Slashdot Mirror


Wireless Carriers Put On Notice About Providing Regular Android Security Updates

msm1267 writes "Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices. The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. 'With Android, the situation is worse than a joke, it’s a crisis,' said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union. 'With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.'"

6 of 171 comments

  1. Stop screwing with it so much by redback · Score: 4, Insightful

    Handset manufacturers should stop screwing with it so much, if they used pure Android it wouldn't be so much work to get updates out.

    1. Re:Stop screwing with it so much by ColdWetDog · Score: 5, Insightful

      Like AT&T Maps; it's $10/month, the one time I used it was by accident because I confused it for Google Maps.

      No, it's not by accident. It's by design. A significant number of people won't be able to parse the difference between AT&T maps and Google Maps. So they'll just pay the dollars until they wise up. If indeed you do wise up, then you have to change their contract to opt out. Then the contract timer starts again.

      They get you coming or going.

      Brilliant strategy.

      --
      Faster! Faster! Faster would be better!
    2. Re:Stop screwing with it so much by Frojack123 · Score: 5, Insightful

      I agree, to a certain extent.

      But I also maintain that this is strictly Google's fault (The Open Handset Alliance).

      They took an operating system, Linux, which has long had the ability to put hardware drivers in dynamically loadable modules and built Android, where they compiled everything into the kernel in one huge binary blob. This is a huge retrograde step in OS design. The kernel should be replaceable without having to replace the driver for every radio, screen, sound chip.

      After all, the radio didn't gain any new functionality between Android releases. The same carrier specific radio "rom" the phone was shipped with should suffice. Just call it dynamically rather than compile it into the kernel. Let us get our kernel updates directly from Google, or the handset manufacturer, and any carrier specific updates from the carrier.

      This is a packaging error.

      --
      F. Robert Jack
    3. Re:Stop screwing with it so much by tlhIngan · Score: 4, Informative

      Tell that to my Galaxy Nexus that's still running 4.1.1. So much for the idea that Nexus devices are on the cutting edge. They're abandoned as fast as any other phone.

      Only the Verizon Nexuses are "abandoned". If you got the HSPA ones, you should be at 4.2.x already.

      If you're not, perhaps it's because you bought it from a carrier and have the default carrier firmware stuck to them with carrier firmware updates. In which case you need to go to Google, download the latest factory images and install them on your GNex. This will get updates as fast as Google pushes them out (the carrier ones actually have an update URL pointing somewhere else, while the Google ones point to Google).

      An interesting note - when I did this, battery life shot up dramatically. The carrier GNex firmware isn't all that great.

  2. Re:Java by supersat · Score: 4, Informative

    No. Even if it did, it doesn't matter because Android does NOT rely on Java for isolation or security. Each application runs as a separate Linux user, and the kernel enforces isolation between apps this way.

    Because apps are isolated in this way, they can include native code.
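
The per-app Linux user model described in the comment above can be checked from a process listing. The following is an added example, not part of the original thread: it decodes the `uN_aM` account names that `ps` shows on multi-user Android builds into numeric UIDs and reports packages that share one UID, since the kernel does not isolate those from each other. The UID constants are the ones in AOSP's `android_filesystem_config.h`; the process listing and package names are constructed sample data, and treating the process name as the package name is an assumption.

```python
from collections import defaultdict

# UID layout from AOSP's android_filesystem_config.h
AID_APP_START = 10000      # first UID handed to an installed app
AID_APP_END = 19999        # last UID in the per-app range
AID_USER_OFFSET = 100000   # UID stride between device users

# Constructed sample listing (USER, PID, NAME); not captured from a real device.
SAMPLE_PS = """\
USER     PID   NAME
root     1     /init
system   412   system_server
u0_a12   1201  com.example.mail
u0_a57   1388  com.example.notes
u0_a57   1402  com.example.notes.sync
u0_a57   1410  com.example.notes:remote
u10_a12  2011  com.example.mail
"""

def parse_user(name):
    """Map a ps USER column such as 'u0_a57' to its numeric Linux UID.
    Returns None for non-app accounts (root, system, radio, ...)."""
    if not name.startswith("u") or "_a" not in name:
        return None
    user, _, app = name[1:].partition("_a")
    if not (user.isdigit() and app.isdigit()):
        return None
    app_uid = AID_APP_START + int(app)
    if app_uid > AID_APP_END:
        return None
    return int(user) * AID_USER_OFFSET + app_uid

def shared_uids(ps_lines):
    """Return {uid: [packages]} for app UIDs used by more than one package.
    Assumes the process name before any ':' suffix is the package name."""
    groups = defaultdict(set)
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        uid = parse_user(fields[0])
        if uid is not None:
            groups[uid].add(fields[-1].split(":")[0])
    return {uid: sorted(pkgs) for uid, pkgs in groups.items() if len(pkgs) > 1}

if __name__ == "__main__":
    for uid, pkgs in shared_uids(SAMPLE_PS.splitlines()).items():
        print(f"uid {uid} is shared by: {', '.join(pkgs)}")
```
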

  3. Re:Keep it Android! by AmiMoJo · Score: 4, Informative

    The real problem is that customers in the US get completely and utterly screwed by the carriers. Really, you guys take it hard in the arse and pay through the nose for the privilege.

    In the UK you can get a phone on contract from a third party. You get the same contract deal as you would going directly to the carrier, although often for £5/month less. The phone is unlocked and unbranded, you get updates directly from the manufacturer and no pre-installed carrier crapware. There are some good deals on offer too, for example 3 do a really unlimited data plan. A friend of mine runs Android uTorrent on it.

    Regulation has delivered this for us. It is really easy to switch provider and take your number with you. Contract terms are heavily regulated to make sure they are fair and reasonable. It isn't perfect by a long way but it saves us from the rip-off hell that the US mobile market suffers from.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC