~ MamakTalk ~: Finally! Monthly security updates come to (some) Android devices

Thursday, August 6, 2015




One of the big drawbacks to Android smartphones and tablets has been slow delivery of operating system updates. Unlike iOS, in which Apple controls the operating system and update delivery, the transmission of new software and security fixes for Android also involves manufacturers and carriers. Google, the mobile OS’s developer, may put out updates in a timely manner but the bureaucracy of the Android ecosystem slows the process to a crawl. (And for some devices, updates may never come at all!)

But that may be about to change. The Verge reports that reaction to a new exploit dubbed Stagefright has caused both Samsung and Google to announce plans to issue monthly security fixes, similar to the way Microsoft has delivered patches to its Windows desktop operating system.

It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.

But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.

It’s the simplicity of Stagefright’s attack that has caused Google and Samsung to spring into action, a step that should have been taken long ago. It doesn’t involve sneaking a Trojan program into the Google Play store, nor does it require tricking a user into visiting a poisoned website. A simple multimedia SMS message can own your phone, and that’s scary.

Google said the Stagefright fix was released to its Nexus devices on Wednesday, with new security fixes to be released every month:

Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.

Samsung will do the same, though its statement cautions that it must coordinate the timing with carriers:

Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.

Samsung has recently fast tracked security updates to its Galaxy devices with the recent Android Stagefright issues working with the carriers and partners. Acknowledging the importance of time sensitivity in addressing major vulnerabilities, the company plans to further develop this process and implement it as a timely security update practice.

These are only two purveyors of Android devices, but they’re the most important ones. Google is the developer of Android, and its Nexus devices are considered the company’s way of showing phone manufacturers how Android should be done. Samsung is the market share leader by a wide margin. Their example should inspire other manufacturers of Android devices to take similar steps.

But the remaining players in the Android arena are legion, and that’s a big problem. This astonishing post from OpenSignal shows there are 24,093 distinct Android devices offered by a total of 1,294 different hardware makers. The Android fragmentation struggle is real, people.

If you’ve got an Android device from Samsung or Google and you’re notified of an update, don’t delay. And keep an eye out for monthly fixes from here on out.
