I agree with pretty much everything written here, and I'd add another concern. The security FAQ (http://developer.android.com/resources/faq/security.html) does not describe how Google decides which versions of Android OS to patch. If someone reports a flaw tomorrow, will it be fixed in 1.6? 2.1? 2.3? 3.0? Does Google release fixes for anything other than the current (or next) major version? If so, where's the End Of Life schedule?
Last November flaws in 2.2 were reported, and Google's response was not merely that they wouldn't fix the then-current 2.2 release, but also that it was too late to be fixed in 2.3.0 (http://www.h-online.com/open/news/item/Android-vulnerability-permits-data-theft-1141200.html). I can understand why Google might prefer not to patch older releases -- it reduces development and QA costs to EOL an OS version the moment a new release comes out. But it would be (is??) terrible for end users. It doesn't do users of Motorola Devour phones (released a year ago) any good if Motorola won't upgrade past Android 1.6 and Google won't release fixes for 1.6.

Don't tell me the fix is in the new 2.3.x source tree -- handset vendors have embraced Android in part because of Google's implicit promise to offer a suitable OS. They shouldn't have to backport complex patches in the OS core.

One infosec-minded Twitter user at ShmooCon last week described the mobile malware situation as a "powderkeg," and if the fears that I and others have about Google abandoning old versions are correct, then he's absolutely right.

-Peter
