Android’s latest version now has its own culinary sobriquet: Marshmallow. But the release of the operating system, announced in May and arriving this fall, doesn’t address one of the biggest issues facing Android — its security model.
Last month, a security researcher discovered a software bug, called Stagefright, that could potentially threaten millions of Android devices. Google acknowledged the bug and sent out a patch to manufacturers and carriers to fix it. Then last week, a different security firm found another vulnerability; this one was in Google’s patch. Google said it has since released a fix for that hole, which affects Nexus devices.
Still, both findings underscore the nagging headache Google has built with an OS so reliant on hardware partners, many of whom are struggling to maintain profits. And it shows that Google will continue to wrestle with the issues as Android moves onto other devices, like cars, wearables and home automation.
“The whole Android ecosystem is a mess,” said Aaron Portnoy, vice president of Exodus Intelligence, the firm that spotted the second hole.
The primary issue is that Google is not fully in control of its own destiny, with updates typically needing the okay of device makers and carriers before making their way to consumers, who also have to update their devices. Contrast that with Apple, which is largely able to push updates on its own.
The security issues facing Google are reminiscent of those that faced Windows back in the day. The operating system, dominant in the PC world, found itself increasingly the center of attacks. Adding to the issue was the fact that businesses were reluctant to update their servers and PCs without doing independent testing.
But at least they had the option to install updates as soon as Microsoft had them ready. Google, by contrast, releases patches that typically go to the phone maker. Phone makers, suffering from razor-thin margins and intense competition, are stretched thin to develop their next devices and test software updates for phones that have already been sold and for which they won’t be paid another dime.
That’s a problem for big, multinational OEMs such as Samsung and HTC. It’s potentially worse for the numerous smaller ones. Android is seeing most of its growth from local manufacturers that sell budget phones, often running on older versions. Stagefright, a vulnerability that would allow hackers to attack phones with a single text, highlights Google’s problem wrangling the multitude of companies making Android devices.
“Every day you look at it now, there’s a new vulnerability that’s been reported,” said Andrew Blaich, an analyst with Bluebox Security. “That shows there’s a very long tail that they have to move toward. It just takes time.”
Major software updates also go to the carriers, at least in the U.S., who then do their own testing. That means major releases take months to get approval, if they are made available at all.
And Android will soon have even more partners it must rely on for security, as the OS attempts to move into more connected devices. Cars, in particular, pose a similar problem — the industry has a range of slow-moving, often reluctant, hardware manufacturers, and it has shown a vulnerability to hacks.
“The coordination across them is going to become an issue,” Chris Wysopal, the CTO of Veracode, who dubbed the Stagefright bug “the Heartbleed for mobile,” said about Android’s automotive efforts. He added: “I worry about the same update problem.”
There is a growing recognition that security updates need a different approach. Google has committed to monthly updates, and hardware makers like Samsung and LG have said they will support that schedule. On August 5, Google said it will start pushing monthly updates specifically for security to Nexus devices, the ones that Google can fully control.
This article originally appeared on Recode.net.