The trouble with Android…

Is that its security is a mess.

Here is a sad fact: if you are a Zimbabwean reading this from your Android device there is a 99% probability (ok, I just made that number up, but you get the idea) that you are doing so from a vulnerable device that has not been updated in a long time, if ever.

The most probable reason no one has hacked your device yet is simply that you are not worth the bother: no one cares that you exist, and that is down to dumb luck rather than your vigilant security.

In fact, about the most effective form of defence and security for people who use Android like me at the moment is that our internet sucks.

This limits our exposure to the malware on the internet, as our internet usage tends to be self-rationed. For most people, this means checking and updating their social media pages and an internet experience limited to WhatsApp.

This is, however, going to change as more and more of us join the broadband bandwagon with the rise of affordable packages like Fibre to the Home.

In theory, because Android is Free and Open Source Software (FOSS), anyone can look at its code and submit patches. Most Android Original Equipment Manufacturers (OEMs) pull the latest code from the Android repository, make minor modifications to it, and add proprietary device drivers and code of their own to the kernel, following agreed standards.

Others, like the folks at Amazon, for example, don’t follow these practices. Chief amongst the standards is the inviolable commandment: Thou shalt not hack the core. The OEMs then compile these concoctions (called ROMs) and ship them in their own devices.

This is a highly effective and democratic system that allows OEMs to quickly build their own Android devices without fear that their proprietary innovations will be stolen, as they can keep them closed source.

To unburden itself of the potential problems arising from having to support a gazillion different devices, the Android project has left the task of updating individual devices not in the user’s hands, nor in the project’s hands, but in the hands of the OEMs and their Mobile Network Operator (MNO) partners.

On the surface, this makes sense. A security vulnerability is discovered in the Android code (loads of vulnerabilities that affect almost all Android devices have been discovered this year alone, with their proofs of concept often being publicly demonstrated).

Once the vulnerability is discovered it is patched. OEMs then pull the patched code from the Android repository, add their own drivers, compile it and build their own updates, which they can then push onto customers’ devices in partnership with their MNOs.

This model works well in the developed world, where users sign contracts with MNOs to receive subsidised handsets and devices in return for using that device exclusively on the respective MNO’s network. It also works well where the OEM is a reputable firm with a large market share that cares about its image and reputation, for example, businesses like LG, HTC and Samsung.

It does not work well when the OEM is some guy in Guanzhong Province who is trying to make a quick buck by selling as many MTK devices as possible. These devices (Zhing Zhongs) constitute a huge number of the devices currently in the hands of Zimbabwean consumers on the street. I may not have the statistics at hand, but a cursory observation of what the shops are selling and what people on the streets are using makes it look that way.

If there is a lesson to be learnt from the recent industrial explosion that killed over 100 people and injured close to 700, it is that most Chinese industries will not let anything as insignificant as ethics block their way to making a profit.

I remember the first tablet I bought from China several years ago. The battery was rubbish, I never used the squeaky earphones, and after about a year, one day, for no apparent reason, the screen just cracked. The simple fact is that anyone who bought their tablet/phone from China can rest assured that, despite the numerous Android patches that have recently been made, they will not be receiving any “updates available” popups, ever.

The MNOs are no better than their Chinese OEM buddies either. Despite the serious flaws in Android, and the fact that some of them actually sell handsets, I do not recall ever receiving an SMS warning customers about these latest vulnerabilities.

Instead, almost every morning, like clockwork, I receive “spammy” SMSes telling me to make sure I don’t get left out of some deal that I am not even interested in and that has nothing of value to offer me; another case of fellas out to make a quick buck while giving as little as possible in return.

In my opinion, the guys at Android need to adopt the old Linux distro philosophy to updates here. They will have to separate the common code from the OEM-specific code, as they have already done.

They will then create an APT-like repository that allows people to use their own internet connections to update their devices, using an update manager that regularly checks the repositories for updates and prompts the user if any are available.

OEMs will continue to ship their drivers as closed source as usual, or make use of a Personal Package Archive (PPA)-like section of the repository to push their own driver updates. MNOs can then host mirrors of the official repositories and allow people to update their devices quickly at subsidised cost. Meanwhile, user apps will continue to be accessed via the markets, as is already the case.
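As an added illustration of the update model proposed above (example code written for this page, not anything the Android project or any OEM ships), the sketch below models the two halves of such a repository: a `core` channel for the common Android code and a PPA-like `oem/mtk` channel for an OEM's closed-source drivers. The update manager compares the installed versions against the repository manifest and only reports packages that are newer. Because the post has MNOs hosting mirrors, the example also adds one check a practitioner would insist on that the post does not spell out: every package carries a SHA-256 digest in the manifest, and a package fetched from a mirror is rejected if its digest does not match. All package names, versions, blobs and the manifest format are constructed for the example; in a real deployment the manifest itself would also need to be signed by the repository key, which is left out here.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a package blob; this is what the manifest publishes."""
    return hashlib.sha256(data).hexdigest()


def parse_version(version: str) -> tuple:
    """Turn a version such as '5.1.1-r9' into (5, 1, 1, 9) so it compares numerically."""
    return tuple(int(part) for part in version.replace("-r", ".").split("."))


# Constructed package blobs standing in for real update archives.
PACKAGE_BLOBS = {
    "android-core": b"android core 5.1.1-r9 (constructed sample)",
    "oem-mtk-camera": b"mtk camera driver 2.1.0 (constructed sample)",
    "oem-mtk-modem": b"mtk modem driver 1.9.0 (constructed sample)",
}

# Constructed repository manifest. The common code lives in the "core" channel;
# the OEM's closed-source drivers live in the PPA-like "oem/mtk" channel.
# Digests are published here so a blob served by any mirror can be checked.
MANIFEST = {
    "core": {
        "android-core": {"version": "5.1.1-r9",
                         "sha256": sha256_hex(PACKAGE_BLOBS["android-core"])},
    },
    "oem/mtk": {
        "oem-mtk-camera": {"version": "2.1.0",
                           "sha256": sha256_hex(PACKAGE_BLOBS["oem-mtk-camera"])},
        "oem-mtk-modem": {"version": "1.9.0",
                          "sha256": sha256_hex(PACKAGE_BLOBS["oem-mtk-modem"])},
    },
}

# What a constructed device reports as currently installed.
INSTALLED = {
    "android-core": "5.1.1-r4",
    "oem-mtk-camera": "2.0.3",
    "oem-mtk-modem": "1.9.0",
}


def available_updates(installed: dict, manifest: dict,
                      channels=("core", "oem/mtk")) -> list:
    """List packages whose repository version is strictly newer than the installed one.

    Equal or older repository versions are ignored, so a stale mirror can never
    talk the device into a downgrade.
    """
    updates = []
    for channel in channels:
        for name, entry in manifest.get(channel, {}).items():
            if name not in installed:
                continue  # not part of this device's build; nothing to update
            if parse_version(entry["version"]) > parse_version(installed[name]):
                updates.append({
                    "name": name,
                    "channel": channel,
                    "installed": installed[name],
                    "available": entry["version"],
                })
    return updates


def verify_package(blob: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of a fetched blob's digest against the manifest."""
    return hmac.compare_digest(sha256_hex(blob), expected_sha256)


def fetch_and_verify(name: str, channel: str, fetch, manifest: dict) -> bytes:
    """Fetch a package through a mirror callable and refuse it on digest mismatch."""
    entry = manifest[channel][name]
    blob = fetch(name)
    if not verify_package(blob, entry["sha256"]):
        raise ValueError(f"digest mismatch for {name} served by mirror")
    return blob


def mirror_rejected(name: str, channel: str, fetch, manifest: dict) -> bool:
    """True if the update manager refused what the mirror served."""
    try:
        fetch_and_verify(name, channel, fetch, manifest)
    except ValueError:
        return True
    return False


# Two constructed mirrors: one honest, one serving a modified blob.
def honest_mirror(name: str) -> bytes:
    return PACKAGE_BLOBS[name]


def tampered_mirror(name: str) -> bytes:
    return PACKAGE_BLOBS[name] + b" (modified in transit)"


if __name__ == "__main__":
    for update in available_updates(INSTALLED, MANIFEST):
        print(f"{update['channel']}: {update['name']} "
              f"{update['installed']} -> {update['available']}")
    print("tampered mirror rejected:",
          mirror_rejected("android-core", "core", tampered_mirror, MANIFEST))
```

Running it reports the core update and the camera driver update but not the modem driver, whose installed version already matches the repository, and shows the tampered mirror being refused. Splitting the manifest into channels is what lets the core update ship without waiting on the OEM, and what lets the OEM push a driver fix without touching the core.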

I can see several people moaning and angrily waving their fists at me because of the complications that might arise out of such an arrangement.

There’s the possibility, for example, of a security patch breaking some OEM’s driver and with it the device, or the complexity of having to deal with devices whose specifications the Android teams have no way of knowing beforehand.

I believe, however, that my proposal is justified. First, OEMs, MNOs and the Android team are better equipped to deal with the technical complexities than consumers are.

Secondly, at the moment a lot of Android users out there are working under the assumption that just because their devices work, they are safe. Finally, I believe with the utmost sincerity that security should never be sacrificed for convenience, which is the trouble with OSes like Windows.

In fact, Android is worse than Windows when it comes to security. Despite its popularity there is no mechanism to ensure that security patches reach the consumer, and no concerted effort at all from those who benefit the most from the ecosystem. The consumer is left to fend for themselves, and if this continues we are yet to see the worst of Android’s hacks.

Android’s security arrangement as it currently stands is one huge mess. A clusterf**k.

7 comments

  1. The N

    Hence the reason why we inevitably need more penetration testers in Zimbabwe. Our country has some of the fastest internet speeds anywhere. Our average speed is even faster than South Africa’s. More of our systems are slowly being exposed to potential hackers and, as a young and developing country, measures must be taken to secure these systems. People should be informed on simple information gathering attacks such as social engineering, reconnaissance and footprinting.

  2. Kungurirai

    Updates are good, but hey, some apps have to be updated frequently, making it a data burden to some of us.

  3. macd chip

    Let’s clear this mentality:

    “..These devices (Zhing Zhongs) constitute a huge number of the devices that are currently in the hands of Zimbabwean consumers on the street..”

    China makes products which fit every market. If you go to China and you want to maximise your returns, you buy cheap (which most Zimbos do), which means you get substandard products.

    Then you come back to Zim and sell the same substandard products at even higher prices than quality products. This has distorted the real value and view of Chinese products here.

    I buy a lot of PCs, servers, memory, SSDs and NAS boxes for production, and it’s not hard to guess where they are manufactured.

    So before we play the blame game, let’s look at ourselves first.

    1. macd chip

      Otherwise I like the story. I have been waiting and considering the Ubuntu phone, but not sure though about the update model.

      1. Garikai Dzoma

        The truth is that it would not matter where you bought your phone if you could update most of the material yourself. Let’s be honest it does not matter what we do, people are not going to be flocking to buy Samsung Galaxies with the economy what it is.

  4. Tapiwa✓

    The dire security situation is a likely contributing factor to why Google started Android One[1]. With Android One, Google partners with OEMs to manufacture devices with near-stock Android, and all updates are directly handled by Google.

    1. https://en.wikipedia.org/wiki/Android_One

  5. Kr4f+

    Using APT with Android will never happen. Seems like this author is out of his damn mind. For a fully open source Android OS one should consider Replica
