Zit Seng's Blog

A Singaporean's technology and lifestyle blog

If Android, Then Nexus

At times, I wonder if the only Android devices out there should just be the Nexus ones. It’s like how, if you want iOS, you buy an iPhone. If you want Android, there are so many devices out there, but the only really logical choices are the Nexus ones, simply because of software updates and security patches.

Nexus 6P software update

Nexus devices enjoy monthly software updates. It’s like how your Windows PCs or Mac computers receive regular updates from Microsoft and Apple respectively. The security patches, in particular, are important.

If you had an Android device that is not a Nexus, you are quite dependent on your smartphone (or tablet) manufacturer to update the software. What if they take too long? What if they don’t do it at all?

The March 2016 Android Marshmallow update lists a number of issues, six of them marked as critical. Two of the critical issues involve specific hardware: the MediaTek Wi-Fi driver and the Qualcomm performance component. The other four are in common Android software components, such as Mediaserver, which seems to be plagued with problem after problem.

Remote code execution vulnerabilities in Mediaserver, and a new one in libvpx, mean that someone can send you a specially crafted media file which will then execute malicious code on your smartphone. You think you’re receiving a video MMS, but what’s really happening is that a third party now has access to do things on your smartphone.

In the past, Mediaserver vulnerabilities were mitigated by updated versions of Google Hangouts and Messenger so that they do not automatically process media. You could, however, still have other apps installed on your Android device that don’t mitigate this vulnerability. This approach is better than not doing anything, of course, but the real fix is getting the underlying Android operating system fixed. Therein lies the problem, because smartphone manufacturers are unlikely to do that in a timely fashion.

Imagine, if you will, that you have a cool Dell tablet running Windows 10. Unlike a Surface Pro 4 that receives Windows 10 software updates directly from Microsoft, you need Dell to build and distribute their version of Windows 10 before you can update your Dell tablet. What if Dell takes a few months to do that? In the meantime, how would you feel about putting your secrets in a device that has a huge gaping security hole? What if Dell never gets around to providing you with the fixed software?

Some Android users, and this will probably be a small fraction of all Android users, are comfortable flashing their own Android software on their devices. Community builds of Android, such as CyanogenMod, will likely get quite timely security fixes. If you are comfortable flashing your own ROM, and your smartphone is among the supported hardware, then you’re probably alright. But this isn’t really representative of the general Android user population. It is an option, nevertheless.

Someday, Android device hardware should become so generic that, like desktop and notebook computers, we could have Google producing one build of Android that anyone can take to install on any device. Just like how you can put Linux on any, almost at least, computer.

But until then, is it the case that you’re best off either buying a Nexus device, or supporting yourself through third-party builds of Android?
