Stagefright might help fix one of Android's biggest flaws

Last week, the Android world woke up to quite a scare. Imagine a vulnerability where you don't have to do anything at all. You just need to receive an MMS (multimedia message) and you're done for. That was Stagefright. And while Google was said to have responded quickly, the revelation of the security hole also put one of Android's biggest warts under the spotlight once more. No matter how swiftly Google acts, updates don't come as fast. Now, however, Stagefright might ironically be helping change that, slowly but, hopefully, surely.

The Scare

Stagefright's power comes from the combination of a vulnerability in Android's code itself and the default behavior of the default messaging app. Android's media library is written in C++ for performance reasons, as C++ is faster than Android's native Java language. However, C++ is also more prone to memory corruption than Java, which takes the responsibility of handling memory directly away from the programmer. Combine this with the fact that the Android messaging app, by default, retrieves and scans multimedia content in an MMS simply upon receiving the message, and you've got a recipe for disaster. Alternatively, it could also happen if a user simply goes to a web page that embeds such a malicious multimedia file.

The Response

Zimperium, which discovered the vulnerability and broke the news, says that it alerted Google to the problem way back in April and even provided patches to plug up that hole. To its credit, Google accepted and applied those patches to its canonical copy of Android, according to Zimperium. Sadly, after that things slowed down to a trickle, pushing Zimperium to make some noise more than three months after Google fixed the problem in its internal copy of Android. In a blog post yesterday, Google revealed that every month it gives its partners, particularly members of the Open Handset Alliance (which mostly means OEMs), security bulletins advising them of critical issues. If so, manufacturers should have at least received the memo by May. So what gives? Stagefright has just unmasked yet again one of Android's most worrying problems: updates.

The Problem

Android is an open platform. That is part and parcel of its essence and what has made it successful. What this means in practice is that once it is out the door, Google no longer has complete control over it. Sure, it dictates what happens in the code before it is released and it has some strategies laid out, particularly through certification and Google Mobile Services, to exert some influence on manufacturers. But, like in the case of Amazon's Fire OS, Nokia's X Platform, or the myriad custom ROMs, Android can still survive without those. In this particular context, it presents one critical problem. Google doesn't have complete control over updates and when they roll out to users.

Responding to criticisms and questions about the rather slow uptake of Android KitKat on its devices, HTC released an infographic in late 2013 that detailed the flow of such updates from Google to the end user. Considering security fixes are applied against the base firmware, something like a fix for Stagefright will go through the same process. In a nutshell, everything has to pass from Google to OEM and, in most cases, to carrier, with each stage having its own set of tests and certification processes. This accounts for the delays in getting updates. And that's not even considering whether a device still receives any attention from the OEM or carrier. Android fragmentation at its finest.

This is in stark contrast to how iOS operates. In typical Apple fashion, Cupertino controls everything. In the first place, there is no other OEM to speak of. But even if you were to buy an iPhone from a carrier, Apple is the one that takes charge of providing and pushing system updates and no one else. Naturally, that means that as soon as Apple closes a security hole on its side, users could soon expect an update to happen, usually within days or weeks, not months. That is, of course, when Apple does act promptly. With a closed platform, you're never really sure about that.

The Solution

The status quo has so far worked, though with many bumps along the way, but it can no longer remain so. The number of vulnerabilities being discovered and used is growing at an alarming rate. Being able to respond fast and close up a hole is a major tenet of security. Sadly, that has never been the case for Android in general and things definitely have to change.

Nexus devices have it easy. They are to Google what iPhones are to Apple. Google controls the updates, at least mostly. Strangely, it was only yesterday that Google made available updated images for its supported Nexus devices despite having known of Stagefright since April. It turns out Google preferred to release the update in a bundle, together with all other security updates until July. To rectify that situation, Google promised monthly security updates for its Nexus devices. Well and good for them, but sadly, the majority of the Android world doesn't have Nexus devices.

Almost ironically, Samsung was one of the first major OEMs to speak publicly about the issue. "Ironic" because it has traditionally been seen as one of the slowest to roll out updates. Most of the time, those manufacturers with more vanilla versions of Android, like Motorola, are able to get updates out first. Samsung doesn't have a concrete plan yet, but it has at least started the ball rolling. It wants to have monthly security updates as well. It's a noble sentiment, but one that is still fraught with difficulties. As such, the OEM is talking with carriers on how to best expedite such updates. Again, nothing concrete yet. But as if on cue, AT&T has released updates for the most recent Samsung Galaxy smartphones to patch the Stagefright bug. Hopefully other OEMs and carriers are doing the same even if only silently.

Final thoughts

Android cannot exist in a walled garden and security through obscurity has long been considered a passé technique. Android needs to remain open but, as any open source community will tell you, that can sometimes lead to fragmentation. It can also lead to silos like this, where one party interacts with another with the bare minimum. Things, however, don't have to be that way.

It might be all talk and promises for now, but Samsung definitely has the right idea. Actually, in this case, talking is indeed the right first step. Google, OEMs, and carriers will need a concrete plan of action on how to address critical situations like this that need a faster response time. Setting a monthly release cadence for security updates could definitely help and could even force all parties to streamline their update processes for such scenarios. Though given custom skins and bloatware, we might be lucky to have bi-monthly updates.

Android may never be fully free of fragmentation, but that doesn't mean nothing can be done to alleviate the pain.