A host of rather catastrophic vulnerabilities has recently been discovered in the Android operating system. Perhaps the scariest of them is Stagefright, which allows an attacker to remotely execute malicious code simply by sending an MMS to the target device. As a user there isn’t much you can do to protect yourself from this vulnerability, because it lives deep in the platform’s media-handling code rather than in anything you control. Here is a synopsis of what it is; for details you can refer to the link here – 950 million Android phones can be hijacked by malicious text messages | Ars Technica
Perhaps much scarier than the vulnerability itself is the fact that in the fragmented Android ecosystem there really isn’t a consolidated way to update the millions of devices that run Android. When Google released Android its main aim was adoption and penetration, and it was only too happy to relinquish control to OEMs and carriers if it meant that these parties would drive Android adoption. Looking at the share of the market captured by Android (~80%) there isn’t an iota of doubt that Google’s strategy worked flawlessly. However, it also meant that Google gave everyone a seat at the table whether they deserved it or not, and that strategy has backfired mercilessly on the consumers of Android devices. As of today only about 2.6% of Android devices “might” get an update that patches the Stagefright bug. It is only a matter of time before the world sees a true malware apocalypse on the Android platform. To understand why, here’s the detailed explanation – Waiting for Android’s inevitable security Armageddon | Ars Technica
“There’s too much disregard for the customer in the Android ecosystem to expect any of this to get fixed proactively. Carriers and OEMs don’t want to be relegated to the user space, and right now there are no repercussions for their self-centered actions. But consequences are coming. When the big Android malwarepocalypse does arrive, users won’t care about the “two-year flagship” limit on patches if their phones stop working or their data gets stolen.
The Android update machine is broken, and in order to rebuild it in a way that works, we need to burn it down. Anyone have a match?”
With more and more focus on BYOD, and a shift from the enterprise-owned and controlled BlackBerry model to opening up core enterprise applications on devices controlled by end users, it does make us stop and think whether we are heading in the wrong direction. A quick look around the social media landscape would tell you the monumental demand that the engineering organization within enterprises such as banks faces to enable support for more and more devices for corporate applications. These devices not only run all flavours of Android, but they are manufactured by OEMs dotted around the world, often very regional to the market they operate in (e.g. Micromax and Genie in India). We can’t really fault users for asking for support on the devices that they own; it is only natural that they would do so. Further, as the emerging markets catch up on the whole smartphone euphoria there is only going to be increased proliferation of regional OEMs who take a majority chunk of the mobile market they operate in. While it wouldn’t be quite right to compare them with the Samsungs and Sonys of the world in terms of their support model for the devices they manufacture, it wouldn’t be an unjust assumption to expect that, as newcomers in the market, their focus would be predominantly on increasing their market share by introducing a diverse range of form factors catering to various user segments, as opposed to building a baseline model that lets them retrospectively patch already shipped devices in case something like Stagefright comes along. How then do we as an organization quantify this threat? How do we determine which manufacturers we want to support, and from those manufacturers which form factors we should support?
If we certify manufacturers and models too eagerly, we increase our risk exposure to the whole broken Android ecosystem; if we wait too long, we only inhibit our people from being productive to the best of their capabilities.