Google might resort to embarrassing phone makers that are late to update its Android mobile operating system.
Google has drafted a list that ranks its manufacturing partners by how up-to-date the operating system and security patches are on their smartphones, reported Bloomberg. Google shared the list with its Android partners earlier this year, and has considered publicly releasing it to "shame tardy vendors through omission from the list," wrote Bloomberg.
The list, in part, is Google's response to an inquiry by the Federal Trade Commission (FTC) and Federal Communications Commission (FCC) into how Google, Apple, and other software developers, manufacturers, and wireless carriers address security vulnerabilities. In announcing the investigation, the federal regulators referenced concerns about the way that a security flaw in Android's Stagefright multimedia playback engine was resolved. Yet, this "shame" list also highlights Google's commitment to improving the security of Android in an attempt to prevent hacks and to stay competitive with Apple.
Ever since Google launched Android in 2007, it has found it difficult to persuade manufacturers to keep the open-source software up-to-date. Security professionals have been critical of Google because of this, wrote The Christian Science Monitor’s Joe Uchill.
When bugs affect Android versions that Google still supports, the company writes a patch, sends it to phone manufacturers, and counts on companies such as Samsung or Motorola to update their customers' phones. But many manufacturers do not treat updates with urgency. If a bug affects a version of Android that Google no longer supports, phone manufacturers can develop patches on their own, but few ever do.
Google attempted to lead by example, accelerating its process for developing security updates, technology workarounds, and reducing its phone testing requirements, reported Bloomberg. Then the Stagefright bug happened.
The flaw in Google's Android mobile operating system allowed attackers to take control of someone's device through text message. An attacker could gain control over Bluetooth, video, audio, and the microphone – enough to turn a phone into a spycam, and on many phones, the attacker could gain complete control of the device. With more than 1 billion Android users, Google adopted a more forceful approach.
It drafted the list, rewarding Android partners whose handsets are most up-to-date, while excluding ones who aren't. And this isn't the first time Google has embarrassed its Android partners.
A team of hackers from Google found 11 security flaws in the Samsung Galaxy S6 Edge that allowed them to "access a phone user's contacts, photos, and other data without the user’s permission; get access to private data just by sending the phone user a text message or email; and for apps that are supposed to have access to only some of a user’s email functions (like forwarding a link to a friend) to access all email functions (like forwarding all of your emails to the app maker)," wrote the Monitor’s Lonnie Shekhtman.
All but three of the 11 flaws were fixed.
Aside from the federal investigation, there might be another reason Google wants to make sure all its Android partners keep the operating system up-to-date: Apple does. Unlike Android, Apple's iOS software is not an open-source program, so Apple can push an update to all its devices. Eighty-four percent of Apple devices are up-to-date; 7.5 percent of Android phones are up-to-date, according to Yahoo. And Google doesn't want to lose any ground to its Silicon Valley rival.