A new kernel privilege escalation flaw discovered in the Linux kernel requires server operators to install a patch, but is not going to be fixed for the majority of Android users. After record numbers switched to iOS last quarter, Google's inability to update its user base is pushing switchers toward iPhones even faster.
A new 0-Day flaw discovered by Perception Point Research has existed since 2012, long enough to have spread the vulnerability across "tens of millions of Linux PCs and servers, and 66 percent of all Android devices."
As noted in a report by Dan Goodin of Ars, the flaw allows unprivileged apps to "gain nearly unfettered root access," including access to camera, microphone, GPS location and personal data.
Having been discovered, the flaw is relatively easy to fix for most desktop and server users, but requires a kernel patch on Android that most users of phones, tablets and other devices are unlikely to ever get.
Despite releasing a new version of Android last fall alongside iOS 9, Google still reports that only a tiny fraction of its installed base has gained access to it, in stark contrast to the 75 percent majority of iOS users who are now on the latest software from Apple.
Android's problem is caused by the fragmented accountability of carriers, hardware makers and Google itself to create, test and distribute updates for their customers after the initial sale.
Android's problem is even more serious in China, where reportedly just 20 percent of the installed base has upgraded to software newer than 2014, despite high-volume sales of new hardware. Even Android licensees in the U.S. frequently sell outdated hardware with old versions of Android installed on them, with no plans to ever service users with necessary updates and security patches.
"Android/Google needs to fix their update model," wrote a 'reader favorite' commenter at Ars. "Most Android phones with this bug will never be fixed. It is getting more and more difficult to not actively recommend that people avoid Android for Windows Phone and Apple iOS."
Another stated, "I really really really wish Google would solve the Android update problem. These bugs will happen, and it's impossible to ask developers to always create perfectly secure code. It's really irresponsible to have no way to quickly roll out fixes to your customers. There have been so many security issues with my Android phone, and none of them would be a big deal at all if they could just roll out a fix quickly! Instead I just feel frustrated."
Google did make an attempt to address the issue in the Android Update Alliance, an initiative from 2011 to get hardware makers to commit to at least a year and a half of software update support for their new phones. But it couldn't even win that minor concession from its partners. Hardware makers are actually incentivized not to update old products because this could make their new offerings less attractive (and less necessary to buy).
When Samsung released its Knox software aimed at securing Android enough to sell to enterprise buyers, it was only distributed on its newest and most expensive models.
Last summer at the outbreak of Stagefright (a flaw that enabled attackers to compromise Android devices by simply sending a text message), Android enthusiast Lorenzo Franceschi-Bicchierai wrote "In many ways, Android is great. I love its open source ethos and the ability one has to customize it. But I can't take it anymore for one simple, but really fundamental, reason.
"Google still has very little control over software updates, and Android users are basically at the mercy of their carriers and phone manufacturers when it comes to getting updates or new operating system versions."
He cited a tweet by security researcher Nicholas Weaver: "Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android."
In November, Chris Soghoian, the principal technologist for the American Civil Liberties Union, described Google's lack of updates, combined with its lack of user privacy and its data collection, as a "digital security divide," adding that "the security people I know at Google are embarrassed by Android."
Apple has long pursued security and the rapid distribution of free iOS updates as a differentiating feature. Android switchers are increasing. Tim Cook noted in the company's last earnings call that switchers from Android now account for 30 percent of new sales, the highest quarterly rate of switchers ever.
Data from Ericsson noted that iOS has a regular net influx of switchers that surges with each new iPhone release.