When the serious SSL vulnerability “Heartbleed” was announced, I was at lunch. By the time I got home from work, there was already a patch in the Debian repositories, and there was one in the Ubuntu repositories before I went to bed.
Both Debian and Ubuntu are Linux distributions, and they are installed on all sorts of different computers – from laptops to desktops to servers to the tiny Raspberry Pi – so the “oh, Android’s on lots of different hardware” argument seems a little thin to me.
Contrast that with the response to the “Stagefright” Android security hole. After it was announced at the end of July, it still took the big Android manufacturers a week to simply state that they were going to provide monthly security updates.
What they didn’t say was that the patches would roll out slowly, and only for selected models of phones. If you look at this list of patched phones, you’ll see that whether or not you’re patched has a lot to do with how new your phone is and who your carrier is. Have a Galaxy S3? I hope you’ve got Sprint as a carrier.
This, unfortunately, isn’t new. A vulnerability discovered in older versions of Android (and by old, I mean “the primary version in mid-2013”) simply will not get a patch.
Which is kind of crap. It’s leaving people who can’t afford to get a new phone every year or two (or simply don’t want to give up a perfectly good phone) in the dust.
And yet, my Ubuntu laptop, near the end of its support cycle, got a software patch for Heartbleed within 24 hours.
But this is not just a customer service issue. This is a national security issue. Take a listen to RadioLab’s story about Darkode. Realize that everything that applies there also applies to your smartphone.
Yes, I realize that our government (hello NSA!) thinks that there’s a benefit to having the code be closed. But just like ISPs and PC manufacturers realized it was less expensive to provide antivirus software to consumers, so must our defense industry realize that having the ability to quickly and easily stop exploits will be far less expensive than dealing with the fallout from huge mobile botnets.
We don’t have to abandon Android (or iOS with its Linux-style backend); we do have to make it so that these commercial providers have the same kind of security consciousness and responsiveness that free and open source software does.
It’s entirely possible there’s a real reason what I’m suggesting couldn’t happen. If so, please educate me.