Google is becoming the Windows of mobility, and not in a good way. A comparison between Alphabet Inc (NASDAQ:GOOG, NASDAQ:GOOGL) and Microsoft Corporation (NASDAQ:MSFT) has existed since Android was announced in 2007, in that the Android operating system depends on a network of OEMs, many of whom tweak the software for proprietary advantage.
But as hackers continue to find bugs in the system, the way it’s organized makes users increasingly vulnerable.
While financial analysts will be most interested tonight in whether Alphabet “makes the number” on earnings, tech writers will be looking at recently discovered security flaws with Android phones and waiting for someone to exploit them.
Tech writers know that technology products become increasingly vulnerable from the time a vulnerability is announced until a patch is produced, although vulnerability remains until the patch is installed by users.
The problem for Android is there are many different phones, many of them without enough memory to take an upgrade that would include a patch.
The Flaws for Android
Tech writers are now talking about two Android vulnerabilities, a Linux flaw called DirtyCow and a memory chip problem called DRAMMER. Either would allow a hacker to take control of or “root” a victim’s device.
Dirty Cow, also known as CVE-2016-5195, has been in the Linux code base since 2007 and while it has been fixed in the latest Android software release, it could take months to get patches out through manufacturers.
It works by having the kernel put two files in memory, one of them read-only, then writing to the one it can change while asking the kernel to borrow back the memory being used for the file it can’t affect. Within a second, a hacker can overwrite the read-only file, which — if it’s a configuration or critical executable — lets them take control of the phone.
DRAMMER, known as CVE-2016-6728 is a version of an old Windows flaw. Once the hacker gets administrator privileges they can deliver malware.
Google encourages hackers to discover bugs, and pays them handsomely so it can then patch them.
But finding a bug, or even writing a patch, are just the first steps toward correcting a problem. This is where Android’s structure lets users down.
The Disease
Publicity over a 2015 bug dubbed Stagefright caused Google to take new action. Now, new versions of Android can see which recent bugs have been fixed, through the phone’s “About” screen.
The problem is there are many versions of Android in the market, just as there are many versions of Windows.
It has taken Microsoft a year to get Windows 10, which it sees as a solution to the fragmentation problem, onto just one-quarter of PCs, and Windows 7 still has the largest market share. Over 6% of users still use Windows XP.
But what happens when a bug infects all versions of the operating system? Getting a patch loaded by users who no longer take patches, or upgrades, gets many people sick of the whole update process. This leaves owners of older hardware vulnerable — it’s why the risk of a bug never falls to zero, even after a patch is available.
The bottom line is that Android is losing its battle with fragmentation and users are paying the price. Many Android phones may never be safe.
The Market Lesson for GOOGL
None of this has yet impacted the phone market.
Android still has over two-thirds of the mobile operating system market, against just 25% for Apple Inc. (NASDAQ:AAPL). In the last year, Android has gained as much as one-sixth of the market from Apple iOS. But this gain is spread among over a dozen different vendors and the share held by smaller vendors is continuing to rise.
Someone is going to take advantage of this, and the Google Android ecosystem is not ready for it. The potential liability to Google in such an event is immense.
Dana Blankenhorn is a financial journalist and author of the science fiction story Into the Cloud. Write him at danablankenhorn@gmail.com or follow him on Twitter at @danablankenhorn. As of this writing he owned shares in GOOGL, MSFT, and AAPL.
