I’m an Apple guy, and have a love-hate relationship with their recent product strategy, and the tight control they keep over the ecosystem. The downside is that we’re stuck with some bad decisions (like building apps that expect to be online all the time), but the upside is that everyone gets access to updates at the same time – Apple has the most up-to-date user base of any major computing platform. Android, not so much.
Android took the opposite approach – open code base, licensed to manufacturers to customize, and then further customized by carriers. The advantage to that is lower cost and wider adoption, but it comes at a significant price for security. When Google releases a new version of Android, only their own devices immediately receive the patch. Everyone else has to wait for 1) the manufacturer to test, certify, and release the patch, and then 2) the carrier to do the same. That assumes of course, that both actually bother to do the work to make updates available. The net is that the vast majority of Android devices are running known-insecure versions of the OS.
I’m seeing a broad movement among businesses to tighten controls over mobile OS versions, and to apply the same policies to both corporate owned and BYOD devices: If you’re not N or N-1, you can’t use your device. That means that those old iPhone 4’s get retired too, by the way.
So what to do? Well, some would say ‘jailbreak’ and install your own code. There may be something to that, but you run into serious risks there too. Most jailbreaking tools are from the shady side of the internet, so you never really know what you get. Most companies block jailbroken devices from business use (all really should). It’s also technically beyond most users, so let’s leave that off the table.
The next option is to only purchase devices that get updates directly from Google. That limits choices significantly, but as a side benefit, you don’t get the pre-installed spyware that comes with many of the dirt cheap android phones – that’s how those companies subsidize the phone. Buyer beware. This is a hard choice for businesses because it largely erases one of the advantages of Android over iOS (cost), but it’s one I’m seeing a number of organizations do. For individuals who buy Android devices, it’s the one I’d recommend.
Next is to buy cheap devices, and simply dispose of them when the OS expires. That’s all well and good, but it’s expensive, time consuming, and you have a window of vulnerability during the transition. Of course, banning Android completely is an option too, and I do see some of that happening.
But the most common approach I see these days is some form of risk limiting via containerization, or other restrictions on what the devices are allowed to do. Containers can be bypassed (e.g. compromise the underlying device with a keylogger), but do provide reasonable protection for moderate risk content. Organizations should leverage their data classification projects to determine what information is suitable for mobile device access, and potentially change that based on how current the OS is.
I know this challenge is top of mind for Google’s Android team, and they’re starting to look at separating the Carrier bloatware layer from the underlying OS as well as other measures to speed up manufacturer release. I hope they succeed – we need an alternative to keep Apple on their toes. In parallel, consumers shouldn’t buy devices without clear statements of patch release timelines from vendors and carriers. Until all that happens, and we have a better option, Android users beware.