An Android presentation just after Mandt’s asserted that the one-two punch of Android fragmentation has placed Android users at risk of missing out on important security updates. That’s not going to be fixed anytime soon, they said.

The issue, argued Jon Oberheide of Duo Security and Northeastern University security researcher Collin Mulliner, lies in how Android devices receive — or more precisely, don’t receive — their updates.

“The Chrome guys will deliver an update within 24 hours. On Android, it can take months and years,” said Oberheide. “Your carrier doesn’t have a lot of incentive to fix your ancient HTC Evo. They want you to buy the latest and greatest device.”

So, the pair said, even when Google patches Android security flaws, the handset manufacturer and the carrier effectively stop patches from reaching the people who need them.

Android security apps can’t be relied on, Mulliner said, because they’re fighting Android malware — something that he said just isn’t a big problem in most regions.

“None of the big antivirus or security companies are doing a really good job because they’re all concerned with stopping malware,” he said.

Read the article at CNET News →