We’re on day who-the-heck-knows of the Android Stagefright security vulnerability, and there’s really no point keeping track of the days because no one’s going to fix it. The Android ecosystem can’t deal with security, and it won’t change until it’s too late.
Android was originally designed, above all else, to be widely adopted. Google was starting from scratch with zero percent market share, so it was happy to give up control and give everyone a seat at the table in exchange for adoption. The sales pitch was simple: “Apple locked you all out of the iPhone and with Microsoft you’re just a customer, but on Android, you’ll all have a say in the end product.” The open source nature of Android allowed anyone to adapt its code to their hardware, and OEMs and carriers could (theoretically) alter or fork it to their hearts’ content.
Now, though, Android has around 75-80 percent of the worldwide smartphone market—making it not just the world’s most popular mobile operating system but arguably the most popular operating system, period. As such, security has become a big issue. Android still uses a software update chain-of-command designed back when the Android ecosystem had zero devices to update, and it just doesn’t work. There are just too many cooks in the kitchen: Google releases Android to OEMs, OEMs can change things and release code to carriers, carriers can change things and release code to consumers. It’s been broken for years.
The Android ecosystem’s reaction to the “Stagefright” vulnerability is an example of how terrible things are. An estimated 95 percent of Android devices could fall victim to a remote arbitrary code execution just by receiving malicious video MMS. That’s really scary, and as you might expect, Google, Samsung, and LG have all pledged to “Take Security Seriously” and issue a fix as soon as possible.
Their “fix” is to patch 2.6 percent of all active Android devices. Tops. That’s the percentage of Android devices that are running Android 5.1 today, nearly five months after the OS was released.