Under Pressure, Google Promises To Update Android Security Regularly

August 5, 2015

Google is making big promises to fix its Android operating system. The company recently came under sharp criticism after researchers found a major flaw in Android that would let hackers take over smartphones with just a text message.

Now, Google tells NPR and writes in a blog post, it’ll work with other phone makers to fix that bug. And, going one step further, Google is rolling out a brand new system to protect smartphones regularly — not just once in a while.

Adrian Ludwig, lead engineer for Android security, is speaking Wednesday at Black Hat, a cybersecurity conference in Las Vegas. He’s covering a few topics, starting with the bug called Stagefright.

Last week researchers with Zimperium, a mobile security firm, said they’d discovered major flaws in the heart of the Android operating system (in a library called “libstagefright”). This bug would allow hackers to take over nearly 1 billion phones, just by sending an infected text message. To fix the problem, Zimperium says, smartphones need firmware updates that reconfigure the entire operating system. It’s the software version of open-heart surgery.

While Google agrees this bug is serious, the company disputes how widespread it is. Ludwig says that currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue.

Clearly there’s a difference of opinion. Still, Google is agreeing that it needs to take decisive action. The company makes Nexus smartphones. Ludwig is expected to announce that Nexus owners will get patches starting this morning.

He’ll also speak on behalf of other Android manufacturers. He’s promising that this month, the most popular Android devices are getting the fix. The list includes:

— Samsung: Galaxy S6, Galaxy S6 Edge, Galaxy S5, Note 4, Note Edge;

— HTC: One M7, One M8, One M9;

— LG Electronics: G2, G3, G4; and

— Sony: Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact.

Also Wednesday, Samsung described a new Android update process that “fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.”

A New Industry Standard?

Ludwig is making another announcement: Starting Wednesday, Nexus devices will receive monthly updates that are “purely focused” on security to keep users safe. (The company states in its blog post that the devices “will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.”)

For three years, Google has given Android manufacturers regular updates about flaws that need to be fixed. But whether they act on that information is not in Google’s hands.

Nexus is. Granted, the brand is a much smaller share of the market than Samsung, but if Google keeps its promise and executes well, the company could be creating a new industry standard for smartphones — at least on the Android side. Apple, which controls both the hardware and software of its devices, regularly rolls out updates to its iOS that are quickly adopted by users.

Experts say a higher standard is long overdue. Consumers pay up to several hundred dollars for a phone and store their most sensitive financial and personal data on it.

It’ll be interesting to see if other Android manufacturers and phone carriers, which are often a bottleneck to updates, follow Google’s lead.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.