Android vulnerability patch time lag causes malware opportunity

One of the blessings of Open Source initiatives is the speed with which coders can release quality collaborative code. This is one of the ways Android managed to claw its way into the smartphone mainstream after arriving late to the game. But as the app ecosystem matures, vulnerability and patch management becomes more of an issue, due to the sheer volume of apps that become available for the platform. Add to this the myriad of differing approaches hardware and software companies take toward keeping on top of vulnerabilities and patches, and you have a recipe for scammers to sneak in and exploit systems during the interim.

Once Google releases an Android patch, it is up to the various hardware and software vendors to adopt it and push it out to their devices. This takes time. And once an update is available to users, there is a further delay before they get around to running the update tool. During this window, malware like the Trojan DroidDream managed to compromise around 250,000 devices, no trivial exploit.

Some, like Timothy Vidas, a doctoral researcher at Carnegie Mellon University, say “the fundamental problem is that there are too many cooks in the kitchen”, a sentiment echoed by others in the community. There is a long supply chain from the original Android code to the users’ devices, and some wonder whether it can be shortened. Google’s original code is widely considered to be of high quality, but exploits evolve and the code must evolve to match, so there is still a time lag.

Apple has taken a more aggressive stance with the iPhone, vetting applications before they are allowed into the App Store. But with the sheer number of apps available for Android, along with the Open Source development environment, there are more people involved and less end-to-end control over the supply chain.

In the PC world, third-party vendors have long offered patch-management software, but we have not seen many of them in the Android ecosystem yet. In an enterprise environment, timely patch management becomes a requirement, and that is one aspect which will need to be addressed before widespread enterprise adoption. It may also help to release smaller patches more quickly.
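The enterprise patch-management gap described above is, at bottom, a measurement problem: how long each device in a fleet has been exposed since Google shipped a fix, and which vendor in the supply chain the delay sits with. The following script is an added example, not code from the article or from ESET; the vendor names, device IDs, patch-level dates and the 30-day SLA are all constructed for illustration, and it assumes an inventory that records each device's installed security patch level as a date.

```python
"""Patch-lag report for a (constructed) Android fleet.

For each device we compare the date of the newest patch it has installed
against the date Google released a given fix. Devices still below that
date are exposed; devices above it were exposed from the fix date until
their patch level. Aggregating by vendor shows where in the supply chain
the lag accumulates.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean

SLA_DAYS = 30  # hypothetical enterprise policy: a fix must land within 30 days


@dataclass(frozen=True)
class Device:
    device_id: str
    vendor: str
    model: str
    patch_level: date  # date of the newest security patch installed on the device


# Constructed sample data (hypothetical): a fix released upstream on 1 March,
# a report date of 15 April, and a five-device fleet across three vendors.
FIX_RELEASED = date(2011, 3, 1)
AS_OF = date(2011, 4, 15)
INVENTORY = [
    Device("d1", "Vendor A", "Model X", date(2011, 3, 10)),   # patched after 9 days
    Device("d2", "Vendor A", "Model Y", date(2011, 2, 1)),    # never received the fix
    Device("d3", "Vendor B", "Model Z", date(2011, 4, 1)),    # patched, but 31 days late
    Device("d4", "Vendor B", "Model Z", date(2010, 12, 15)),  # never received the fix
    Device("d5", "Vendor C", "Model W", date(2011, 3, 1)),    # patched on release day
]


def is_exposed(device: Device, fix_released: date) -> bool:
    """True while the device's patch level predates the fix."""
    return device.patch_level < fix_released


def exposure_days(device: Device, fix_released: date, as_of: date) -> int:
    """Days between the fix shipping and the device receiving it.

    For a device that is still exposed the window is open-ended, so we
    measure up to the report date.
    """
    end = as_of if is_exposed(device, fix_released) else device.patch_level
    return (end - fix_released).days


def still_exposed(inventory, fix_released: date) -> list:
    """IDs of devices that have not received the fix at all."""
    return [d.device_id for d in inventory if is_exposed(d, fix_released)]


def sla_breaches(inventory, fix_released: date, as_of: date, sla_days: int = SLA_DAYS) -> list:
    """IDs of devices whose exposure window exceeded the SLA, patched or not."""
    return [d.device_id for d in inventory
            if exposure_days(d, fix_released, as_of) > sla_days]


def lag_by_vendor(inventory, fix_released: date, as_of: date) -> dict:
    """Per-vendor device count, number still exposed and mean exposure in days."""
    summary = {}
    for vendor in sorted({d.vendor for d in inventory}):
        devices = [d for d in inventory if d.vendor == vendor]
        lags = [exposure_days(d, fix_released, as_of) for d in devices]
        summary[vendor] = {
            "devices": len(devices),
            "exposed": sum(is_exposed(d, fix_released) for d in devices),
            "mean_lag": mean(lags),
        }
    return summary


def report(inventory, fix_released: date, as_of: date) -> str:
    """Human-readable summary of the fleet's patch lag."""
    lines = [f"Fix released {fix_released}, report as of {as_of}"]
    for vendor, s in lag_by_vendor(inventory, fix_released, as_of).items():
        lines.append(f"{vendor}: {s['devices']} devices, {s['exposed']} still exposed, "
                     f"mean lag {s['mean_lag']:.1f} days")
    lines.append(f"SLA ({SLA_DAYS} days) breached by: "
                 f"{', '.join(sla_breaches(inventory, fix_released, as_of)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, FIX_RELEASED, AS_OF))
```

The distinction between `still_exposed` and `sla_breaches` matters in practice: a device that eventually got the fix but only after the SLA window still counts against the vendor's track record, which is the information you need when deciding which hardware to standardise on.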

Android will continue to make inroads into the enterprise ecosystem, and vendors will continue to create apps to manage security for the platform. The devices have had a stellar rise in consumer adoption and seem to be continuing strongly, but there are still a few pieces missing from supply chain management before enterprises will be eager to jump on the bandwagon.

Author: Cameron Camp, ESET

Copyright © 2014 ESET, All Rights Reserved.