What is fragmentation, and how does it affect the security of the Android-based devices? To answer these questions and more, Lacoon Mobile Security recently issued a podcast where one of its senior security researchers provided a brief overview of Android fragmentation and its security implications.
Android is famous for being the liberal, open source and diverse alternative to Apple’s iOS. Google has created a technological world of Darwinian evolution where the best platforms and versions grow ever stronger while the weaker ones die off gradually. In this harsh environment, Android has become the most popular mobile OS in the world, dominating than 60% of the global mobile market.
The most commonly used term to describe Android’s diversity is “Fragmentation”. The Android ecosystem is built up from many different developers, manufacturers and carriers, each with their own input and influence on the phones we use.
As shown in this great image, the Android Ecosystem is built from many different devices, manufacturers, operating systems apps and services. While fragmentation is key to the constant development and variety of Android devices, it’s not without its problems. One of the biggest consequences of fragmentation is that a vast number of users – numbering in the hundreds of millions –are left vulnerable to malware and data theft as a result of unfixed coding vulnerabilities.
Whenever it releases either an update for Android (small updates, security patches, etc.) or a completely new version of the Android OS, Google sends the code to its device manufacturers where it is customized to fit their unique specifications. Once the devices are put on cell contract, the carriers finally get a chance to make their own adjustments.
Not only is this a very lengthy process, but the problem is made exponentially worse by the fact that neither manufacturers nor the carriers feel the need to actually push out these updates and make sure people install them.
Two major security issues have recently highlighted just how serious this problem has become:
1.) The Pileup flaws. These code flaws left every Android-powered smartphone and tablet, more than a billion devices in all, vulnerable to malware due to to privilege escalation issues.
2.) The Heartbleed OpenSSL bug. Besides affecting millions of servers, the bug affects certain versions of Android 4.1.x (Jelly Bean). Although Android version 4.4 had already been released when Heartbleed broke, a whopping 35% of Android devices were still running 4.1 at the time.
As long as the weaknesses of Android’s fragmented ecosystem remain prevalent, we will undoubtedly see more mobile malware targeting specific devices and/or versions of Android OS.
Although not a guarantee of safety, there are several things that can be done by enterprises to ensure their BYOD policies are as secure as possible. To find out more, I recommend listening to Lacoon’s podcast at:
By Yonni Shelmerdine, Mobile Security Trends Analyst, Lacoon
Yonni is the lead Mobile Security Trends Analyst at Lacoon. Yonni brings five years of experience in Datacom & GSM network security analysis from an elite unit in Israel’s Intelligence Corps. Yonni heads the analysis of mobile attack trends where he researches new attack vectors and identifies major mobile malware attack patterns. Juggling university, work and football isn’t easy, but Yonni is a master of multi-tasking.