Nexus Warrior No More

This is a sore subject. My first smartphone was the Nexus One. My second the Galaxy Nexus. My third the Nexus 4. In need of a new phone and not wanting the Nexus 6’s size I opted for the spec monster offered by Samsung’s S6. It’s a great phone overall. Excellent camera, IR sensor, wireless charging, good enough battery and mostly smooth.

Unfortunately with the AT&T version of the S6 I won’t be seeing the newest version of Android for a long, long time. I’m betting on March 2016. I wouldn’t be surprised if it’s the last major update the phone receives. Anyone want to place bets?

Does Grandpa Need Marshmallow?

Let’s step back for a second and answer a question. Is there really an issue if we don’t receive updates? Does it really matter that most Android users are on an old version? Does Dad, Mom or Grandpa care about Google Now on Tap?

Grandpa doesn’t need to care about Google Now on Tap, nor would I attempt to even show him how it works. I of course want all the new shiny features (particularly granular permissions). However, the only important argument for why we need fast updates rests on security.

As mentioned previously, I have the AT&T S6, the flavor that took nearly 6 months to get 5.1 and finally close the door on the Stagefright exploit. I’m one of the lucky ones. 7.9% of Android users are on the most recent 5.1 release and 1 billion total people actively use Android, leaving at least 790 million people using a phone with a potentially fairly critical security hole. There is some debate, some evidence, and even more evidence about whether Stagefright has actually been patched at all.

This is a problem. You can make all the arguments you want about how Grandpa doesn’t need all the new features. You can say “as long as the general population have Facebook, Instagram, Snapchat, and Twitter they will be fine.”

You cannot argue around the need for security. Basic security is important… especially for a Grandpa who likes to download every email attachment, install any app that looks fun, and click on the ad to improve the speed of their phone.

Can Google Fix Updates In Android?

When I started writing this article, I was contemplating all the different ways Google could handle the update issue. At the end, there are only two options. Google controls all the OS updates across all their devices OR Google rethinks their entire updating infrastructure specifically related to security.

Google won’t be releasing Marshmallow or any future OS update to all of Android at once. Google needs to release the OS and then the manufacturers release the updates to their devices… one way or another. There are far too many variations of hardware for Google to blindly release it to everyone. Google also has no interest in building dozens of different Android variations for the manufacturers. Google does not make much money from Android. In fact, the rise of mobile devices that Google has helped spur has slowly been bringing down their advertising revenue. There are fewer ads on smaller screens.

The larger issue, primarily in the US, is that carriers have their filthy paws on Android and won’t be letting go anytime soon. Google and other major manufacturers like LG and Samsung promise to release monthly security updates. This is great except for the middle-middle-man. Google can release the code. Samsung can then make any needed changes for their device and push it out. Carriers will then sit on it until they make sure it doesn’t break any of their 100 preinstalled bloatware apps. Google can’t have the same level of carrier control Apple relishes in; nonetheless they can and need to do something more.

[Figure: Android software stack]

Google started a trend over five years ago. A trend they need to continue to push. The trend was decoupling core apps and core functions of the operating system. Gmail, the calendar, the messenger, the location services, Google Play services, Chrome and Maps all used to be part of the operating system. They now all update independently, either in the Play Store or on the server side.

Google needs to take it one step further. They need to decouple security from the operating system. During the 2014 Google I/O, Google announced that 97% of Android users are on the most recent version of Google Play Services. Security updates need to be quietly pushed in the backend through Google Play Services. To Google’s credit, many vulnerabilities are already controlled by Google Play Services, which is updated every 6 weeks. However, this largely only covers malware found within their own Play Store.

Google can’t fix fragmentation entirely. Ironically, they can help many of the issues with fragmentation by continuing to separate, or fragment, their core services.

Unfortunately, decoupling security has its own issues. First, it might not even be possible without an incredible amount of restructuring. It also creates a single point of failure. If a vulnerability is found in Google Play Services, a hacker could have full root access. Finally, if security is able to be removed from the operating system, carriers and manufacturers will have even less of a reason to update to the next iteration.

This brings us full circle. If you want the newest version, you have to buy a Nexus, buy a new phone, or switch to iOS/Windows. No other clear option exists and please don’t argue about rooting and flashing a new ROM, this isn’t an actual option for 99.9% of the population. There likely never will be another option for Android. It’s a grim world for someone who just wants to protect their device.

Site: Google Security

About the author

Kael Kanczuzewski

I am the IT counselor for family & friends. I am platform agnostic with a range of devices spanning Apple, PC's and Android.

I am a tinkerer of gadgets, enjoyer of the outdoors, cooker of meals, and brewer of drinks.

  • Kevin Steinike

    Despite not wanting to be THAT guy, your math in the 5th paragraph is not accurate. If only 7.9% of users have the latest version of Android, out of 1 billion users, that means that 92.1% are at risk. 92.1% of a billion is 921 million, not 790 million.
    Aside from this, I think Kael makes some great points. The majority of those billion people don’t care about the latest features, but they should definitely care about security. The flaws people are finding in older versions of Android are alarming, and this article does a good job of showing you that. Great article!