An Android presentation just after Mandt’s asserted that the one-two punch of Android fragmentation has placed Android users at risk of missing out on important security updates. That’s not going to be fixed anytime soon, they said.
The issue, argued Jon Oberheide of Duo Security and Northeastern University security researcher Collin Mulliner, lies in how Android devices receive — or more precisely, don’t receive — their updates.
“The Chrome guys will deliver an update within 24 hours. On Android, it can take months and years,” said Oberheide. “Your carrier doesn’t have a lot of incentive to fix your ancient HTC Evo. They want you to buy the latest and greatest device.”
So, the pair said, even when Google patches Android security flaws, the handset manufacturer and the carrier effectively stop patches from reaching the people who need them.
Android security apps can’t be relied on, Mulliner said, because they’re fighting Android malware — something that he said just isn’t a big problem in most regions.
“None of the big antivirus or security companies are doing a really good job because they’re all concerned with stopping malware,” he said.