The Real Android Security Issue

A new text message vulnerability has been discovered. Sending a maliciously formed video through multimedia messaging service (MMS) an attacker can compromise a device running Android. This shouldn’t be a notable problem because Google has already pushed out a fix. But it is a notable problem because there’s no guarantee device manufacturers will push the fix to their users:

If you’re an Android user, you’d better hope that a stranger doesn’t send you a video message in the near future — it might compromise your phone. Security researchers at Zimperium have discovered an exploit that lets attackers take control if they send a malware-laden MMS video. The kicker is that you may not even need to do anything to trigger the payload, depending on your text messaging app of choice. While the stock Messenger app won’t do anything until you see the message, Hangouts’ pre-processing for media attachments could put you at risk before you’re even aware that there’s a message waiting.

Google is already on top of the flaw, and has pushed out a fix to its hardware partners. However, whether or not you’ll get that fix will depend on your phone’s manufacturer. Zimperium tells Forbes that the Nexus 6 and Blackphone are already safe against some of the related flaws (other Nexus devices are likely in a similar boat), but more common third-party phones from Samsung, HTC and others are typically still vulnerable.

There is a lot of heated debate over whether iOS or Android is more secure. Overall I think both operating systems have a decent reputations for security but Android gets a bad rap because Google doesn’t control the update channel for all Android devices. Google has already pushed the fix out to its device and some manufacturers have pushed the fixes to their users. But each manufacturer gets a great deal of leeway over what they can do with Android and many have opted to make their devices rely on their update channel instead of Google’s. This means updates may not arrive in a timely manner or at all.

iOS has an advantage when it comes to security because Apple controls the hardware and software. When a vulnerability is fixed Apple can guarantee everybody using a currently support version of iOS gets the update.

Google would do well to require device manufacturers to use its official Android update channel in order to use its proprietary apps (which is the only real pull Google has since Android is an open source operating system). Since most Android users rely on Google’s proprietary apps that would be a powerful incentive for handset manufacturers to utilize the official Android update channel instead of rolling their own. Until that is done I fear a lot of Android users will continue being vulnerable to exploits that have already been discovered and patched.