Under Pressure, Google Promises To Update Android Security Regularly

7:33pm Aug 05, 2015
Both Google and Samsung are rolling out new processes to issue security updates for Android devices, like the Samsung Galaxy S6 and S6 Edge.
Jung Yeon-Je / AFP/Getty Images

This post was updated at 4:14 p.m. ET.

Google is making big promises to fix its Android operating system. The company recently came under sharp criticism after researchers found a major flaw in Android that would let hackers take over smartphones with just a text message.

Now Google tells NPR, and writes in a blog post, that it'll work with other phone makers to fix that bug. And, going one step further, Google is rolling out a brand new system to protect smartphones regularly, not just once in a while.

Adrian Ludwig, lead engineer for Android security, spoke Wednesday at Black Hat, a cybersecurity conference in Las Vegas. He covered a few topics, starting with the bug called Stagefright.

Last week researchers with Zimperium, a mobile security firm, said they'd discovered major flaws in the heart of the Android operating system (in a library called "libstagefright"). This bug would allow hackers to take over nearly 1 billion phones, just by sending an infected text message. To fix the problem, Zimperium says, smartphones need firmware updates that reconfigure the entire operating system. It's the software version of open heart surgery.

While Google agrees this bug is serious, the company disputes how widespread it is. Ludwig says that currently, 90 percent of Android devices have a technology called ASLR (address space layout randomization) enabled, which protects users from the issue.

Clearly there's a difference of opinion. Still, Google is agreeing that it needs to take decisive action. The company makes Nexus smartphones. Ludwig announced that Nexus owners will get patches starting this week.

He also spoke on behalf of other Android manufacturers. He's promising that this month, the most popular Android devices are getting the fix. The list includes:

— Samsung: Galaxy S6, Galaxy S6 Edge, Galaxy S5, Note 4, Note Edge;

— HTC: One M7, One M8, One M9;

— LG Electronics: G2, G3, G4; and

— Sony: Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact.

Also Wednesday, Samsung described a new Android update process that "fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month."

A New Industry Standard?

Ludwig made another announcement: Nexus devices will receive monthly updates that are "purely focused" on security to keep users safe. (The company states in its blog post that the devices "will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.")

"People have been looking for clear communication about Android from a security standpoint," Ludwig said. "It now exists. This is really a watershed moment for us as an industry."

For three years, Google has given Android manufacturers regular updates about flaws that need to be fixed. But whether they act on that information is not in Google's hands.

Nexus is. Granted, the brand is a much smaller share of the market than Samsung, but if Google keeps its promise and executes well, the company could be creating a new industry standard for smartphones — at least on the Android side. Apple, which controls both the hardware and software of its devices, regularly rolls out updates to its iOS that are quickly adopted by users.

Bryan Glancey, a security researcher with Optio Labs, used to work for Samsung. He says a coordinated system for Android security is long overdue.

"If you fix a problem on Apple, it goes to all Apple devices and you've done it one time. But if you want to fix a problem on Android, you've got to fix every variant," he said.

And to do that, Google must coordinate with many manufacturers. Glancey says by doing so, the company hopes to decrease the public perception that Android phones are less safe than iPhones.

It'll be interesting to see if other Android manufacturers and phone carriers, which are often a bottleneck to updates, follow Google's lead.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

MELISSA BLOCK, HOST:

Google is making good on its promise to fix a big problem in its Android operating system. Researchers had found a major flaw that would let hackers take over smartphones with just a text message. Now Google is rolling out a brand-new system to fix that bug and others that may pop up in the future. NPR's Aarti Shahani reports.

AARTI SHAHANI, BYLINE: Adrian Ludwig, lead engineer for Android security, is in Las Vegas today at Black Hat, a cyber-security conference. Android is the most popular operating system on earth for smartphones. In a presentation on stage, Ludwig compared it to the United States of America and his speech to the state of the union.

(SOUNDBITE OF ARCHIVED RECORDING)

ADRIAN LUDWIG: The union is a complicated one. There are over a billion users of Android devices. Thousands of them...

SHAHANI: Google makes Android. Many companies manufacture smartphones that run on Android, and carriers like Verizon and T-Mobile tweak those phones for their own apps.

(SOUNDBITE OF ARCHIVED RECORDING)

LUDWIG: It is perhaps unprecedented. Nearly every other platform is a closed platform in a way that Android has strived not to be.

SHAHANI: Being open and having all these layers of partnership can make it very hard to fix a problem. And in the world of software, there's always going to be a problem. Last Monday, researchers announced a major flaw that would let hackers take over Android phones via text message. Today, Ludwig made an announcement. Speaking on behalf of the Android union, he says, Google and other phone makers are rolling out what may be the largest software update the world has ever seen.

LUDWIG: Samsung, HTC, LG, Motorola - effectively every consumer name associated with mobile devices delivering updates.

SHAHANI: And going one step further, Google will begin conducting regular updates about once a month for its Nexus smartphones. Ludwig says the company is creating a new industry standard.

LUDWIG: People have been looking for clear communication about Android from a security standpoint. It now exists. And I think this is really a watershed moment for us as an industry.

SHAHANI: Bryan Glancey, a security researcher with Optio Labs, used to work for Samsung. He says a coordinated system for Android's security is long overdue. Consider this comparison.

BRYAN GLANCEY: If you fix a problem on Apple, it goes to all Apple devices, and you've done it one time, right? But if you want to fix a problem on Android, you've got to fix every variant of Android.

SHAHANI: And to do that, Google must coordinate with many manufacturers. Glancey says by doing so, the company hopes to decrease the public perception that Android phones are less safe than iPhones. Aarti Shahani, NPR News, Las Vegas. Transcript provided by NPR, Copyright NPR.
