Android Security – Culture vulture

Reply to this post

RFM AvatarSmall

 

 

 

 

 

Security issues highlight more pressing problems. 

  • Google is trying hard to fix the endemic security issues that continue to plague Android devices but unfortunately it is making almost no progress.
  • Since August 2015, Google has been releasing monthly security updates to address the security flaws but there are two big problems.
    • First. Any security patches that Google makes to Android only apply to its own Nexus devices.
    • These devices make up an insignificant proportion of the Android device population meaning that almost no-one receives the updates.
    • Second. The updates themselves have yet to address all of the known security issues in Android.
    • For example, despite monthly updates the mediaserver (finds and indexes media on the device) remains critically flawed.
    • Google is playing a horrible game of whack-a-mole with this component as every time it fixes one flaw, another pops up.
  • I have long believed that Google’s inability to effectively manage Android security and its updates is rooted in its history as a server company.
  • When Google wants to update its search algorithms it simply updates the code on the server and the job is done.
  • Because devices run their own software, they have to be individually updated and it this is very different to the way Google has operated for many years.
  • Consequently, it has taken Google a very long time to come to grips with this problem and I am far from convinced that the issue is close from being resolved.
  • To be effective, all Android devices need to receive these updates which brings in two more big problems.
    • First. Most Android devices are not updatable.
    • Android is a commoditised, brutally competitive market meaning that in the mid-range every cent of cost matters.
    • Making a device updateable means that extra resources have to be added to the device which are never reflected in the price.
    • Consequently, the vast majority of Android devices are not updateable to later versions of Android as there is no incentive for the device maker to add this capability.
    • Second. Google has no control over the update process for any of the devices that run its services.
    • It can update Google Mobile Services (GMS) from Google Play but lower level system updates (Android) are controlled by either the maker of the device or the mobile operator.
  • Consequently, I think that Google has to take control of Android because in its current state, it is very unsecure with no scope for improvement.
  • I continue to believe that this may happen in 2017 as Oracle has provided Google with the perfect excuse to do so (see here).
  • This would result in a series of proprietary ecosystems based on an Android kernel of which GMS, Cyanogen and MIUI would be three.
  • Google still has another good year ahead of it thanks to the underlying growth of Android users, but the medium term urgently requires for this problem to be fixed.
  • I prefer Samsung and Microsoft to Alphabet in the long-term, although the immediate term for Alphabet continues to look good with absolute user numbers still growing very nicely.

RICHARD WINDSOR

Richard is founder, owner of research company, Radio Free Mobile. He has 16 years of experience working in sell side equity research. During his 11 year tenure at Nomura Securities, he focused on the equity coverage of the Global Technology sector.