Steve Kovach August 05, 2015 at 06:44PM
It's turning out to be a disastrous week for Android.
A few days ago, we learned about Stagefright, a vulnerability in practically all Android devices that can be exploited with a simple text message. All someone has to do is get a person's phone number and send a certain type of message in order to take over the device. The affected user doesn't even need to open the message. Receiving it does the trick.
After that, Stagefright essentially gives the attacker control over the victim's Android device.
"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited," the security firm Zimperium Mobile Security, which discovered the flaw, said on its website.
So far, there haven't been any solid reports of people affected by Stagefright, but the fact that the vulnerability affects a large majority of smartphone users around the world is reason enough to be worried. Stagefright can attack phones running Android version 2.2 and higher, making an estimated 950 million devices vulnerable, Zimperium warns. Google denies that many devices are affected. It says that 90% of Android phones have a protection against Stagefright.
But it's easy to remain skeptical of Google's claim that most devices are safe since the company and its partners are scrambling to fix Stagefright and assure some users frequent security updates are coming to Android.
On Wednesday, Google, wireless carriers, and phone makers announced major moves to protect users against Stagefright and future vulnerabilities. In a strange way, Stagefright has been a good thing. It's finally mobilized the fragmented system of Android developers, device manufacturers, and carrier partners to take a unified stance and start working together.
Deutsche Telekom, the German wireless carrier, announced that it would be shutting off its multimedia messaging service (MMS) in order to protect users from Stagefright. Google will start issuing monthly security updates to its Nexus line of Android devices moving forward as a way to protect users from future bugs. Samsung will also release monthly security updates for select devices. AT&T and Sprint will help push Samsung's security updates. It's unclear how other carriers will help out, but Samsung will need their support too.
In statements to Tech Insider, LG, Motorola, and HTC all made promises to fix the Stagefright bug and ensure that future devices won't be affected.
But it's not going to be enough. Android is the world's largest operating system, but it's run by a wild network of players. Google has little to no control over Android. If there's a vulnerability that affects its massive user base, it has to wrangle literally hundreds of players together to fix the problem. It's an impossible task.
Wednesday's moves are great for many users, but there are still hundreds of millions of Android users in the world that will remain vulnerable to Stagefright and/or whatever the next Android security flaw is. The promises we have from manufacturers and Google to update devices only apply to certain flagship phones or new phones that were recently released. It's unclear if and when older and cheaper Android devices, which make up most of the Android ecosystem, will be updated or get the monthly security updates promised to some users on Wednesday.
It also highlights the biggest problem with Android: Fragmentation.
Android is an open source operating system, meaning anyone can take the software and put it on their phone or tablet. Most manufacturers change Android by adding their own designs, apps, and other special features. But because each manufacturer's version of Android is slightly different, most devices don't get new software updates as soon as they're available.
That's particularly bad when someone discovers a security vulnerability in Android. It's a major challenge to make sure all users get software updates to fix it.
Android isn't the only mobile platform that's vulnerable to attacks. For example, in a separate event in May, a string of characters texted to Apple devices would cause the Messages app to crash. But we learned the benefit of owning an Apple device when that flaw was discovered. Apple was able to push out a fix to all of its devices because they're all running the same software.
The problem we're seeing with Android now is that with so many different devices on so many different carriers running so many variations of Android, it's nearly impossible to make sure most users are safe. Google and its partners made a good first step by promising monthly security updates for some devices, but it's not even close to good enough.
Join the conversation about this story »
NOW WATCH: Here’s the newest phone from Xiaomi — the company that’s outselling Apple and Samsung in China
Android faces an improbable challenge from Business Insider: Steve Kovach
No comments:
Post a Comment