It was right here on the EC-MSP Blog just a couple of weeks ago that we discussed the breaking story of an Android bug that had been described as one of the ‘worst Android vulnerabilities discovered to date.’ The so-called ‘Stagefright’ bug stemmed from a coding weakness within the Stagefright media library of the operating system, and left an estimated 950 million devices in danger of being accessed or even Trojaned simply due to receiving an infected video file by MMS.
When we first discussed this worrying security issue, Google claimed to have already developed patches to combat the bug, but manufacturers had at that stage failed to provide these to users. Fortunately, this week, a raft of those manufacturers have stepped up and begun taking action to protect their millions of customers from the major vulnerability in their devices.
Samsung and LG have joined Google themselves in rolling out security fixes for users of their devices to nullify the ‘Stagefright’ danger. Those manufacturers have announced that a large number of their handsets will get the fix and that further monthly security updates will follow, whilst Google themselves are expected to roll out the fix to their entire Nexus line.
It is believed that other manufacturers such as HTC, Sony and Android One will soon follow the lead of Samsung and LG and issue security patches to their customers in what could be an unprecedentedly large software update. Adrian Ludwig, Android’s lead engineer for security, in fact believes that it could well represent ‘the single largest software update the world has ever seen.’ The sheer breadth of the update required is, therefore, one reason why it has seemingly taken so long for the issue to be adequately addressed, but there is another, more fundamental explanation too.
Why has the Fix been so Slow in Arriving?
Unlike companies such as Apple and Blackberry, who manufacture both the software and the hardware for their devices, Google develop Android and then make it available to other manufacturers to modify and utilise for their own handsets. What that means when it comes to security updates and patches is that an issue needs to be brought to Google’s attention, they need to develop the required fix and then provide it to manufacturers, and those manufacturers must then roll it out to users.
There is, therefore, at least one more step in that process for Android than in the update procedure for devices running other systems, and it is this which accounts for the apparent delays in the fix reaching the end user. That doesn’t necessarily make Android a lesser operating system, of course, but it does highlight the complexity of security issues inherent in all IT systems, as explained by Jack Parsons, editor of Android Magazine. Parsons has gone on record to state that ‘there’s no real villain here, that’s just how the system works, but there will always be security concerns with software, so it’s right that some of the manufacturers are stepping up to deal with this now.’
The news of the upcoming resolution of this issue will no doubt come as a welcome relief for any individual or business that relies on Android devices, but it also goes to show the importance of both vigilance when it comes to IT security and of reliable IT support.