Most Android devices do not ever receive security updates. Also, most (95%) of Android devices can also be compromised with a simple MMS test message. Google does not have any way to apply the security patches to these devices and the manufacturers / carriers just do not care.
The network of Androids, is basically a domain of unpatched devices full of security holes. If you compare that to Apple’s iOS, when there is a security hole, Apple will just update all supported iPhones with a new version. Even Windows phone are better than Android at accomplishing this.
There was a recent MMS bug called Stagefright, which involved a security hole in Android. Google then creates patches and applies them to Android’s open source code. Google then sends these patches to hardware manufacturers like Samsung, HTC, Sony, Motorola, etc., and this is where the involvement of Google comes to a close. Google cannot force the manufacturers to actually release these patches.
Then, if manufacturer wants to actually apply these patches, they have to apply them to the device’s Android code and build a brand new version of the software for that device. This is a separate process for EVERY phone and table that manufacturer supports. Each manufacturer has to then contact the phone carriers and provide device specific patch to each carrier. This is then where the manufacturers involvement ends. Even if they patch every single device they’re still supporting, which is highly unlikely, they still cannot force the phone carriers to apply the patches.
Carriers can then choose whether or not to send the patched version of the software to their devices. If they do, there’s a pretty good chance it’s only after a long testing period. Even if a carrier still does want to do this, there is also a pretty good chance they’ll only want to test the update on a few ‘newer’ phone and not older devices.
Most Android devices just do not receive the security updates and are left as bait. Google does not enforce the delivery and implementation of the security updates like they do with other things in contracts with manufacturers. Manufacturers create a numerous array of devices and don’t want to be bothered with the work of updating all of them. Carriers then ship numerous different devices and also do not want to bother testing them. They would rather push new devices to customers, than updating old phones. Those security holes were fixed in the latest Android build, this makes the new device secure until another hole is found and then not patched.
Then some say, “What about the ‘check for updates’ feature?”, which checks to see if there’s any manufacturer and carrier approved updates. This is NOT a reliable way to make sure you have the most recent security updates. The way Android updates their software if very broken. There isn’t a way to tell exactly what security holes were patched in your specific device, because you must depend on the manufacturer adding the patch to their build of Android and pushing it out to your device.
Google has tried to remedy this with, but again can only do so much. Any Android device running Android 4.4.4 and older (most Android devices) currently have a web browser which is full of security holes because Google cannot update it. And now, almost all Androids can be compromised with an MMS.
Do you want an actual guarantee of security updates for your phone? Then you pretty much would need to buy an iPhone. When a security hole is found, Apple can then release a patch to every iPhone user at once, and the Carriers don’t even get involved.
When it comes to App permissions, this is another situation where iPhone dominates Android. Basically, Android either gets all of what it wants or none. iPhones have an improved permission system where you are able to pick and choose what data an app can have access to. If you want to use an app, but do not want it to have access to your location, or contacts, or other sensitive data? This can be done in iOS.
As stated, Android app permissions are almost like a demand, you either take it all or leave it. Apps also asked for more permissions than what it really needs in order to function, and you never know when the game you have just installed is uploading your sensitive data to a remote server. Supposedly, Google is working on a permission control to some future version of Android, but that’s too little, too late.
iPhones can actually allow you to control what the apps are able to do on your phone, showing app permissions as a way to control privacy which anyone can understand. This allows you to keep your data as secure as you want it. However, on Android, it is really just up to the app, and you can only control whether or not to use that app.
Yes, Android is an open platform and involves many manufacturers, but so is Windows. Google needs to crunch down and get their platform in order. We will continue to see these security outbreaks get worse in Android until there comes a time when Android starts caring about security and is capable of patching security problems in a quick, and consistent manner, like every other modern operating system.