Android Marshmallow's best security measure is a simple date

Android security has always faced a daunting challenge — scrambling to get users, manufacturers, and carriers in sync — but the new Marshmallow operating system has a small feature that could make a big difference in that fight. You'll find it in the Settings menu, a header titled "Android security patch level," followed by a date. As of that day, your device is protected with all known Android patches.

Championed by Adrian Ludwig, Google's head of Android security, the date represents a public bet on the industry's ability to keep Android devices updated. "It should make it really simple for users to understand the state of the device," Ludwig says, as part of Android's larger push toward "making sure that security information and patch level information is available to users."

That information won't always be good news. If Ludwig's plan works, most Android users will see a date from some time in the last month, as part of the monthly update scheme adopted by many manufacturers in the wake of the Stagefright vulnerability this summer. But not all carriers have committed to monthly updates, and historically many devices have lagged years behind Google's recommended updates. The update data has never been this public before, and it's still too early to say how carriers and manufacturers will respond to it. If it works, it will spur the Android world into faster, better updates — but if it fails, the readout will be a reminder of just how out of date a given device has become.

Users faced with an old date still won’t be able to force an update on their own, but Google hopes the date will put new pressure on solving an old problem. While Apple can push updates to iPhones whenever it wants, Google has to rely on a network of manufacturers and carriers to make sure users get those updates. Too often, those manufacturers and carriers have dragged their feet. A survey earlier this month found 79 percent of Android devices still hadn't updated to Android Lollipop, released in November of 2014. But while it's a real problem within the industry, most users aren't aware that their phones are out of date. Checking a given phone's update status, a user would simply see a 4.4 version number, with no clear indication that 5.0 had come out. If carriers don’t push an urgent patch, most users have no idea they've missed out.

At the same time, Google has been ruthless about cataloging any available vulnerabilities in Android. Each month, the security team publicly announces a new set of patches, deployed directly to Nexus devices. Android has an open rewards program — offering $8,000 for a critical bug, test suite, and patch — and the Project Zero team regularly turns up new vulnerabilities. That gives Ludwig's team a running tally of what needs to be fixed and how to fix it, and a steady stream of dates for carriers to keep up with. "It doesn't make it easy to meet the target," Ludwig says, "but it makes it easy to see where the target is."

If the date does fall behind, it can also be useful for applications or administrators trying to limit exposure. The date can be automatically queried through an API, so if a company IT department wants to limit access to any device that's too far out of date, it will be able to. Applications can also use the date to build around any vulnerable portions of code, if they know a specific set of users is still unpatched.
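As an added illustration (not part of the original article and not Google's code), here is one way an IT department's back end could enforce such a limit. It assumes a device agent reports the string Android exposes as `Build.VERSION.SECURITY_PATCH` (format `YYYY-MM-DD`); the 60-day threshold, the function names, and the sample fleet are hypothetical.

```python
from datetime import date, datetime

# Assumed policy value (not from the article): maximum tolerated patch age.
MAX_PATCH_AGE_DAYS = 60


def evaluate_patch_level(reported, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return (decision, reason) for a device-reported patch level string.

    `reported` is what a device agent read from Build.VERSION.SECURITY_PATCH,
    e.g. "2015-10-01". Devices that predate the feature have no value to
    report, so the agent sends None or "" and the policy fails closed.
    """
    if not reported:
        return "deny", "no patch level reported"
    try:
        patch_date = datetime.strptime(reported.strip(), "%Y-%m-%d").date()
    except ValueError:
        return "deny", "malformed patch level"
    if patch_date > today:
        # A future date cannot be a real patch level; treat it as untrusted.
        return "deny", "patch level is in the future"
    age = (today - patch_date).days
    if age > max_age_days:
        return "deny", f"patch level is {age} days old"
    return "allow", f"patch level is {age} days old"


def audit(devices, today):
    """Map device id -> 'allow'/'deny' for a fleet inventory."""
    return {dev_id: evaluate_patch_level(level, today)[0]
            for dev_id, level in devices.items()}


# Constructed sample inventory (device ids and values are illustrative).
SAMPLE_FLEET = {
    "nexus-01": "2015-10-01",
    "tablet-07": "2015-06-01",
    "legacy-12": None,
    "odd-33": "October 2015",
    "clock-skew-02": "2016-03-01",
}

if __name__ == "__main__":
    for dev, level in SAMPLE_FLEET.items():
        print(dev, evaluate_patch_level(level, date(2015, 10, 7)))
```

Because the value is self-reported by the device, a check like this is a hygiene gate rather than proof of patch state.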

Still, Ludwig is optimistic that Android users will soon start to see faster patches from the top down. After years of putting pressure on the ecosystem, he sees manufacturers and carriers finally shifting toward better security. "We see them changing the way they do business in order to satisfy that," Ludwig says. "I think in the next few months, we'll see many many devices being updated on a monthly basis."

Published: Oct 7, 2015