I agree with nearly everything written here, and I'd add another concern. The security FAQ (http://developer.android.com/resources/faq/security.html) doesn't describe how Google decides which versions of Android OS to patch. If someone reports a flaw tomorrow, will it be fixed in 1.6? 2.1? 2.3? 3.0? Does Google release fixes for anything other than the current (or next) major version? If so, where's the End Of Life schedule?
Last November flaws in 2.2 were reported and Google's response was not merely that they would not fix the then-current 2.2 release, but also that it was too late to be fixed in 2.3.0 (http://www.h-online.com/open/news/item/Android-vulnerability-permits-data-theft-1141200.html). I can understand why Google might prefer not to patch older releases -- it reduces development and QA costs to orphan an OS version the moment a new release comes out. But it would be (is??) terrible for end users.

One infosec-minded Twitter user at ShmooCon last week described the mobile malware situation as a "powderkeg," and if my fears about Google abandoning old versions of Android are correct, then he's absolutely right.

Here's a nice Metasploit blog post about that data theft problem that I just stumbled on, in which the author opines that "If the situation is not resolved, I fear the Android device pool could become a seething cesspool of malicious code... "
http://blog.metasploit.com/2011/01/mobile-device-security-and-android-file.html

Exactly.

-Peter

On Jan 13, 10:24 pm, R_NZ <[email protected]> wrote:
> I love my Android phone, but one of my concerns about the Android
> platform is the lack of a clear end-to-end process for distribution of
> security patches and bugfixes.
> At present this seems to be a haphazard and unreliable process.
> If Google can't build their own update service, then can they at least
> require those OEMs that are certified 'With Google' to disseminate
> critical patches and fixes with a minimum period after the fix has
> been released?
> In practice it looks like no-one has cared about it since day one.
