Your online security and privacy don’t just depend on Google’s work
Google and the companies that make phones using Android have managed to update everything to protect our online security and privacy. Mostly. These are the important updates, even if they are not the glamorous kind.
An Android security update requires a lot of work. Probably more than you think, and from more companies than you think, too. When you get down to the details, the companies you are not thinking of do the most work and play the most important role.
So many smart parts
Your phone isn’t just a piece of metal and glass filled with Android magic. It’s built using thousands of different parts, many of which run a bit of code inside so they can work. One of the most important of these parts is, of course, the SoC (System on a Chip) inside. The chip isn’t just the most powerful part of a phone, it’s usually the most vulnerable when it comes to exploits that affect our security and privacy.
Example: Check Point Research has just released information about a vulnerability (it has since been patched or is being patched on all affected devices) inside the chips that power about two-thirds of all Android devices.
Long story short, 11 years ago Apple released open source code used for audio decoding. It has been modified over the years, but is still in use today. That’s the great thing about open source code – anyone can use it, improve it, and share it with everyone.
Qualcomm and MediaTek both use a variation of this code and hackers (the bad kind no one likes) have found a way to exploit this code to do things like stream video from your camera without your knowledge, or even get permission to install malware or take over everything. This is bad news.
You don’t have to worry about this one because all the best Android phones have already been updated with a patch that prevents these hackers from doing anything. But soon enough, another similar – or worse – vulnerability will be discovered.
Google can’t solve this problem
We like to keep saying how important it is for Google to do whatever it takes to get the latest security-focused updates to every user. But it’s a major task: Google can’t just create a patch and force it on all phones, because the manufacturer has to get involved. Google can patch a Pixel phone, but Samsung has to patch a Galaxy phone. Samsung does a great job, but not all phone makers care that much.
All that aside, even if all the phone makers and Google got together to make sure all Android patches get pushed out, a vulnerability like the one described above wouldn’t get fixed. This is because neither Google nor the company that built your phone can fix the code provided by Qualcomm or MediaTek or any of the other vendors that provide parts that include a bit of code needed to work properly.
Luckily, companies like Qualcomm, MediaTek, and Nvidia are really good at fixing vulnerabilities quickly and getting fixes out to their customers. Qualcomm, for example, patched the audio decoder exploit, then passed along everything Google needed and everything the phone maker would need as well.
Sure, that’s probably a condition of any service contract, but the speed and complicated work of finding and fixing a bug or exploit is always a big deal. No matter what you might think of a company that provides microprocessors, or even if you never think of them at all, they deserve some recognition.
You have to do the right thing, too
Some of us can’t wait to get an update. Whether it’s for an app or a security patch or even the next version of Android, we watch for it and install it as soon as possible. Some of us even sign up for beta access to try it out before it’s ready.
But for many people, installing an update on their phone is just a hassle. It usually means you have to restart your phone, and you don’t even seem to get anything cool, so the notification just gets cleared. After all, it will come back and you can “do it later”.
Don’t be that person. As you can read above, patching software is a never-ending process that involves a lot of hard work, and every bit is done to make your phone and online experience safer. Sometimes it forces changes that people might not like or that app developers aren’t ready for, but no company spends time and money creating software patches because it’s fun.
You’re not the only one affected by poor security, either. People around you don’t want to be recorded without anyone knowing, and if a malicious app can access your contacts, someone else’s privacy could be invaded. Yes, it can happen. Anything can happen when many people are looking for a way to cause trouble in a system as complicated as the software that powers a smartphone.
When you see that notification about an update, remember how hard so many different teams worked, why they did it, and how it will only take you a few minutes to hop on board and install it.