have been some little things, but they haven’t gotten very far due to the user sandboxing models and the nature of the underlying kernels

  4. Harry McCracken Says:

    I know that security isn’t a big issue with smartphones right now. I’m hoping it’ll stay that way. But I worry that lots of phones with unpatched vulnerabilities isn’t going to help matters.

  5. JohnFen Says:

    Security updating is certainly an area where fragmentation may be an issue, but it doesn’t have to be. Some kind of approach does need to be taken, though.

    What I wouldn’t like is for this to be done the was Firefox does it: all-or-none upgrades, combining the security with the feature updates. I really, really, really hate that. With android, like on every other platform, there are lots of really good reasons why people would not want to upgrade anything, but they should still have security updates available.

    Fragmentation may have less of an impact when considering just security updates.

    But, in the end, even the security issue doesn’t rise to anything like crisis-level concern.

  6. The_Heraclitus Says:

    Not really the security issue. The VAST (~80%) of ALL new malware is now of the Trojan Horse type. It is irrelevant what incremental version of an OS you are using as that type of OS patching doesn't help.

    If it is written for an Apple platform it'll install, if it's for Android it will install, same for latest Windows.

    So, in the security scheme of things, a non issue.

  7. Andrew Brandt Says:

    I’ve railed against fragmentation for specifically this very reason for years. There is no more pressing argument for making necessary updates available to mobile users than to make less-secure versions of Android go away. Mobile providers need to pull their heads out of the sand and deal with the issue before a large, high-profile attack drives masses of customers away from the platform altogether.

    There are also security vulnerabilities in third-party software: Versions of, for example, Adobe Flash for Android — real vulnerabilities which mimic those on desktop computers, and could be used in a drive-by download attack against a mobile device.

    My original T-Mobile G1 is one of my Android malware testing platforms now simply because it is too old and outdated; I consider Android 1.6 too insecure for “real” use other than as a streaming music player and occasional news reader. T-Mobile will never issue another update for it.

    Just because we haven’t seen exploits in wide use against Android devices does not mean Android-specific vulnerabilities are incapable of being exploited. At this point, it’s only a matter of time before someone decides it’s worth the effort to target Android on a wider scale.

    As with Windows devices, it’s easier to target the human-in-front-of-the-device than it is to target a weakness in the device’s software. Human software remains vulnerable to social engineering — deception, outright fraud, and bald-faced lies — promulgated and propagated by other humans.

    The last big point I want to make is that rooting your phone — as complex and counterintuitive as it may seem — offers hope to these abandoned masses of Android users. With CyanogenMod and other large projects, users of orphaned devices may still be able to enjoy the benefits of Android’s latest updates–with the side benefit of a complete lack of bundled bloatware and unwanted, unremovable third-party applications that mobile providers insist on cramming into the “official” Android ROMs.

  8. heulenwolf Says:

    I suppose the one upside to Android fragmentation I can think of is it lessens the common attack surface. Wouldn't it make sense that malware developers find it tougher to write one attack to rule them all for the wide variety of versions out there, just as legitimate developers find it tougher to write apps for the same wide set of targets? Part of the reason malware became so successful on the desktop was that a significant portion of the target set used precisely the same version of Windows. When MS finally got their act together regarding Windows security, malware developers shifted to focus to other common targets like IE or MS Office versions common across various Windows versions and Adobe Flash.

    Another thing different about the smartphone security field from the desktop security field is that people tend to replace their phones far more often than they did their computers. There are still boxes out there plugged into the internet running Windows 98, retransmitting every piece of exploit code ever developed as part of the internet background radiation. Since smartphones are charged per connection, when customers upgrade their phones after a year or two, the old ones are turned off, wiped, or, at least, disconnected. This point isn't to say phone security isn't an issue, just that different rules are going to apply.

  9. Thai Tran Says:

    I'm the CEO of Lightbox.com which is building apps exclusively for Android and fragmentation is a real problem for us. My developers keep asking if we can stop supporting Android 2.1 (which is now 3 generations old), but we can't because a significant percentage of our user base (14%) still use it.

    The problem is phone manufacturers aren't motivated to upgrade older phones to the latest OS. Here is a visualization of how Android phones less than 2 years old are getting abandoned:
    http://theunderstatement.com/post/11982112928/and

  10. Guest Says:

    I'm amused that your post was voted to -1 because you admitted, from a professional standpoint, that fragmentation is a problem. I suppose certain people are not yet comfortable accepting others may know better.