Late last month, security researcher Joshua Drake informed the world about an Android exploit known as Stagefright. Google was informed about the vulnerability months in advance, but this was the first time the public was hearing about a security hole that could theoretically affect 95% of all the Android devices in the world.
On Wednesday, Google teamed up with its Android partners to announce a fix that would be distributed to vulnerable devices, but as Ron Amadeo of Ars Technica points out, the update is only going to be available to a sliver of the Android community.
“In a perfect world,” Amadeo writes, “the inability to update billions of potentially pwnable Android handsets would be enough to get Google, the OEMs, and the carriers to all sit down, set aside their branding guidelines and marketing department-enforced differences, and say, ‘We need to fix this.’ But we don’t live in a perfect world.”
Amadeo knows that smartphone owners like to compare Android to iOS, but the two couldn’t be further apart when it comes to dealing with manufacturers and issuing updates to a wide variety of devices.
Rather, Android is more comparable to Windows, and although the Android OS will never be as closed off as Windows, Google is going to have to reclaim some of the access that it has freely given to carriers and OEMs in the past if it wants to provide effective safeguards against these kinds of vulnerabilities in the future.
Here are Amadeo’s closing thoughts:
There’s too much disregard for the customer in the Android ecosystem to expect any of this to get fixed proactively. Carriers and OEMs don’t want to be relegated to the user space, and right now there are no repercussions for their self-centered actions. But consequences are coming. When the big Android malwarepocalypse does arrive, users won’t care about the “two-year flagship” limit on patches if their phones stop working or their data gets stolen.
Users have been (rightly) complaining about the ridiculous degree of fragmentation in the Android ecosystem for years, but there’s nothing they can do until Google takes the issue seriously. Be sure to read the full piece on Ars Technica.