Suddenly the big beasts of Android are taking the platform's security very seriously. Recent weeks have seen a number of significant security flaws, including a particularly alarming one called Stagefright that could be used against almost every Android user on the planet with very little difficulty.
Google suddenly appears to be less laid back than usual about this, announcing within days of Stagefright that from this month its own Nexus devices will receive at least monthly Over-The-Air (OTA) updates offering security fixes. Samsung, the biggest hardware partner, has said it will feed this through to Galaxy smartphones and tablets, also from this month, although the timing for specific fixes will still depend on coordination with mobile carriers.
What prompted the change? Numbers from Danish vulnerability management firm Secunia show that 80 flaws have been found in Apple's iOS so far in 2015 compared to an apparently modest 10 in Android. These numbers are deceptive; what matters with mobile operating systems is how serious the flaws are, how easy they are to fix and how quickly that happens. Apple has direct control over that process, Google (with the exception of Nexus devices) doesn't. If Google either produces a patch that must be applied by carriers or phone makers, or the flaw exists in a third-party plug-in that is part of the ecosystem not controlled by Google, it could be weeks, months or never before handsets receive an update.
Worries about Android's fragmentation and its effect on security are nothing new, but anxieties about the way the platform handles security run deeper. There was a time when Windows PCs were only updated for security issues on an occasional basis, but by 2003 Microsoft had realised that this was no longer sufficient. Android is now going through much the same growing-up process.
Depending on the nature of the flaw (i.e. whether it is buried in Android itself or in a third-party component), Google always produces the first fix. But consumers still rely on carriers and manufacturers to apply it, and much the same may apply to enterprises. The fact that a large organisation manages its Android devices using Samsung's Knox security platform for BYOD or a third-party Mobile Device Management (MDM) system is irrelevant if no patch is available for the flaw in question.
The 'Certifi-Gate' mRST flaw
Revealed this week by Check Point, this is a weakness in the certificates used by two mobile Remote Support Tool (mRST) plug-ins, Rsupport and TeamViewer, which a large number of handset makers use for remote support. In essence, the weakness allows an attacker to use a malicious app to piggyback on the certificates and permissions given to these apps, taking control of the device.