Is Android Fragmentation making the OS as fragile as glass?

What is fragmentation and how does it affect the security of the Android-based devices? Join our podcast here.

Dan Koretsky, our sr. security researcher at Lacoon Security, provides a brief overview of Android fragmentation and its implications on enterprise security.

For those that prefer the written word, here’s a short summary.

Android: The liberal, open source and diverse world that Google has created has allowed a technological version of Darwinian evolution that makes the best platforms and versions even stronger while at the same time killing off the weaker ones.

The most commonly used term to describe Android’s diversity is “Fragmentation”. The Android ecosystem is built up from many different developers, manufacturers and carriers, each with their own input and influence on the phones we use.

Screen Shot 2014-06-20 at 5.36.03 PM

While fragmentation is key to the constant development and variety of Android devices, it’s not without problems. One of the biggest consequences of Android fragmentation is that a vast number of users – numbering hundreds of millions –are left vulnerable to malware and data theft as a result of unfixed vulnerabilities in the code.

Whenever Google releases either an update to Android (small updates, security patches etc), or a completely a new version of the operating system, the code then goes to device manufacturers to be customized with their own tweaks and personalizations. Then, with devices on cell contract, the carriers then get a chance to make their additions.

Not only is this a very lengthy process, but the problem is made exponentially worse by the fact that neither manufacturers nor the carriers feel the need to actually push out these updates and make sure people install them.

Two major security issues have recently highlighted just how serious this problem has become:

  • The Pileup flaws: these code flaws left every Android-powered smartphone and tablet, more than a billion devices in all, vulnerable to malware due to to privilege escalation issues.
  • The Heartbleed OpenSSL bug. Besides affecting millions of servers, the bug affects certain versions of Android 4.1.x (Jelly Bean). Although Android version 4.4 had already been released when Heartbleed broke, a whopping 35% of Android devices were still running 4.1 at the time.

JOIN us for a podcast where we ask Dan Koretsky, sr. security researcher at Lacoon Security, about the different aspects of Android Fragmentation.

Navigate to the podcast.