Who cares
Most users couldn't care less and the OEMs are not much better.
The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned. The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in …
To answer your question the security researchers/companies/fear-mongers care. That's why they constantly bombard these sites with press releases which say nothing of interest.
I saw a stat the other day that something like 20-30% of UK online banking activity is now done through mobile devices.
Google appear not to give a flying fuck about the security of their users, just so long as they keep getting the advertising revenue. At least when Microsoft released XP, mass use of the internet and mass virus outbreaks were relatively new to the world. And they started to respond reasonably quickly, with SP1, automatic updates, checks to make sure you were running anti-virus and the like. Then gave up on the whizzy updates to XP they were working on to re-write the whole shebang in a more secure manner. Vista was that disappointing for a reason...
This Android updates problem has been around for a very long time now. And I'm not talking about not getting latest shinies, but missing out on security patches for brand new handsets. And Google would appear to have done the square root of bugger-all about it!
It isn't about Google, it's about OEMs/third-parties who write custom rubbish software, including drivers for their custom hardware.
I think the subtext is supposed to be "buy an iPhone" but I'm not sure I'm getting many security fixes for my 3G either - for the OS or for the apps.
THIS user does. That's who.
I can't/don't speak for any others, but I care rather a lot about this. My Android devices are used for casual gaming and casual web browsing only. Nothing involving credit cards or banking is EVER done on an Android device or, for that matter, my WinPhone. Yes, I give up some cool and convenient functionality. I can live with that - and the ever-so-slightly better security of my personal data that goes along with it.
What they said: "helped the manufacturers fix those problems."
What this actually means: "Made sure that the manufacturers won't make these particular mistakes again in their new products. Much as we'd have liked them to issue fixes for their existing user base, they all told us to get knotted."
The problem with allowing a wide variety of hardware and letting manufacturers customise the O/S[1] is that this customisation is being done by cheapskate fucks who regard any design more than a year old as obsolete and any effort spent supporting such as money down the crapper.
[1] MS found exactly the same with WinMo. The clever thing Google have done with Android is managed to get people to actually blame the device's maker when the thing's an unreliable bag of shite rather than the O/S itself. MS never managed this very important bit of sleight-of-hand marketing.
Yes, when you look at the list of phones they analysed you can see they're only reasonably high-profile ones that the manufacturers might consider providing a patch for. I'll bet the issues are in no way limited to those phones;
"The researchers analysed five different distributions: Google Nexus 4, Google Nexus 5, Sony Z1, Samsung Galaxy S4 and Samsung Galaxy S5, all running OS versions 4.4.X (except for Samsung S4 running version 4.3)"
Perhaps the researchers want to keep the manufacturers on-side - if they'd announced that the Samsung Galaxy Ace (or whatever cheap popular-yet-obsolete Android handset they picked) had these problems I doubt a patch would have ever seen the light of day, and they wouldn't have gotten much appreciation from the manufacturer either for highlighting the fact that they can't be bothered to security patch anything but their latest high-profile handsets.
The problem is that 'probably' these manufacturers are under the cosh in terms of costs. And as we all know, security and testing is one of the first things to be chopped by the beancounters. For all their many faults, there are some advantages in paying an Apple premium - they can afford to patch, and will have a godawful problem once the first major vulnerability releases email accounts/passwords/bank accounts etc...
So for Apple there is the carrot and a hell of a big stick.
an Android App that takes away the unnecessary permissions from OTHER Android apps?
Why the hell does a weather app need permissions for my contacts, photos, etc??????
Of course Google could have done that when they made Android but they are too busy plowing through your contacts, photos, etc!!!!!!!!!!!!!!!!!!!
"AOSP [Android Open Source Project] code has had the most eyes on it, from Google, the SOC partners, the OEMs, the community. It is quite reviewed."
No, it is most certainly not. Let's review the AOSP bugfest:
- Towelroot
- Stock browser same origin policy failure
- OpenSSL
It goes without saying that the use of OpenSSL *requires* the ability to patch.
How does 4.1 Jelly Bean do on the ssllabs.com browser scanner? I would think the score is an F - and if not, it's certainly not for lack of trying.
"No, it is most certainly not. Let's review the AOSP bugfest:"
Only 3, dookie? BTW, Towelroot was a Linux bug.
Let's have a look at the hundreds of iOS security exploits:
http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49
Or what about that Windows 0 Day OS?
http://www.cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26
That's only for Windows 7. In total Windows has more than a thousand security exploits.
They should have had a "single OS-image" policy from the start. Where you have one Android image which can run on any device, just like you have with most PCs. This would also have made alternative images a lot easier.
Hardware manufacturers would have had to agree to well defined interfaces, eliminating the need for binary only drivers and making hardware discoverable.
Unlike previous attempts like Microsoft's MSX, we now can have rather flexible hardware with features added in compatible ways. Your SoCs would, for example, all have the same framebuffer mode, acceleration features however, could be different on each one of those.
The scanner at ssllabs.com reports the stock browser on cm10.2:
- doesn't support TLS 1.2
- is vulnerable to Logjam
- is vulnerable to FREAK
- is vulnerable to POODLE
How on earth could TLS 1.2 be disabled? And why weren't the MOST STRINGENT security settings used, since there was absolutely no update capability?
This is truly pathetic. Operating systems simply should not be designed this way.
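The server-side view of the same findings, as an added example that is not code from the thread or from ssllabs.com: a browser that will never be patched only matters if servers still accept what it offers, so the Python `ssl` context below refuses the protocol features POODLE (SSLv3), FREAK (export RSA) and Logjam (finite-field DHE with weak parameters) rely on, next to the permissive shape it replaces, with a small audit of what each would still negotiate. It assumes Python 3.7+ on an OpenSSL build; the constants and cipher-string keywords are OpenSSL's, and the TLS 1.2 floor also turns away a client like the cm10.2 browser above.

```python
import ssl

# Substrings in OpenSSL cipher names that mark the legacy suites the attacks
# in the post depend on (export RSA for FREAK, plus RC4/DES/NULL/MD5 leftovers).
LEGACY_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5")


def permissive_server_context() -> ssl.SSLContext:
    """The kind of configuration that still accommodates an old client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # lets TLS 1.0-only clients in
    ctx.set_ciphers("ALL:!aNULL")                # whatever OpenSSL ships, DHE included
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Refuse SSLv3 (POODLE), RSA key transport incl. export grades (FREAK) and
    finite-field DHE (Logjam); a client that cannot speak TLS 1.2 is turned away."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE+AESGCM only: no RSA key exchange and no DH parameters to negotiate.
    # The explicit exclusions are belt-and-braces on top of that selection.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context would still negotiate, from its own cipher list."""
    ciphers = ctx.get_ciphers()            # list of dicts: name, strength_bits, ...
    names = [c["name"] for c in ciphers]
    return {
        "min_version": ctx.minimum_version.name,
        "legacy": [n for n in names if any(m in n for m in LEGACY_MARKERS)],
        # Finite-field DHE suites: Logjam exposure then depends on the DH
        # parameters the server loads, which a cipher list cannot show.
        "dhe": [n for n in names if n.startswith(("DHE-", "EDH-", "DH-"))],
        "min_bits": min(c["strength_bits"] for c in ciphers),
    }


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, audit(ctx))
```

Modern OpenSSL builds no longer compile the export suites at all, so the "legacy" list of the permissive context is mostly a placeholder there; the DHE list and the TLS 1.0 floor are what such a build still leaves open.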
There is now a critical MMS bug on all Android versions from 2.3 up. It allows the exploit of the system account (uid 1000) on many phones.
http://www.extremetech.com/mobile/210906-950m-phones-at-risk-for-stagefright-text-hack-thanks-to-android-fragmentation
http://www.pcworld.com/article/2953052/most-android-phones-can-be-hacked-with-a-simple-mms-message-or-multimedia-file.html