Why are so many Android devices insecure?
Would you use a computer that received its last security update in 2014? Faced with that question, most of us would point to regular Windows Updates and an antivirus solution and feel moderately secure (and rightfully so). But what about Android devices? Android runs on over one billion cellphones, tablets and other devices and is fairly secure, provided those devices are running a somewhat current version, which is not always the case.
I recently picked up a seldom-used tablet and checked which Android version it was running. It was Android 4.4 which, by today's standards, can be considered antiquated. The device was made by Acer, didn't come cheap and had been left without updates for the past 3 years. Optimist though I am, I reckon it's safe to say there will be no future updates for this device. This is not an isolated case: 500 million devices have already dropped out of the update loop. How is it possible that devices are forgotten by their makers only 2 years after release? Why is there no centralized update mechanism like the one Windows has?
To better understand this issue, we need to take a closer look at what Android is and how the system is distributed. Android is developed by the Open Handset Alliance, a consortium of 84 firms including (you guessed it) Google as the lead developer, and, here's where it gets interesting for manufacturers, it is completely free. By using Android, handset makers avoid major license fees, although they do have to pay a small fee (rumored to be around 75 cents per device) to include certain Google services (like the Play Store). This is acceptable even for entry-level devices. Consequently, manufacturers take the vanilla version of Android and adapt it to their own hardware, e.g. a particular smartphone model. This is called porting. In many cases, they will also pre-install their own or partner software and load their devices up with ads. Some even try to brand their products further by forking the operating system and modifying both visuals and features to win customers over.
Google themselves usually release security updates on a monthly basis and make every effort to improve the overall security of their system. The number of malware-infected apps in the Play Store is steadily declining and new security mechanisms are introduced with every major update. Aside from their own software developers, Google also awards over 1 million dollars each year to users who discover and report security flaws back to them. But does this really help customers? Most companies worry only about their sales figures and would love for users to "upgrade" to their latest devices as soon as they become available. Even the 2011 agreement that manufacturers would provide their devices with updates for at least 18 months (a ridiculously short time span) had little to no effect. Some of the bigger players follow this "recommendation", but makers of smaller and cheaper models seldom do, mainly for financial reasons. This is all the more absurd and worrisome because older models in particular not only contain dozens of security holes, but those holes are also well known to malware authors.
Things look different in practice. Let's say there's a new Android update that contains critical security patches. Manufacturers will be notified - and from there on, the fate of your device is in their hands. Companies that rely on a vanilla version of Android without major modifications will likely roll out the update soon, provided the company is willing. But if the system is heavily modified, it'll take additional testing and cost money - money not all companies are willing to spend (on their customers). Even when a company does react, it usually takes weeks, even months, for the "better" companies to provide updates, and the affected devices will most likely stay online in the meantime. Branded cellphones (usually modified to work with a particular network) are a special case, as updates need to pass through their respective mobile carriers first. Carriers love to "forget" prepaid cellphones or at least delay the affected updates for months. The makers of Android have no means of enforcing timely updates through contracts or penalties; they depend entirely on the goodwill of device manufacturers.
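The pipeline described above explains why a device can silently fall out of the update loop; the practical question for anyone responsible for a fleet of phones or tablets is how to tell where a given device stands. The following Python script is an added example (it is not from the original post, and not Google's or any manufacturer's tooling) that audits the build properties a device reports via `adb shell getprop`. It relies on two real system properties, `ro.build.version.release` and `ro.build.version.security_patch` (the latter was introduced with Android 6.0 and is formatted YYYY-MM-DD, which is why an Android 4.4 build reports none). The sample `getprop` output, the vendor name, the audit date and the 90-day staleness policy are constructed assumptions.

```python
"""Audit how far behind Android devices are on monthly security patches.

Reads the key/value lines that `adb shell getprop` prints and compares the
device's reported security patch level against a staleness threshold.
Builds older than Android 6.0 do not report a patch level at all, which is
itself a finding: the device predates monthly patch levels entirely.
"""
from datetime import date
import re

# Constructed sample `getprop` output (not captured from a real device):
# an Android 4.4 build that predates monthly patch levels.
SAMPLE_OLD_TABLET = """\
[ro.product.manufacturer]: [ExampleVendor]
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
"""

# Constructed sample of a newer build whose last patch is a few months old.
SAMPLE_NEWER_PHONE = """\
[ro.product.manufacturer]: [ExampleVendor]
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2017-03-01]
"""

# Assumed audit date, fixed so the results are reproducible.
AUDIT_DATE = date(2017, 6, 1)

# getprop prints each property as "[name]: [value]".
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def patch_age_days(props, today):
    """Days since the reported patch level, or None if the build reports none."""
    raw = props.get("ro.build.version.security_patch", "")
    if not raw:
        return None
    year, month, day = (int(part) for part in raw.split("-"))
    return (today - date(year, month, day)).days


def assess(props, today, max_age_days=90):
    """Classify a device as 'unsupported', 'stale' or 'current'.

    max_age_days is a policy choice (assumed here: three monthly patch
    cycles); tighten it for devices that handle sensitive data.
    """
    release = props.get("ro.build.version.release", "unknown")
    vendor = props.get("ro.product.manufacturer", "unknown")
    age = patch_age_days(props, today)
    if age is None:
        return "unsupported", (f"{vendor} Android {release}: no security patch "
                               "level reported; treat as out of the update loop")
    if age > max_age_days:
        return "stale", (f"{vendor} Android {release}: patch level is {age} "
                         f"days old (limit {max_age_days})")
    return "current", f"{vendor} Android {release}: patch level is {age} days old"


if __name__ == "__main__":
    for sample in (SAMPLE_OLD_TABLET, SAMPLE_NEWER_PHONE):
        status, detail = assess(parse_getprop(sample), AUDIT_DATE)
        print(f"{status:12} {detail}")
```

To run it against real hardware, replace the constructed samples with the output of `adb shell getprop` for each connected device and use `date.today()` as the audit date. The threshold is deliberately a parameter: a device that is three monthly cycles behind is a reasonable default for "stale", but the appropriate limit depends on what the device is used for.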
Easy prey without security updates
However, companies have little incentive to act fast, since many customers pay little attention to the security of their devices and fail to exert pressure. It's the price and the feature list that sell products. As long as everything (seemingly) works, consumers are happy. What is unthinkable in the world of Windows appears to be perfectly fine in the world of Android. Consumers would likely get their pitchforks ready instantly if Microsoft stopped delivering updates, and yet there have been Android phones that never saw an update but still received high ratings. Luckily, not all companies neglect their products in this way. Motorola, HTC and Sony tend to act quickly; Samsung always takes a little longer to react. Xiaomi takes a different approach and installs its own MIUI system on top of Android, which is constantly being developed and hardened. So even if your device doesn't receive the latest version of Android (the best-case scenario), if it's from Xiaomi you will still be on the safe side.
It's clear the developers behind Android don't like debating these issues in public. Who'd want to admit that, though your system is steadily improved, these improvements will never make it to many customers? Only spectacular security leaks, like the Stagefright issue that affected Android's media framework and left the system wide open to malware attacks, make it onto the news. That's why, at this very moment, more than half a billion online devices have easily exploitable and well-known security holes. This situation will likely only change once customers develop an awareness of these issues and start pressuring device and software makers into acting accordingly. We need to convince Google to use their tremendous market power in the customer's interest, for once, and device manufacturers to keep their products safely usable for longer. Rumor has it that Google is keeping a list of black sheep. As consumers, it would be interesting to know who's on it.