Quick Links
Here's a dirty secret: Most Android devices never receive security updates. Ninety-five percent of Android devices can now be compromised via an MMS message, and that's just the most high-profile bug. Google has no way to apply security patches to these devices, and manufacturers and carriers just don't care.
The Android ecosystem is becoming a toxic hellscape of unpatched devices riddled with security holes. For comparison, when Apple's iOS has a security hole, Apple can just update all supported iPhones with a new version. Even Windows phones are better than Android here.
Android Phones Aren't Guaranteed to Get Security Updates
The recent Stagefright MMS bug gives us a good case study, demonstrating what happens when someone discovers a security hole in Android. Google creates patches and applies them to the main Android open source project code. Google then sends these patches out to hardware manufacturers -- Samsung, HTC, Sony, LG, Motorola, Lenovo, and others. Google's involvement ends here. They can't force manufacturers to actually release these patches. This often seems to be where the process ends.
If a manufacturer does want to apply these patches, they have to apply them to a device's Android code and build a new version of Android for that device. This is a separate process for every single phone and tablet that manufacturer supports. Each manufacturer then has to contact the carrier it sold the phones through and provide every individual device-specific patch to each carrier around the world. The manufacturer's involvement ends here. Even if they go crazy and patch every single device they're still supporting -- very unlikely -- they can't force carriers to actually apply these patches
Carriers can then choose to send the new, patched build of Android to their devices, or not. If they do, there's a good chance it's after an extensive testing period where the security holes will continue to stick around. Even if a carrier does want to do this, there's a good chance they'll only want to test the update on a few flagship phones, and not older devices.
In practice, most Android devices just don't receive security updates and are left vulnerable. Google hasn't chosen to enforce the delivery of security updates like they enforce other things in contracts with manufacturers. Manufacturers create many, many different devices and don't want to do the work of updating them all. Carriers ship many, many different devices and don't want to bother testing them. Rather than delivering updates and maintaining old phones, they'd rather push customers to purchase new devices. Those security holes were fixed in the latest builds of Android, so a new device will be secure -- at least until more holes are found and not patched.
Yes, that "check for updates" feature on your Android device just checks if there's any manufacturer-and-carrier-approved updates. It's not a reliable way to ensure you have security updates.
iPhones Are Guaranteed Timely Security Updates
The Android update model is horrifically broken. It's not just about receiving the latest and greatest features. Instead, there's no way to guarantee you have the current security patches. There's really even no way to tell exactly which security holes have been patched in your device, as you depend on the manufacturer adding the patch to their custom build of Android and rolling it out to your device.
Google has tried to avoid this with Google Play Services, which automatically updates on all Android devices. But it can only do so much. All Android devices running Android 4.4.4 and older -- that is, most Android devices -- currently have a web browser full of security holes because Google can't update it. And now, almost all Android devices can now be compromised with an MMS.
Really, this is terrible. Imagine if Windows laptops never received security updates from Microsoft. Instead, Microsoft would issue patches to Dell, Lenovo, HP, and other manufacturers. The manufacturer might choose to patch it or not, and if they did choose to patch it, that patch would have to be approved by the store you bought the laptop from before it reached you. Microsoft would be rightly raked over the coals for this. Instead, Microsoft releases a patch and it's provided to users of all models of Windows PCs via Windows Update. Even Google's own Chrome OS works this way without manufacturers getting in the way.
Want an actual guarantee of security updates for your smartphone? You pretty much have to buy an iPhone, although even Microsoft's Windows phones are ahead of Android here. When a security hole is discovered in an iPhone, Apple can release a patch to every iPhone user all at once -- even carriers don't get in the way.
Permissions and Privacy Controls Are Better on iOS, Too
App permissions are another case where iPhones trounce Android phones. Android started out strong, offering "app permissions" -- you can see what an app requires before you install it and choose not to install it. iPhones now have an improved permission system where you can actually pick and choose which data an app gets access to. Need to use an app, but don't want to give it access to your contacts or other sensitive data? You can do this on iOS.
On Android, app permissions are more like demands -- take it or leave it. Apps often ask for many more permissions than they really need to function, and you never really know whether that game you installed is uploading your contacts list to a remote server. Google is working on adding a permission control to future versions of Android, but that's too little, too late. Such functions are currently only available in third-party custom ROMs after Google removed Android's hidden permission manager.
iPhones actually give you control over what apps can do on your phone, exposing app permissions as helpful privacy controls anyone can understand. This helps keep your private data secure. On Android, it's really just up to the app -- you can only control whether you use that app or not.
Apple's locked-down app store has gone overboard in banning specific types of content, but only allowing apps from an approved source does provide some additional security against malware. Most malware on Android comes from outside Google Play, often when a user downloads a pirated app and installs it. This isn't possible without jailbreaking an iPhone. The iOS app store approval process is also a bit more rigorous, involving a person who actually tests the app rather than an automated algorithm.
Google needs to fix this situation. It's unacceptable for most Android devices to never receive security updates and be left vulnerable to an uncountable number of security holes. Many devices even have locked bootloaders, which would prevent you from patching the bug yourself by installing a custom ROM.
Yes, Android is an open platform with many manufacturers involved, but so is Windows. Google needs to get its platform in order. We'll continue to see ever-worsening security outbreaks in Android land until the entire Android ecosystem starts caring about security and becomes capable of patching security problems in a timely and consistent manner, like every other modern operating system.
Image Credit: Indi Samarajiva on Flickr