In other news, Google stopped fixing security bugs which cover 60% of the current Android users (4.3 or older). Not saying Microsoft is right, but they just dropped Windows XP support last year (that is >10 years of support).
Thank the carriers for being jerks for that one. I know the last time this article came up I took a hard line on them, but upon further reflection, it's not like they can just write a patch and have it out in a week. Heck, it takes months for point releases to go through acceptance testing at the carriers, and probably not insignificant amounts of cash.
At least they're starting to own more of the ecosystem. I wouldn't expect this to be as big of a problem on newer devices.
Carriers not rolling out updates a) doesn't waive Google's responsibility to roll out patches to their largest OS cohort and b) is really all Google's fault because they let the carriers get away with it and have never reined them in even after years of incompetence on the carriers' part.
Look into the "Open" Handset Alliance (especially findings from the SkyHook lawsuit) to see how much control Google actually wields over manufacturers. Google controls what software and services are bundled with handsets (see SkyHook). Google prevents manufacturers from creating competing Android devices using forks of Android (see Acer; that's why the quotes around "Open"). If it cared at all, Google could easily require manufacturers to provide regular updates.
See the beauty of the situation is that they are all at fault. However, only one company makes the core OS software these hardware manufacturers run on.
Perhaps if Google provided the update and the pressure could be put on the manufacturers to roll out the update to their paying customers...?
That assumes that you can make enough consumers with these (relatively) older devices care loud enough for any "pressure" to be applied to the manufacturers.
Security updates aren't sexy and don't get applied unless they include shiny things along with them.
Right now, the customers have zero power because Google and the manufacturer simply point fingers at each other as to who's to blame.
Releasing the update gives the customer power to press for pushing their manufacturers.
The whole model where carriers or manufacturers can send updates is ridiculous. Carriers update baseband. Manufacturers should defer to Google for Core OS updates and Google Play. The fact that they're even involved is simply a recipe for disappointment.
It's bad for everyone because compromised machines simply reward and embolden the criminals which will eventually increase the harm to everyone who isn't a criminal.
No. They are not all at fault. The only ones responsible for updating their phones are the companies supplying the phones. There is nothing stopping Samsung, Sony, HTC, LG from creating and submitting a patch to AOSP and they are the ones who actually have a responsibility to their customers to do so. There is also very little stopping them from updating their phones to 4.4.
> is really all Google's fault because they let the carriers get away with it and have never reined them in even after years of incompetence on the carriers' part.
You are again blaming Google for the carriers' policy of updating phones not even belonging to Google. Do you really think Google is involved with a carrier's agreement to carry Samsung phones?
Last time I checked, Nexus phones can also be updated without the assistance of the carrier.
It's not Google's product any more than it's the Linux Foundation's product. Both are just organizations with software built into somebody else's product. Nexus phones purchased from Google are Google's product.
Separately, complaining that the vulnerabilities are unpatched in Android is a rubbish argument. They are fixed in the latest release.
I can't fault Google for that. They've released subsequent versions of Android that have fixed the vuln in WebViews.
Also, they took a major step in Android L by removing the WebView from the Android Framework and distributing it via the Play Store, thereby, enabling them to push security updates to all newer devices without the devices themselves having to update to a newer version of Android to get security fixes.
Microsoft also released subsequent versions of Windows, but they still keep updating old ones.
I don't understand why Google hasn't built an update process for Android in the first place. Everyone knows the OEMs won't update if they don't have to.
I consider Google with Android to be in a similar position to the Linux kernel on my servers. I don't expect any of the kernel team to produce a patch for my 2.6.18 kernel I am running on a RHEL 5 system, I expect Red Hat to do that.
Why doesn't Samsung / LG / HTC manage Long Term support for Android versions, back port the patches and roll them out? Alternatively why don't they all pool together and manage an LTS version for customers.
It seems crazy that the company that has a relationship with the customer doesn't have to support the customer, and everyone instead blames Google who wrote the code. The Android vendors could back port, create alternative patches or simply make the device able to be updated to a more recent version.
Google is not responsible for supporting Android. Android is fully open source, and OEMs are responsible for their devices. AOSP is distributed under Apache 2.0 license https://source.android.com/source/licenses.html which stipulates there's no warranty or support.
Google supports Play Store and related services, but WebView on 4.3 and older is not part of that.
Android is "fully open source" except that Google writes 99.999% of the code in secret. Rarely they will accept a pull request but there is zero transparency into that process.
One thing to note, more and more of what constitutes the Android user experience is being pulled into the Google Play Services app which is closed source. A big part of the reason why is that it gives Google a better negotiation tool to use with carriers as they have to license the use of the Google Play platform and that isn't really optional in modern Android right now. AOSP has been left behind not in support but in more and more features of "Android" being closed source. Another huge benefit is that tons of bug fixes that would have required coaxing carriers into supporting a software update on the phones can now be applied just by patching Google Play Services and rolling it out as an app update.
Why does Google still rely on the carriers, even though they have known for years that they don't have an interest in updates? They could easily implement an update mechanism for the core of Android, like they do for app updates as well.
When I buy a laptop from HP, Dell, Lenovo or any other OEM, I still get Windows updates (even if I don't upgrade to the latest Windows version). I would really like to know why it is not possible for Google to implement such an update system? Blaming carriers is easier, I guess.
That's exactly what they are doing, although perhaps for two-fold reasons. More recent versions of Android move more and more core stuff into the Play services. This enables Google to push updates to core services like normal app updates. It also ensures that a lot of core APIs are covered by services only available on phones licensed with Google.
I'm honestly not sure what you're talking about. Android does have a system update mechanism. You go to Settings -> About phone -> System updates.
If manufacturers / carriers change that to check for updates on their own servers, rather than Google's - which they can do since Android is open-source, and so they all do - then that's how the system update mechanism will work.
I don't follow what you're suggesting Google could do about that, apart from moving more and more OS functions out of the core OS and into Google Play Services. Which is exactly what they've been doing.
Aka, no longer part of Android. The millions of users without Google Play will have an even less functional OS than they used to, all in the name of greater control by Google.
[1] http://arstechnica.com/security/2015/01/google-wont-fix-bug-...