13

Okay, I'll just begin with the question and then elaborate a bit below. It is:

Why has the world's dominant maker of non-Apple smartphone operating systems, Google, still not adopted a straight-to-the-user model of distributing security updates for Android, instead sticking with the current, obviously deeply flawed approach of relying on phone makers and wireless carriers to rapidly test, approve, and distribute them? How substantial would the technical obstacles really be in moving Android to the direct-update model if Google genuinely wanted to do it?


So, some additional not-good news came out yesterday regarding the fun Stagefright set of media player-component security bugs in Android. First, some newly-announced flaws in the same component appear to extend the scope of Android phones affected to virtually every one that's ever been made & sold. Second, there are apparently even more flaws in the same component that have been disclosed to Google and that are in the pipeline for public announcement soon, including some that will get a "critical" label. I'm not intimately familiar with the Android security scene, but this certainly seems like it's being held as the most important security event that Android has had to deal with so far.

Of course, the discovery of awful vulnerabilities, on any platform, always leads to the next question: "When is my device going to be patched?" Unfortunately, the way things work now with Android security updates--Google pushes them to hardware makers and carriers, who have to sign off on them and be willing to distribute the updates to users--the vast majority of the 1 billion+ Android users can expect only one of two answers:

--For the lucky ones: it will be months. (This report, also linked above, quotes an estimate that it usually takes somewhere from 9-18 months for patches to get from Google to wind their way through testing and various approvals to a user's phone. Now, one assumes that with Stagefright that will be hurried up to some degree, but still...)

--For the unlucky ones: never. (Some Android makers barely provide any post-sale update servicing at all for their phones. Others seem to have an unwritten support period limit of maybe a year, or perhaps two, after which the user is out in the cold.)

All of which raises the question: Why can't Google just do what companies who make operating systems for other computers do--PCs and servers--for example-- and bypass OEMs and service providers to deliver security updates straight to the user?

Now, obviously there are probably both technical aspects to this and business aspects to this. I'm thinking more along the lines of technical aspects (though I admit that sometimes the two are less easy to separate from each other than one might think). In what ways could going to a process of Google directly issuing security updates--but not necessarily directly shipping any updates that involved anything beyond fixing security vulnerabilities--cause problems with hardware and/or software compatibility that could be troublesome enough for users, phone makers, carriers, and Google itself that that factor could outweigh the value of getting these patches out much more quickly and far, far more widely than they are likely to under the present system? Or is it really a slam dunk in favor of Google going to direct distribution, as 99% of security news reporters & commentators seem to think?

mostlyinformed
  • 3
    Imho, your question is a bit broad (as the two questions are not directly related: 1. is it *technically* possible to update and 2. is it *economically* likely that Google will do that). Consider splitting it up and (and this is important) cut it down to 2 background paragraphs **max** for each question, in order to attract answers. – dst Oct 04 '15 at 00:41
  • And, incidentally, I am by no means an anti-Google partisan. I've used multiple Android devices as daily drivers in the past and might well have another in that role again very soon. The ecosystem that Google has built with Android is amazing in size and spread. I just find their philosophy on updates somewhat... questionable. – mostlyinformed Oct 04 '15 at 00:43
  • "*Why can't Google just do what companies who make operating systems for other computers do--PCs and servers--for example-- and bypass OEMs and service providers to deliver security updates straight to the user?*" won't work for China, where Google is blocked, btw. Also, not all vendors have a Google license, so they can't use Google services in an official way. Lastly, Google *does* provide security updates, but only to Nexus devices, their own products. – Andrew T. Nov 09 '15 at 04:17

4 Answers

36

The crux of the problem is that with only a few notable exceptions, every phone ships with a fork of Android, not with the software written by Google. So Google can't push changes to Samsung's phones any more than FreeBSD can push changes to Apple's Macbooks.

Android is Open Source, which is a bit unusual. This is the first time a major consumer operating system with this size of userbase (1.4 billion users and growing fast) has been an open source project rather than a centrally-controlled one. We're used to the idea of the creator of the OS being able to take responsibility for updating it. And as evidenced by this question, we somehow expect Google to be able to control Android the same way Microsoft controls Windows and Apple controls iOS.

But by allowing companies like Samsung and Sony and Motorola to ship their own modified version of Android, Google gives up that control in a way that they can't get it back. Samsung then takes over not only control of their own flavor of Android, but also responsibility for keeping it updated. And by allowing Verizon to fork Samsung's version, Samsung then sheds both control and responsibility now to Verizon.

Theoretically this all works; theoretically Verizon will be just as responsible and dependable as Google. Except when they're not.

So there's three possible solutions. Either:

  • Manufacturers could start taking more responsibility for their OSes. Since Samsung's Android belongs to Samsung, we get nowhere unless Samsung takes some initiative on keeping it updated. This may require some cooperation with companies like Verizon if Samsung has allowed them to fork the code as well. This is more or less the status quo, but with more wishful thinking.

  • Google could take back control of Android. By switching to a closed-source license, they could impose licensing restrictions like requiring companies like Samsung to push patches within a limited timeframe. Of course, if Google went this route, there'd be no end of shouts about how "evil" and "anti-consumer" they were being, despite the fact that they're literally the only major player that is Open Source to begin with. Politically this is probably a no-go.

  • Companies like Verizon and Samsung could voluntarily give control back to Google without being forced into it by a licensing agreement. This is the sort of utopia arrangement where companies decide to do the right thing out of their own free will. Until a few weeks ago, this was the least likely of the three. But since the Stagefright mess, several companies have pledged to do more or less exactly this.

So we'll see where it goes in the coming months and years.

tylerl
  • 1
    A much more comprehensive, sense-making explanation than anything else I've read. Thanks! I do wonder whether, as more and more vulnerability events keep happening (not a slap against Android; any OS that is used by 1 billion+ people is going to draw a lot of security researcher attention), the pressure on Google to do some version of the "take back control" option will become too much to resist. (Maybe do something like keep the base OS portions FOSS but make the Google Play ecosystem components & apps available only on phones running one uniform, Google-managed OS version.) We'll see. – mostlyinformed Oct 07 '15 at 21:42
  • 1
    Just a note: Samsung is probably the company that keeps the most up to date and is most responsible with updates for their phones. And I do notice a lot of cooperation between the companies and Google. For example Samsung developed the F2FS filesystem and it's not part of Linux (and thus Android). These companies regularly help with the development for either AOSP or Linux, or both. – forest Mar 12 '18 at 08:50
3

It was a big issue till very recently, but it is changing right now.

New Android versions (O and P) feature something called Project Treble.

From the linked page:

One thing we've consistently heard from our device-maker partners is that updating existing devices to a new version of Android is incredibly time consuming and costly.

With Android O, we've been working very closely with device makers and silicon manufacturers to take steps toward solving this problem, and we're excited to give you a sneak peek at Project Treble, the biggest change to the low-level system architecture of Android to date.

The general idea is to separate the vendor compatibility layer from the rest of the system. New Google updates to the system core are compatible with all phones supporting Treble, without any additional work from the vendor.

Frax
0

Recently Google put a lot of effort into redefining Android’s low-level system architecture in a way that separates critical system components from vendor-specific code: Project Treble was introduced in Android 8, and its main goal is to separate device-specific vendor implementation from Android OS Framework. This separation significantly simplifies the Android update process for device manufacturers, but most importantly, it allows Google to push security updates to all devices, regardless of vendor-specific changes.

Source: https://android-developers.googleblog.com/2017/05/here-comes-treble-modular-base-for.html

The biggest issue after implementing Project Mainline was the fact that all updates, including security ones, had to be pushed to the device directly by the device manufacturers, who, unfortunately, in some cases, deliberately did not provide those updates in order to force users to buy new devices. This problem was solved in Android 10 with Project Mainline. Long story short, Project Mainline highly modularizes the Android ecosystem and allows core modules to be updated with Google Play, thus making critical updates independent from device manufacturers’ release cycles.

Source: https://source.android.com/docs/core/architecture/modular-system

Securing
-1

Canonical and all other providers of forks of Linux actually make sure security updates are immediately available for laptop/desktop distros.

Therefore, it can only be lazy security and development practice by phone companies which aren't updating their forks of Android to be patched.

  • 2
    "it can only be lazy X" -- no. The context of a desktop OS and a phone OS is different because the abstraction layers for the hardware are different. – schroeder Mar 19 '20 at 14:31