Let’s not beat around the bush – Google is pretty fed up with people believing that the Android ecosystem might not be as secure as it should be.
And it must be particularly galling for those residing in the Googleplex that sometimes these flaws are not present in up-to-date versions of Google’s Pixel smartphones, but in those manufactured by other vendors.
Last week Google revealed it had taken another step to fix the problem, announcing an initiative to “drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners.”
What does that mean?
It means that Google’s Android Partner Vulnerability Initiative (APVI) will be publicising security issues it finds in third-party Android devices, in the hope that they will be fixed more quickly.
APVI only applies to vulnerabilities in code that isn’t serviced or maintained by Google – flaws in Google’s own code continue to be handled by Google’s Android security bulletins.
APVI’s bug tracker has already listed a number of third-party vulnerabilities, including:
- Weaknesses in the password manager built into the Transsion web browser pre-installed on many devices.
- Insecure backups on Huawei devices.
- Sideloading vulnerabilities affecting Oppo and Vivo phones.
Google’s approach appears to be to notify vendors before publicly disclosing a flaw, and so far most of the reported flaws appear to have been fixed.
With luck, the threat of having a security vulnerability publicised will encourage more Android smartphone manufacturers to take greater care squashing bugs before they end up in the hands of unsuspecting consumers.
And what of Android-based tablets?
What of telcos that refuse to release available updates to force users to update their hardware to more recent devices?
Unless you unlock the vice grip they have on their firmware releases, this problem will vastly overshadow any minor software updates for fixing bugs.
Start releasing generic versions so users have choices. Force the telcos to unbundle their forced addons, or alternatively have them on a middle plane that doesn't retard updates to the underlying operating system while retaining their often unwelcome bundleware.
Bundleware and firmware should be unlinked so users can keep their operating system more current.
Yes, name and shame.