SAN JUAN, Puerto Rico — Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices.
The lack of updates leaves millions of Android users sometimes upwards of two revs behind, not only in feature updates but in patches for security vulnerabilities. Today during a session at the Kaspersky Lab Security Analyst Summit, Soghoian made a call for legislators to get involved in calling AT&T, Verizon, T-Mobile and Sprint on the carpet for their practices, or cede control to Google for providing regular updates to devices.
Unlike Apple, which wields considerable influence with the carriers because all of them want a share of the iPhone market, Google has relatively little power in its relationship with them, Soghoian said. Google gives away the Android operating system for free, and carriers and handset vendors have control over update distribution.
“With Android, the situation is worse than a joke, it’s a crisis,” said Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union. “With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.”
Android malware skyrocketed over the last 12 months. Researchers at Kaspersky Lab said that 99 percent of mobile malware detected monthly was targeting Android; in May 2012, there were 7,000 unique attacks detected for the platform. Android has the largest mobile device market share, yet users are vulnerable to a number of attacks, the most prevalent being SMS attacks that run up premium calling charges. Malicious applications that drop malware are also rampant on the Google Play marketplace, despite the introduction of the Google Bouncer malware scanner.
While the carriers and Google engage in a bit of finger-wagging at each other over who is to blame, consumers remain in the crosshairs of attackers because they are not getting the updates they are essentially promised with the purchase of a device. Soghoian showed some numbers backing up his premise; some LG Android devices were up to 16 months behind, while Samsung devices were up to 13 months in arrears. Also, according to the Google Android Developers Dashboard, 50 percent of devices are running the Gingerbread version of Android, which was released in 2010.
“You don’t need a zero-day to attack Android if consumers are running 13-month-old software,” Soghoian said.
Soghoian was clear too in pointing out that Google is quick to patch vulnerabilities and makes those patches available to its hardware partners. Those fixes, however, are not getting downstream to consumers, he said. The most egregious example he provided was an update that would block a stolen Gmail digital certificate compromised in the DigiNotar certificate authority breach. Soghoian said that in his opinion Google won’t heavily market its Google Nexus devices, which get regular security updates because Google controls those updates, in order to maintain some peace in its relationships with the carriers and hardware vendors.
Most concerning is the default Android Web browser: unlike the Chrome and Firefox desktop browsers, which are on six-week update cycles, the Android browser is two years behind in updates. Soghoian said browser updates are available only when the manufacturers send complete updates; browser updates are not available in the Google Play store.
“Outside the geek space, consumers don’t know the problem exists,” Soghoian said. “They may realize they’re not getting feature updates, but they may think security updates are happening in the background, or they don’t realize security updates are important.”
Soghoian added that the carriers have been leveraging their influence for some time. He offered three examples of device features that carriers would block because they conflicted with the carriers’ business models: Bluetooth, tethering and Near Field Communication.
“When faced with a choice of providing a full set of features users wanted, the carriers would cripple those services because they threatened the carriers’ business model,” Soghoian said.