How the Stagefright Bug is Improving the Android Ecosystem

A week and a half following the public announcement of the Android Stagefright bug and already some Android devices are receiving updates pushed by the wireless carriers. The Original Equipment Manufacturers (OEMs) are climbing aboard as well, promising regular security patches.

Back in April, when the researcher Joshua Drake first discovered the Android Stagefright bug, Drake revealed the bug to Google and provided Google with security patches, agreeing to a 90-day embargo period before announcing the bug publicly, sufficient time for Google to roll out a security fix to all Android phones.

However, the announcement of the Android Stagefright Bug following the 90-day period – with no security patches rolled out, highlighted a much larger, security challenge within the Android ecosystem: the lack of efficiency and speed of security patches filtering down to users – a result of the many layers between code fix and patch release.

The Android operating system (OS) is developed by Google, while the phones are produced by a host of manufacturers including Samsung, LG and HTC. The Android OS code changes are developed by Google, and then have to work through the hierarchy of OEMs such as Samsung, LG and HTC who in turn need to integrate the changes with their customizations. In some cases, the OEMs can then release the patches directly to the devices through their automatic update systems. However, in the US and other countries where the wireless operators heavily customize and rebrand the devices, the patches must continue through the hierarchy of wireless operators like AT&T and Sprint who have their own patch approval and release process.

The Android process is in sharp contrast to the competing Apple/iOS ecosystem where Apple rules the patch release process with an iron first. There are no intermediate OEMs and the wireless operators have little to no control over patches.

Now, 11 days following the announcement, already patches are pushed onto devices. Sprint released a fix for Galaxy S6, S6 edge, S5 Note edge, Nexus 5, Nexus 6 and Galaxy Note 4. AT&T is following suit with fixes pushed to Galaxy S5, S5 Active, Note 4 and Note edge and Alcatel will be releasing a patch soon.

The discovery and ensuing publicity of the Android Stagefright bug appears to be pushing significant improvements to the process. Google looks like they may have finally woken up to the fact that security patches require priority treatment, and is now promising a monthly update for its Nexus devices (the article also mentions that HTC, LG, and Sony will be releasing Stagefright patches, though there is no mention of delivery dates from these manufacturers).

In the same vein, Samsung announced new monthly updates for security fixes.

The relative speed with which AT&T and Sprint announced their patches seems to indicate that they have gotten Google and the OEMs to turn the patches around quickly, or they took matters into their own hands, and applied the patches directly to their local existing customized firmware. Either way: if done correctly and with adequate testing, this is a major improvement of the Android ecosystem and a net win for the consumers.

For additional information on how to secure your Android from the Stagefright bug and other vulnerabilities, see Stagefright: How to Secure your Android Phone in 2 Simple Steps.