I am grateful to Craig Timberg, a Washington Post technology blogger, for pointing out this dangerous flaw in the Android smartphone industry.
A while ago, computer researchers at North Carolina State University uncovered a potentially dangerous security flaw in the operating system of Android phones that could allow scammers to hack the phones and send phony messages from the phone to all on the phone's address book — a practice called "smishing." Google, the creator of the Android system, was notified and immediately responded that they too had been able to verify the flaw and they would correct it.
They did, and they incorporated the fix into Jelly Bean 4.2, the latest version of the Android operating system. They also quickly created a security update for earlier versions. However, this operating system update, closing a major security flaw, has never reached most Android phone owners, leaving their phones still vulnerable to hackers.
The problem is that it's not clear who exactly is responsible for disseminating system updates for Android-based smartphones. It's an expensive undertaking, and who should bear the cost – Google, the smartphone maker, or the wireless carrier that sells the phone?
The problem is called "Fragmentation," and the result is that Android updates often take many months to reach users, if they reach them at all.
"You have potentially millions of Androids making their way into the work space, accessing confidential documents," Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union, told the Washington Post. "It's like a really dry forest, and it's just waiting for a match."
Author Timberg notes, "the risks are particularly serious for businesses and government agencies, whose increasingly popular bring-your-own-device policies have created new potential portals for espionage aimed at secure computer systems."
"We've built the system from Day One to deal with this kind of world," Hiroshi Lockheimer, vice president of Android engineering, is quoted as saying. "The health of the Android ecosystem is really important to us."
Google can incorporate the latest security fixes in the newest versions of its software still not in consumer hands. But it has struggled to get updated software to smartphones already in the hands of consumers. For instance, it is estimated that only about 1.5 percent of Android phones in consumer hands contain the updated software fixing the flaw the N.C. State researchers found.
The latest version of Android — the one with the "smishing" fix — is used by just 1.4 percent of the more than 500 million Android devices worldwide, according to data compiled by Google. The company confirmed it also released a security patch to repair the flaw in earlier versions of Android, but neither Google nor the wireless carriers could say how many current phones received the patch.
This fragmentation problem points out a significant difference between the Apple iPhone and Android-based smartphones. Apple operates essentially a closed distribution system. It is able to issue timely operating-system updates that are guaranteed to reach users.
But Android-based phones are manufactured by a number of different phone makers, each of whom has different contractual relationships with the wireless networks that actually sell the phone. Moreover, each of the major carriers has its own schedule and way of updating operating systems.
Google has placed a very high priority on fixing this update distribution problem. But in the meantime, Android-based phone users need to be aware of it and take precautions to download only proven virus-free apps from safe sources like Google's own app store.