Android battles to fix the holes where the rain gets in


Google’s security mavens have been hard at work this month, patching an impressive 78 Android flaws in the firm’s latest update.

All-told, seven issues are rated ‘critical’, including a hat-trick of kernel-level holes, a privilege flaw in the MediaTek video driver and three biggies affecting Qualcomm silicon.

Qualcomm turns out to be a bit of a theme with 31 vulnerabilities (identified by CVE numbers) mentioning the chip maker by name.

If 78 sounds like a lot of security holes to fix at once, it’s actually down on recent months. In July, the number reached an all-time high of 108, followed by another 103 in August.

Since Android’s monthly cycle started in July 2015, it has shipped a total of 410 fixes which, depending on your interpretation, either shows how vulnerable the operating system (OS) is or how hard Google is working to patch things up.

For sure, patching Android is a rather complicated affair these days, encompassing a wide range of devices from external handset OEMs as well as Google’s in-house Nexus and Pixel families, which sprawl across 13 devices.

Things have become so fiddly – Google recently started offering monthly patches in two tiers, the first allowing OEMs to fix issues common to all Android devices (designated 1 October) with a second level (5 October) covering specific products.

With a little help from our friends

Android started issuing monthly security updates in the the summer of 2015 when a clutch of major security holes were discovered in the OS.

The worst of these was Stagefright, a collection of eight vulnerabilities rolled up under one banner.  Days later came Certifi-gate, a serious issue in a remote support interface used by several smartphone makers.

The timing of these being made public was probably down to the beginning of Android’s bug bounty program in the summer of 2015, but their discovery served as a reminder of the OS’s vulnerability.

Creating patches is all well and good but actually getting them on to handsets has been a huge problem for Google, and, as of April this year, about 400 million Android devices were still beyond its reach.

One of the other things that’s interesting about Android holes is who’s discovering them; external researchers.

Google thanks them by name in its October advisory, listing no fewer than 24 different people, most employed by security firms. Each will have been paid a modest bug bounty for their trouble; with a critical application flaw in Android netting (including fix) $8,000.

The forthcoming Android 7.x (Nougat) promises to make all this updating less of a chore for users. From this version onward, it will be possible to continue using a device even as major updates are applied in the background.