Marshmallow fails to fix the huge update problem at Android’s heart

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Android MarshmallowSo, here comes the latest version of Android – named in Google’s typically sweet-toothed fashion, Marshmallow.

Or rather, chances are that it won’t be coming to your Android smartphone. Chances are that you’re not even running Android Lollipop yet.

Because, the giant problem with securing Android devices is the how to keep the OS updated with the latest security patches and fixes. In many cases, updates simply are not made available to Android’s many millions of users.

Compared to rival iPhones and iPads, Android devices have a poor history for updates, with many users left in the lurch even when huge vulnerabilities like Stagefright (and even Stagefright 2.0!) come to light.

Sign up to our free newsletter.
Security news, advice, and tips.

If you’re hoping that Android Marshmallow will fix this problem then you’re going to be disappointed, as Ars Technica explains in its detailed 12-page review:

Marshmallow solves lots of little problems but ignores the biggest one…

“Android is far, far behind the competition when it comes to device security. The only real solution we can see is a Windows Update-style system that can send centralized updates to every device. This would require architecting the way OEMs and carriers handle software, but something needs to change so that there’s a real update and security solution for every Android device and every Android user. If you’ve got a Nexus device, the Android security update speed is still slow thanks to the rollout system, but at least it exists. For everyone else, maybe there will be something for you in the next version.”

In fact, when Ars Technica sums up the good, the bad, and the ugly about Android Marshmallow… it’s clear that they find security Android’s achilles heel:


The Ugly

There is still no solution for getting Marshmallow out to the billion+ devices out there.

The problem is that carriers, smartphone manufacturers and Google all have to work in unison to get an update pushed out to users. And they just don’t seem to have enough incentive to pull together in the right direction. Users of Apple devices don’t have this problem, because there’s just one company – Apple – in charge.

Millions of Android users deserve better than this.

Further reading: Here’s what Google thinks of Android security, 2011-present.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

14 comments on “Marshmallow fails to fix the huge update problem at Android’s heart”

  1. David L

    Google is not helping by using Chinese oems for the New Nexus Devices,and previous ones too. Already, Huawei had a device that was found with malware preinstalled right out of the box. Gdata security found this just a few months ago,along with many other devices, and some name brands too! These Chinese devices will call home,and ANY connection crossing their boarders IS VULNERABLE! So, rooting and installing Cyanogen Os is the best solution.

    1. Michele Possamai · in reply to David L

      That's bull… The software of Nexus devices comes straight from google so it's not possible for the Chinese to add malware..
      That's the whole idea of a nexus. Hardware from X, firmware from google.

      1. coyote · in reply to Michele Possamai

        Sort of like at least three corporations released software and/or hardware infected by CIH ? For instance, IBM shipping thousands of Aptivas one month prior to the payload (which is also named after the Chernobyl disaster because the payload was activated on 04/26). You do know what the payload was, right ? If not I suggest you look it up because it was quite nasty. Or perhaps you mean to say that Google is perfect and has never accidentally let fake anti-virus software appear in their store, and they have never let malware in their store, either? That must be it – all the references to that happening on this site alone are false – and IBM (and other corporations) never ever released products infected by CIH (for one example of others), right? Why would they do that? It would be a terrible thing to do and they would never get away with it! Too bad all of these things have happened.

        Doesn't matter what your poison is because your theory is completely wrong and it has been proven again, and again and again. It will continue to happen too because funnily enough, these companies are operated by people.

  2. BG

    Security firm G Data has uncovered more than two dozens of Android smartphones from popular smartphone manufacturers — including Xiaomi, Huawei and Lenovo — that have pre-installed spyware in the firmware.

    Here are the devices infected with the malware: [from tech worm]

    Xiaomi Mi 3,
    Huawei G510,
    Lenovo S860,
    Alps A24,
    Alps 809T,
    Alps H9001,
    Alps 2206,
    Alps PrimuxZeta,
    Alps N3,
    Alps ZP100,
    Alps 709,
    Alps GQ2002,
    Alps N9389,
    Andorid P8,
    ConCorde SmartPhone6500,
    DJC touchtalk,
    ITOUCH,
    NoName S806i,
    SESONN N9500,
    SESONN P8,
    Xido X1111

  3. Byrd

    SO how is this Googles fault? Google lays out the source code on their website for anyone to DL and tweak. IMO, It is the phone manufactures and carrier providers that created this problem due to the way cellular services are sold in the US. It is in the phone manufacturers and carriers best interest to not upgrade so that they can make more money selling you a new phone, and locking you into another 2 year contract, with the latest OS on it. I realize you make your living scaring everyone that android is not, or ever will be, secure enough for you, but this sounds like just another "Andorid Sucks" article from another Apple Fanboy.

    1. coyote · in reply to Byrd

      He wasn't blaming Google. If you actually read the article properly, you'd note this:

      "The problem is that carriers, smartphone manufacturers and Google all have to work in unison to get an update pushed out to users. And they just don't seem to have enough incentive to pull together in the right direction."

      Note the first sentence in particular. You might also want to look up 'reading comprehension' before you make petty, unfounded, frankly irrelevant accusations. For the record, Android IS less secure but let me tell you something: I hate Apple more than Microsoft and I do not at all like Microsoft. True, I hate Google as well but you know something? I still hate Apple and I know their devices are more secure out of the box than Android. It isn't about liking Apple or not, despite what – you or any one else whose had their feelings (and opinions) hurt – believes.

      1. coyote · in reply to coyote

        Even though many don't care, I do. It didn't work in my head at the time and that is because it isn't right. I clearly meant who's as in who is (or in this case who has). That is, "you or any one else who has had their feelings (and opinions) hurt" instead of whose.

        Edit: Oh, and it should be anyone but that was my fault in the original response; I quoted it as is to show what I was correcting.

  4. Bill

    So stop buy phones from manufacturers that don't update their devices. Buy Nexus.

  5. Simon

    We all know carrier ROM updates take month of Sunday's to be released. Other less popular manufactures are probably not as proactive in delivering updates to their ROM's.

    Technically-minded folk reflash their ROM's with later/generic stock firmwares. Some are not permitted (ie: MDM policies), others are not aware of such publicised flaws and the rest simply don't care…

    Google needs to enforce a new licensing agreement and way of how Android is released/updated by;

    Making any manufacture/ROM maker (or 'publishers' for the lack of a better term) wanting to deploy Android apply for a certificate (license) to become a 'certified' publisher
    Publishers must submit OOTB ROM's and future releases to Google for their vetting and approval
    Publishers must address any vulnerabilities for any customisations they wish to apply before they're approved
    Repercussions enforced and licenses revoked (controlled by certificate revocation-like system) if publishers are found in breach, ie: try to bypass Google's security model
    ROM's from currently licensed publishers can only be installed
    Much like an invalid SSL detected in browsers, those using ROM's from revoked publishers should be alerts that their handset are potentially insecure/at risk of being vulnerable and to contact (insert publishers name here) for technical support.
    Google (much like Microsoft) must be held responsible for the core Android OS and promptly address/fix any detected/reported vulnerabilities
    Android OS updates (like Windows Updates as mentioned earlier) must be released and prompted to install.
    With this regime, like iOS, carriers no longer control the delivery of updated ROM's. If they want to deliver their (albeit mostly unwanted bloatware), they may do so via Google Play, by informing their customers via email/SMS on where and how to retrieve them.

    The above ideas is just 'an idea' and I'm sure there is a thousand other ways to do it.
    Google's 'free range' ecosystem is all well and good in some ways, but it's fragmented state of ensuring it's users are safe isn't.

  6. A.J.

    ". . . The only real solution we can see is a Windows Update-style system that can send centralized updates to every device. . ."
    This style is working very well on my Windows 10 Lumia! Seems like an easy one. I upgraded my Blackberry to an iPhone > to an Android > and now to a WinPhone.

  7. fart

    And have my device become inexplicably useless after a year, forced to purchase a brand-new flagship? nah.

    I don't even want this, Graham Cluley, this is practically the best thing about android.

  8. jm

    after i update the marshmallow update….most of my apps like games are not working anymore..please help

  9. Peter wearing

    As a novice and a OAP it seems to me from all your remarks that this is one more case of rip of Britten and the world.No wunder we are suffering the Likes of the Paris attacks

  10. Pissoff user

    Thank you android for making all electronics useless with your stupid marshmallow update that doesn't allow use of sd card I just wasted $249 on an s2 tablet as a christmas present that will be useless after internal memeory is used. Thank you from all the the loyal users you screwed with your awful update that has reunied so may phones and devices!! Try test your updates more throughly in the future! Thank you for making users buy new products just to build your profits!!! Hope the hell you didn"t vote for Hillary!!!

Leave a Reply to Peter wearing Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.