Complexity of Updating Android Exacerbates Security Problems
I bought a new HTC Nexus One last week, which unfortunately came with a custom ROM (Android Kernel Version: 2.16.405.1 CL223106 release-keys). Unfortunately, this particular firmware prohibits any “Over The Air” (OTA) updates or even manual updates and it was a nightmare trying to track down the solution to the problem. Luckily my online search led me to this page explaining the upgrade process which calls for a very complicated 6-stage manual process to upgrade to Android version 2.3.4.
To summarize, I had to follow the following upgrade process, and each stage took about 5-30 minutes (depending on download time):
- Downgrade to 2.2 build FRG33 using passimg.zip method
- Upgrade to 2.2.1 build FRG83
- Upgrade to 2.2.1 build FRG83D
- Upgrade to 2.2.2 build FRG83G
- Upgrade to 2.3.3 build GRI40
- Upgrade to 2.3.4 (Google announcement here)
With an upgrade procedure this onerous, it is no wonder that so few devices are running newer versions of the Android Operating System. The result is an immense level of Android fragmentation, leaving 99% of the devices vulnerable to a serious security flaw in the ClientLogin API. ClientLogin was apparently designed without any encryption, so that user credentials are transmitted in the clear, making them easy for criminals to intercept.
The market share for non-vulnerable versions of Android OS might be a little better than 1% now but not much better according to Google’s statistics.
Image credit: Google