The Choice Is Yours: Android Vulnerabilities Highlight Pros and Cons of Decentralization

Another set of critical vulnerabilities in Google’s open-source Android operating system were reported by Motherboard this morning. Does this mean you need to throw out your Android device and go with Apple? Of course not. There are pros and cons to both, though, that you should be aware of when choosing the flavor of your mobile devices. (Full disclosure: I’m a long-time Apple guy who is currently shopping for an Android phone as a backup.)

In short, Apple tightly controls the software that can and can’t be added to their devices and on what kind of hardware their software can run. Google takes a decentralized approach, and therefore any number of hardware vendors can install Android on their devices. It also means that Android devices can be way more customized and there are greater options in what software can be installed.

The pro for Apple is that it’s easier for them to maintain updates, including security updates, for longer periods of time. For instance, support for the iPhone 4 just ended with the release of the 7 – that’s years of support for the 4. Apple’s tight control and review process for third-party apps means there is a greater chance of catching vulnerabilities and malicious apps before they can ever reach the public.

The con to centralization, on the whole, is that it provides a single point of failure. If Apple has a problem, then, potentially, all users have a problem, or at least users of the same model of device. That means all of those users are exposed until Apple provides an update.

The pro for Google is that you have many options in choosing the device that suits you while still using Android, and you have a lot more freedom in choosing the apps you want to install. You can even write your own. Hackers (I would hope by now I don’t have to explain the difference between hacking for good and for evil) love Android for this reason. I should also point out that outside of the US, Android is by far the dominant mobile operating system.

The con for this decentralized approach is that installing malicious code is a lot easier, and how/if updates are provided to users depends on the device manufacturers, which can leave users vulnerable for undetermined lengths of time. Androids go end-of-life (no longer supported) a lot quicker as hardware manufacturers try to push users to buy new devices, and that leaves users vulnerable.

In the case of these latest Android vulnerabilities, they lay at the core of the operating system, which means all users are affected. But for users to have their devices patched, it will depend on whether their manufacturers even provides the ability to patch. Not an ideal situation.

Am I advocating Apple over Google? Of course, not. Both have their pros and cons, and the more informed you are, the better your odds in choosing the device that’s right for you. What I will recommend, though, is pressing your prospective hardware provider/cell carrier to clarify their patching update capabilities and avoiding those that don’t provide updates. In this day and age, they should know better.

About Marc Blackmer

Marc is the founder of 1NTERRUPT and has been in the IT and cybersecurity fields since 1998. He is a product marketing manager for industry solutions in Cisco Systems’ Security Business Group, focusing on cybersecurity for industrial control systems (ICS) and the Internet of Things (IoT). He also blogs on IoT security on behalf of Cisco at www.securityledger.com.