Ask any IT-security pundit: what is the most important thing we as users can do to ensure our safety while traversing the Internet? Together now… “Keep software up to date.”

I have asked, and most people agree. I’d even say we’ve drunk the Kool-Aid, actively updating software when needed. Why, then, are devices running Android not up to date (chart, courtesy of Android Developers)?

Over 50 percent of Android phones are two major revisions behind. To get an idea of how many that is, Google predicts the number of Android activations will reach one billion by November 2013. (chart, courtesy of Asymco).

That means over 500,000,000 phones running Android will not be up to date.

Finger pointing

Opinions as to why Android is so far behind are abundant, and borderline accusatory. The latest bout erupted this summer. Randall Stephenson, AT&T’s CEO, started the fray by blaming Google. Seth Weintraub captured Stephenson’s comments from this video, specifically his answer to an audience member who asked why phones are slow to get the latest versions of Android. Stephenson’s response:

Google determines what platform gets the newest releases and when. A lot of times, that’s a negotiated arrangement, and that’s something we work at hard. We know that’s important to our customers. That’s kind of an ambiguous answer because I can’t give you a direct answer in this setting.

In the same blog post, Weintraub included Google’s response:

Mr. Stephenson’s carefully worded quote caught our attention and frankly we don’t understand what he is referring to. Google does not have any agreements in place that require a negotiation before a handset launches.

Google has always made the latest release of Android available as open source as soon as the first device based on it has launched. This way we know the software runs error-free on hardware that has been accepted and approved by manufacturers, operators and regulatory agencies such as the FCC. We then release it to the world.

Up next is Paul Lilly, whose post for ExtremeTech is titled “Is there anything Google can do to solve the problem of slow Android updates?” Lilly wades through several potential reasons why updates aren’t happening, but concludes:

There aren’t any winners when playing the blame game, and if Google’s going to solve the problem, it has to figure out if a solution even exists, and whether or not it cares to implement it.

Further in the post, Lilly suggests a possible solution that was mentioned in an earlier ExtremeTech post: charge users for Android updates. Their logic is that it should motivate the OEMs and mobile carriers to roll out updates. What do you think? Does the idea have a chance? Lilly mentioned something else that’s worth noting:

Apple doesn’t have this problem because it builds its own hardware, and neither does Microsoft, which requires Windows Phone makers to follow a specific hardware blueprint.

So there we have it: millions of Android-based phones in service, half of them running an outdated operating system, and no remedy in sight.

Selective updating?

A recent situation provided evidence that updating Android OSs in a reasonable timeframe is possible. I must say I was surprised. What are these historic circumstances?

It started with Ravishankar Borgaonkar, a security researcher at the Technical University of Berlin, discovering a new Android vulnerability with the potential to cause financial pain; more on this later. In hindsight, his presentation, “Dirty use of USSD Codes in Cellular Networks,” set the gears of change turning. I contacted Ravi and asked him to explain:

“I discovered a vulnerability that allows an attacker to execute USSD codes automatically without any user permission/interaction. This happens due to:

  • The Android dialer fails to differentiate between a phone number and a USSD code.
  • Important USSD codes can be executed without the need to press the green dial button.”

According to Ravi, the affected Android versions are 2.3.x (and potentially earlier versions too), 3.x (Honeycomb), 4.0.x (Ice Cream Sandwich) and 4.1.x (Jelly Bean). He also said that all Android devices running those versions are affected.
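To make Ravi’s two bullet points concrete, here is an added example (my own, not code from the article, from Google or from Samsung) of the input check a dialer is missing when it has this bug: classify whatever it is handed as either a plain phone number or a USSD/MMI code, and never execute the latter when it arrived from an untrusted source such as a link handed to the dialer by another app or web page. The tel: URI delivery path, the simplified MMI grammar (a loose reading of 3GPP TS 22.030) and the policy names are assumptions of this example; *#06# is the standard, harmless IMEI-display code and is used only as a test value.

```python
"""
Added example, not code from the article, Google or Samsung.

The bug described above: the dialer treated a USSD/MMI code as if it were an
ordinary phone number and executed it immediately. The check below separates
the two classes so that an untrusted caller can, at most, pre-fill the dial
field and the user still has to press the button.

Assumptions of this example: input may arrive as a tel: URI; the MMI/USSD
grammar is a simplified reading of 3GPP TS 22.030.
"""
import re
from urllib.parse import unquote

# Characters a human might type, or a contacts app might add, around digits.
_FORMATTING = re.compile(r"[\s().\-]")

# Plain dialable number: optional '+', then digits only, never '*' or '#'.
_PHONE_NUMBER = re.compile(r"^\+?\d{1,20}$")

# Simplified MMI/USSD shape (assumption based on 3GPP TS 22.030):
# one or more '*'/'#' as prefix, then digits/'*'/'#', terminated by '#'.
# Matches supplementary-service codes such as *#06# or *21*<number># and
# USSD strings such as *100#.
_MMI_USSD = re.compile(r"^[*#]+[0-9*#]*#$")


def normalise_dial_string(raw: str) -> str:
    """Reduce a tel: URI or user-typed string to the bare characters the
    dialer would act on. Percent-decoding first matters: '#' is reserved in
    URIs, so a code arrives as %23 and a naive search for '#' misses it."""
    s = raw.strip()
    if s.lower().startswith("tel:"):
        s = unquote(s[4:])
    return _FORMATTING.sub("", s)


def classify_dial_string(raw: str) -> str:
    """Return 'number', 'ussd_mmi' or 'invalid' for the given input."""
    s = normalise_dial_string(raw)
    if _PHONE_NUMBER.match(s):
        return "number"
    if _MMI_USSD.match(s):
        return "ussd_mmi"
    return "invalid"


def dialer_action(raw: str, from_trusted_ui: bool) -> str:
    """Policy a hardened dialer could apply (names are this example's own).

    from_trusted_ui=True  : the user typed the string into the dialer.
    from_trusted_ui=False : the string came from outside (tel: link, intent
                            from another app) and must not run as USSD/MMI.
    """
    kind = classify_dial_string(raw)
    if kind == "invalid":
        return "reject"
    if kind == "number":
        return "prefill"          # user still presses the green button
    # USSD/MMI: execute only when the user typed it themselves; otherwise
    # show it in the dial field and wait for an explicit confirmation.
    return "execute" if from_trusted_ui else "prefill_only"


if __name__ == "__main__":
    # Constructed sample inputs: a normal number, the IMEI-display code
    # hidden behind percent-encoding, a call-forwarding MMI code, and junk.
    for sample in ("tel:+1 (555) 010-1234", "tel:*%2306%23",
                   "*21*15550101234#", "hello"):
        print(f"{sample!r:28} -> {classify_dial_string(sample):9} "
              f"untrusted: {dialer_action(sample, from_trusted_ui=False)}")
```

The decode-before-classify order is the practitioner detail here: a check that only looks for a literal `#` in the raw link is defeated by `%23`, and a check that only looks at the dial field after the user pressed a button never runs when the dialer executes on receipt.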

Paul Ducklin wrote an excellent blog post for Sophos Naked Security on how the exploit works: “Are Android phones facing a remote-wipe hacking pandemic?” He also mentioned that Dylan Reeve created a website that lets you check whether your phone is vulnerable.

There seems to be some confusion about what an attacker can actually do with this vulnerability. The two most serious consequences I’ve read about are:

  • Killing the SIM card permanently.
  • Resetting the phone to factory condition.

I hope you’ll forgive me, but that’s as far as I want to go on the exploit. Others more knowledgeable, like Paul, have already provided the details. Besides, I have something else on my mind.

I’ve had three Android phones now. Why? It was the only way for me to get the latest version of Android — without jail-breaking. When I purchased the new SIII (version 4.0), my beloved Infuse was still on version 2.3. Why, I don’t know.

I tested each phone for Ravi’s exploit, and both were vulnerable — no surprise. The surprise came later that day; tech media outlets were mentioning Samsung already had a fix available and AT&T (my provider) had it ready to download. Right. I have to see this.

Sure enough, there was an 80-plus MB over-the-air download waiting.

Quick note: unknown to me, my security app, Lookout, shut down after the update installed and the mandatory restart. The only way I found out was an email from Lookout asking why I had disabled their app. I quickly re-entered my login info and Lookout was back up. I have mentioned this to the folks at Lookout, and they are looking into it.

If it’s that easy

I struggled for a few days, trying to understand the rationale behind when and how Android devices get updated. I decided to ask William Francis, my Android investigative partner and fellow TechRepublic writer, for his thoughts about the speedy update. Here’s what he had to say:

I think the fact that this patch got to users so quickly points out the shortcomings of the Android software distribution model. Ultimately, it is the phone manufacturers who run the show. And they are motivated solely by the prospect of selling more devices.

When Google comes out with a security patch, it is easy and advantageous for a phone manufacturer to say “it wasn’t our fault”. But hey, if you want to get the latest version of Android, why not just buy our latest phone? In this case, the issue was not only on the latest phone, but also all the blame was Samsung’s.

If they did not push out a fix fast, they would be liable to refund customer purchases, or allow them to select a new model phone that did not have this issue. Interestingly enough, I believe the carrier has to sign off on the update too. It goes to show that the phone manufacturers have way more pull with the carriers than Google, the creators of the operating system itself. But again, it is all about the bottom line, and money is directly exchanged between the carrier and the manufacturer, while this is not the case with Google and the carrier, at least to my knowledge.

Final thoughts

Smartphone sales eclipsed PC sales in 2011. If I know that, the bad guys surely know it as well. Using history as a guide, it’s easy to see where they’re going to focus their effort. If “must keep software up to date” is true, we had better make it so.

I’d like to thank Ravi Borgaonkar for making sure we were aware of this. And others like Dylan Reeve and Paul Ducklin for helping to get the word out.