Finally, compared to Google, Apple and BlackBerry maker Research in Motion have greater control over their devices. Thus, security flaws are fixed and distributed faster than the carrier-published Android patches.
Google needs to force a change to reduce the patch cycle
Users have no simple way to fix the problem themselves. In the PC market, slow-to-patch software makers created an opening that third-party vulnerability-management vendors filled, but the same has not happened in the mobile-security market.
One reason for the lack of a solution is the same reason that some smartphones are so secure, says Marc van Zadelhoff, worldwide director of security strategy for IBM: "They are not all equally accessible. There is less of a third-party security ecosystem that can help on the mobile side because it is less accessible to the patch management vendors."
Instead, much of the solution has to be spearheaded by Google and the other operating system makers. Smartphone manufacturers and carriers have to revamp their patching processes so they can deliver smaller, more agile updates faster, says CMU's Vidas. Tools such as the Android Compatibility Test Suite (CTS) help smartphone manufacturers and carriers move software updates along and ensure that critical patches are included in new firmware. Yet an update often still requires the whole firmware image to be modified and replaced on the user's device.
By separating the different layers and components of the code, Google and the Open Handset Alliance could minimize the changes in each update and reduce the quality testing required to sign off on it, shortening the cycle, says Kevin Mahaffey, CTO at Lookout. "The solution is to move toward a more package-based update mechanism," he says. "Smaller updates mean less QA and faster patching."
There is hope: The forthcoming Android 4 "Ice Cream Sandwich" release is expected to dramatically reduce the fragmentation among Android versions. The wide adoption of the newest operating system version could free up developers to push out patches and simplify updates.
At the technical level, the patching problem has largely been fixed on the user side. Just five years ago, when researchers found a serious vulnerability, patching it required the customer to visit a carrier's store, says Mahaffey. "Now we have over-the-air updates, which is great, even though there are still wrinkles on the back end that need to be ironed out."
Even Apple is jumping on the benefits of over-the-air updates, building the feature into iOS 5, which will be released on Oct. 12 -- the last major operating system maker to do so. The move is a necessary security step, as the company found that about half of all iPhones brought into its Apple Stores had not been synced with a computer, the only way to get patches in iOS 4 and earlier.
With Google speeding up fixes to the Android source code and users getting automatic updates, the only remaining bottlenecks in the process are the smartphone manufacturers and the carriers. Until they get on board, their users and subscribers will be left at risk. So far, they have shown little interest, so Google needs to step in and force the issue.
This story, "Android's big security flaw, and why only Google can fix it," was originally published at InfoWorld.com.