Under Pressure, Google Promises To Update Android Security Regularly
This post was updated at 4:14 p.m. ET.
Google is making big promises to fix its Android operating system. The company recently came under sharp criticism after researchers found a major flaw in Android that would let hackers take over smartphones with just a text message.
Now, Google tells NPR and writes in a blog post, it'll work with other phone makers to fix that bug. And, going one step further, Google is rolling out a brand new system to protect smartphones regularly — not just once in a while.
Adrian Ludwig, lead engineer for Android security, spoke Wednesday at Black Hat, a cybersecurity conference in Las Vegas. He covered a few topics, starting with the bug called Stagefright.
Last week researchers with Zimperium, a mobile security firm, said they'd discovered major flaws in the heart of the Android operating system (in a library called "libstagefright"). This bug would allow hackers to take over nearly 1 billion phones, just by sending an infected text message. To fix the problem, Zimperium says, smartphones need firmware updates that reconfigure the entire operating system. It's the software version of open heart surgery.
While Google agrees this bug is serious, the company disputes how widespread it is. Ludwig says that currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue.
Clearly there's a difference of opinion. Still, Google is agreeing that it needs to take decisive action. The company makes Nexus smartphones. Ludwig announced that Nexus owners will get patches starting this week.
He also spoke on behalf of other Android manufacturers. He's promising that this month, the most popular Android devices are getting the fix. The list includes:
-- Samsung: Galaxy S6, Galaxy S6 Edge, Galaxy S5, Note 4, Note Edge;
-- HTC: One M7, One M8, One M9;
-- LG Electronics: G2, G3, G4; and
-- Sony: Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact.
Also Wednesday, Samsung described a new Android update process that "fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month."
A New Industry Standard?
Ludwig made another announcement: Nexus devices will receive monthly updates that are "purely focused" on security to keep users safe. (The company states in its blog post that the devices "will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.")
"People have been looking for clear communication about Android from a security standpoint," Ludwig said. "It now exists. This is really a watershed moment for us as an industry."
For three years, Google has given Android manufacturers regular updates about flaws that need to be fixed. But whether they act on that information is not in Google's hands.
Nexus is. Granted, the brand is a much smaller share of the market than Samsung, but if Google keeps its promise and executes well, the company could be creating a new industry standard for smartphones — at least on the Android side. Apple, which controls both the hardware and software of its devices, regularly rolls out updates to its iOS that are quickly adopted by users.
Bryan Glancey, a security researcher with Optio Labs, used to work for Samsung. He says a coordinated system for Android security is long overdue.
"If you fix a problem on Apple, it goes to all Apple devices and you've done it one time. But if you want to fix a problem on Android, you've got to fix every variant," he said.
And to do that, Google must coordinate with many manufacturers. Glancey says by doing so, the company hopes to decrease the public perception that Android phones are less safe than iPhones.
It'll be interesting to see if other Android manufacturers and phone carriers, which are often a bottleneck to updates, follow Google's lead.
Copyright 2021 NPR. To see more, visit https://www.npr.org.