Android security is a mess. While device manufacturers and wireless carriers rack up profits, Google seems to be the only company with its hands in the Android pie that is working to fend off hackers.
Smartphone makers and carriers are more interested in selling products and services than in pushing out updates that would patch vulnerabilities. As Kaspersky Lab points out, more than 25 percent of Android smartphones in use today are still running version 2.3 (Gingerbread), which was released in late 2010.
While manufacturers and carriers sacrifice customers to the profit gods, Google is improving security. Android 4.4 KitKat, released last week, warns people when a certificate authority has been added to the device by the user. A CA that a user was tricked into installing lets an attacker on the same public Wi-Fi network impersonate HTTPS sites without the browser complaining, so surfacing that CA is a nifty defense against man-in-the-middle attacks.
And that's not all. KitKat also makes it harder for technically advanced attackers to intercept traffic between the smartphone or tablet and Google services. It does this with certificate pinning: for Google domains that use HTTPS, the secure communications protocol for the web, a connection is accepted only if the server's certificate chain contains one of a built-in whitelist of certificates. A certificate for a Google domain issued by any other authority, even one the device otherwise trusts, is rejected.
Google has also hardened the Android operating system itself. KitKat uses a mandatory access control (MAC) system called SELinux, which confines system processes with a policy that says which files, sockets and operations each one may touch. That makes it a lot more difficult for malware writers to turn a bug in one privileged service into root-level control of the whole device. SELinux is part of the Linux kernel on which Android is built.
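The two checks described above, the ordinary trust-store check that a user-installed CA defeats and the pin check that it does not, shown side by side as an added example written for this page in Go against the standard library. It is not code from the article or from Android itself: the CA names, the hostname mail.example.test and the single pinned key are constructed for the demonstration, and the pin format (base64 of the SHA-256 of the SubjectPublicKeyInfo) is the one later standardized for HTTP public key pinning, not necessarily what KitKat stored internally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// mkCert issues a certificate for cn. With parent == nil it is self-signed (a root CA);
// otherwise it is signed by parent's key. Keys are generated fresh on every run.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// trustStoreOK is the ordinary check: does the chain lead to any root in the store?
func trustStoreOK(chain []*x509.Certificate, roots *x509.CertPool, host string) bool {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err == nil
}

// pinOK is the extra check: at least one certificate in the chain must carry a pinned key.
func pinOK(chain []*x509.Certificate, pins map[string]bool) error {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return errors.New("pin mismatch: no certificate in the chain carries a pinned public key")
}

// Scenario holds two chains for the same hostname: one from the legitimate CA and one from
// a CA the user was tricked into installing. Both roots are in the device trust store.
type Scenario struct {
	Host  string
	Roots *x509.CertPool
	Pins  map[string]bool
	Legit []*x509.Certificate
	Rogue []*x509.Certificate
}

// BuildScenario constructs the hypothetical CAs, leaves and pin set used by the demo.
func BuildScenario() *Scenario {
	const host = "mail.example.test" // hypothetical hostname
	legitCA, legitKey := mkCert("Legit Root CA", true, nil, nil)
	legitLeaf, _ := mkCert(host, false, legitCA, legitKey)
	rogueCA, rogueKey := mkCert("User-Installed Rogue CA", true, nil, nil)
	rogueLeaf, _ := mkCert(host, false, rogueCA, rogueKey)

	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // the attacker's CA, trusted once the user tapped through the install
	// Pin the legitimate CA's key rather than the leaf's, so leaf rotation does not break clients.
	pins := map[string]bool{spkiPin(legitCA): true}
	return &Scenario{
		Host:  host,
		Roots: roots,
		Pins:  pins,
		Legit: []*x509.Certificate{legitLeaf, legitCA},
		Rogue: []*x509.Certificate{rogueLeaf, rogueCA},
	}
}

func main() {
	s := BuildScenario()
	for name, chain := range map[string][]*x509.Certificate{"legit": s.Legit, "rogue": s.Rogue} {
		fmt.Printf("%-5s trust store ok: %v  pin check: %v\n", name, trustStoreOK(chain, s.Roots, s.Host), pinOK(chain, s.Pins))
	}
}
```

Run it and both chains pass the trust-store check, because the rogue CA is in the store; only the pin check tells them apart, which is exactly why a whitelist of known-good keys for high-value domains stops an interception that a rogue CA would otherwise make invisible.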
Google has added other security improvements, but those are some of the important ones. Unfortunately, very few Android users will actually get the additional protection, because carriers and manufacturers have placed a low priority on building a system for timely automatic updates.
Instead, they prefer to do nothing, so customers will have to replace their outdated devices sooner.
Android users who believe things couldn't get much worse don't appreciate how incompetent manufacturers are when it comes to security.
A research team at North Carolina State University analyzed the preloaded apps manufacturers customize in order to make their devices stand out in the market. On average, 60 percent of the exploitable flaws they found in the 10 devices they evaluated were in the tailored apps from Samsung, HTC, LG, Sony and Google, which owns smartphone maker Motorola.
Even sleazier, 85 percent of the customized apps on average were over-privileged, meaning the manufacturers requested Android permissions the apps' code never actually used. Every unused permission is extra attack surface: a flaw in the app hands an attacker that permission as well. The developers must be laying the groundwork for using those services later.
The researchers looked at an Android 2.x phone and a version 4.x phone from each manufacturer and found no significant difference in the number of vulnerabilities between the two, which means the manufacturers haven't cared enough to improve security over the years.
Sign up for CIO Asia eNewsletters.