A report this week that Google is compiling a list ranking Android handset makers by how quickly they apply updates to their devices has focused attention on the challenges the company faces in bolstering security across the fragmented Android ecosystem.
Bloomberg on May 25 reported that Google is developing a ranking system designed to shame Android phone makers into applying security patches and other updates more quickly. The company apparently has already compiled a list that ranks handset makers by how up to date their devices are in terms of security patches and Android operating system versions.
Google has released that list to partners and plans on releasing it publicly. Vendors that in Google’s opinion are not moving fast enough will be omitted from the list in an apparent bid to shame them, Bloomberg said, quoting sources close to the company’s plans.
Google did not respond to a request seeking more information on the reported plan or even if such a thing is in the works.
Getting Android handset makers and carriers to deploy security patches and operating system updates faster has become a critically important issue for Google. Unlike Apple, which has tight control over the iOS ecosystem, Google has little say in how and when carriers and the numerous third-party manufacturers that make Android phones and tablets apply security patches and other updates to their devices.
Google only has direct control over its Nexus line of Android devices. With all other Android devices, it is up to either the manufacturer or the carrier to install patches and updates. Each one has its own schedule—or in the case of some smaller manufacturers, none at all. As a result, patches and operating system updates that Google pushes out can take several months and often well over a year to get deployed across the Android ecosystem.
For instance, more than seven months after Google rolled out Android Marshmallow, the latest version of its operating system, barely 7.5 percent of Android devices have it, according to Google. Nearly two-thirds of all Android devices currently run versions of the operating system that are between one and two generations old.
Industry analysts believe that a large proportion of Android devices are vulnerable to known security threats either because they don’t have the requisite patches or are running outdated versions of the operating system. Concerns over the issue have heightened considerably following last year’s disclosure of several critical vulnerabilities in Android’s Stagefright media library that affected nearly 1 billion devices.
The disclosure prompted Google to move to a monthly security patch release schedule. The company has since been trying to get phone makers and carriers to do the same with little success.
Gartner analyst Mark Hung believes that in order for real change to happen, Google will need to put pressure not just on handset makers but on carriers as well. A lot of what’s going on in the Android ecosystem with regard to patching and OS updates has got to do with the carriers, Hung said.
Whenever security patches are released, carriers want to run them through a comprehensive suite of interoperability tests to ensure the patches don’t disrupt services or cause other problems for customers, Hung said. Patches can spend a long time going through such testing, and it can be months before they finally get deployed, he said.
Some of the larger Android handset makers have been able to get patches out to unlocked devices relatively fast, but their hands have been tied with regard to devices distributed through carriers, Hung said.
What’s going on in the Android ecosystem is an interesting example of the law of unintended consequences, said Charles King, principal analyst at Pund-IT. “Google rightly developed a strategy for interacting with smartphone and other device makers that emphasized flexibility, collaboration and self-management, a process that resulted in Android becoming, by far, the most widely deployed and used mobile OS worldwide,” he said. The problem is there’s little standardization or balance within the ecosystem.
It’s too soon to say whether a Google attempt to shame manufacturers to move faster will work or not, he said. “How effective it will be depends on how consumers react,” King said. Given the increasing number of mobile security threats and the innovative new features that Google is planning in new OS versions, the pressure will ratchet up on slowpoke vendors, he said. “Not to be glib, but one person’s shame often equals another one’s praise.”