In the rush to critique Google for its inability to patch older and some current versions of Android at all or promptly, a rush I was absolutely part of, it's good not to ignore the baggage we're carrying around as well. Google was rightly criticized for the tradeoffs it made starting with the release of Android 1.0 to allow handset makers and cellular carriers to control, more or less, what went onto Android handsets.
This included alternate user interfaces and bloatware, but it also blocked any quick path for security updates and fixes for software flaws. The only exceptions are Google-released flagship phone models whose destiny the company controls, and phones sold with or rooted to run CyanogenMod, a venture-capital-backed Android fork designed to put the OS's updates and behavior in the hands of a device's owner.
But Apple is leaving its users behind in iOS, too, although less rapidly than it was just a couple of years ago. The reason Google gets the opprobrium isn't bias so much as the number of devices affected and the rapidity of change. This gives crackers smaller windows of access to exploit flaws that are likely less valuable. But bluntly, developing malware for Android has a better chance of paying out, and continuing to pay out, than malware for iOS.
Let a thousand versions bloom
"Fragmentation" has been the watchword of critics of Google's approach, and a word I've often used. It mostly affects developers, who with some releases and features have had to do an inordinate amount of work compared to monolithic iOS to get their apps to work correctly on the majority of active Android devices. But it's also relevant to security.
Google's statistics about Android devices checking into its Google Play Store show that only about 18 percent are running a version of Android 5; the majority run a 4.x release. When the Stagefright exploit was revealed more than two weeks ago, the estimate was that even though the exploit had been disclosed to Google and patched in its internal code base, over 95 percent of phones were vulnerable to a simple MMS-based attack. Carriers have worked at the network level and with MMS settings they can change remotely to reduce the risk. But from 20 to 50 percent of Android phones will never receive a patch.
Contrast that with the news of an attack in the wild that's fairly serious and affects iOS devices, but that you may not have heard of. It's a variation of the previously discovered Masque Attack, which I wrote about last November. This exploit allows an app to be replaced with one that has certain identical attributes, but it originally required a user to trust an enterprise certificate, or to carry out another step to accept an app.