ITEM: The Electronic Frontier Foundation is taking mobile OS vendors to task for not doing enough to secure their platforms, and is advocating third-party patches as a market-pressure tactic to get OS vendors to up their own security game.
An analysis piece posted on the EFF site Friday by Chris Palmer (who briefly worked at Google on Android framework security, according to his bio) says that PC and server OS platforms have become very good over the years at reasonably open disclosure of security bugs and fast distribution of patches to fix them. Mobile OS vendors, by comparison, are way behind the times.
Apple, for example, has been known to release patches for bugs several months old. And Google routinely releases Android patches without announcing them, and with the security fixes unmarked among the other fixes and enhancements included in the release, Palmer writes.
Complicating things for Android is fragmentation, as OEMs and cellcos tend to tweak Android to add unique features and sometimes remove standard ones, says Palmer:
Users may or may not want the new features and the new features may or may not be secure. Their distributions are sometimes based on old and known-vulnerable versions of Android, and they tend to publish updates rarely – or never. As a result, the ecosystem of Android devices is out of date, fragmented, and unnecessarily vulnerable to known attacks. This situation is bad for everyone: users, carriers, OEMs, application developers, and Google.
However, support for third-party security solutions by users will create economic leverage to convince OS vendors to take security more seriously, Palmer says:
Although there is no guarantee that third-party distributors will be more responsive to security problems, and nor is there any guarantee that they will not introduce new security problems, they do have an opportunity to perform better than Apple and Google have so far and to take market share.
Readers representing the mobile OS vendors are welcome (and encouraged) to respond to this post.