Mobile phone security moves in slow motion

The HTC One M9 smartphone.

Apple Inc. is likely to release a new iPhone sometime next month, and according to one rumor, the company’s ordered 90 million of them for sale during the holiday season. How many of those new iPhone owners will be defectors from Google Inc.’s Android operating system?

Perhaps quite a few, after reports of a major security flaw affecting millions of Android devices. Security researchers say that the so-called “Stagefright” bug is a truly dangerous threat. Most affected Android phones are defenseless, and many could stay that way for weeks.

Blame it on the innate complexities of the cellular phone business, and also on the shrewd but risky strategy that has made Android the world’s most popular operating system. But don’t assume that Apple’s phones are necessarily safer, or that iPhone bugs get patched any faster.

Despite its creepy name, Stagefright is a legitimate feature of Android, a piece of software that plays Multimedia Messaging Service, or MMS messages, which are standard text messages with attached sound or video files.

Late last month, researchers at Zimperium Mobile Security in California revealed that it’s possible to attack Android phones using a flaw in the Stagefright software. An attacker would simply transmit a tainted MMS message to the targeted phone. Depending on which version of Android is running, an attacker could take over various functions of an infected phone. In some cases, a victim’s phone could secretly activate the phone’s video camera and microphone. In other cases, the bad guy would get total control of the device.

How many Android users could be harmed by this? Virtually all of them, Zimperium claims — about 950 million. But on Wednesday, Google declared that this is a gross exaggeration, and that 90 percent of Android phones are not susceptible to the Stagefright attack. So it’s only about 95 million victims, tops. Good news, of a sort.

As a stopgap measure, Google urges Android owners to change the settings on their instant message software so it doesn’t automatically display incoming MMS messages. Instead, you’ll get a notification; then you can decide whether to risk a peek.

There’s no evidence that anybody’s been victimized by the Stagefright bug, but it’s just a matter of time before somebody tries. So Google quickly designed a fix for the problem. But for many of us, an update could be far away, because of the way Android works.

Remember, it’s free software, given away by Google to cell phone makers, in a successful bid to extend Google’s core advertising business from desktop computers to mobile phones. But each of the many Android phone makers wants to distinguish its Android phones from all the others. So they use a variety of chipsets, processors, and video screens, then top it off with their custom tweaks to the Android software, all to ensure that a Samsung Android phone, for example, is a lot different from an HTC Android phone.

It’s all good, clean competition, and it’s spawned lots of innovative Android phones. But it makes updating those phones a mighty hard slog. Any new software must be tested by the chipmakers, to ensure it’ll run on their hardware. Then it’s tested by the phone makers to ensure it’s compatible with their customized software. They must also make sure it runs on older phones that the company no longer makes, but millions still use. And after all that, the cellular networks such as AT&T and Verizon must make sure the new software functions properly on their networks.

Put it all together, and these devices have a long update cycle. Microsoft Corp. can push out updates for its Windows personal computer software as soon as they’re ready. Even Google has already patched its own Nexus line of Android phones against Stagefright, because Google helped design the Nexus phones’ hardware. But fixing the bugs in other companies’ Androids can take weeks longer.

iPhone users have it better, because Apple designed all the hardware and software, making it relatively simple to build and test software upgrades and security patches. But even Apple must have its software tested by the phone companies. So fixing an iOS security bug can take a long time, too. “Multiple weeks are minimum,” said Collin Mulliner, a research scientist in mobile device security at Northeastern University.

But the Stagefright scare has hit the Android camp like a 3 a.m. phone call, and people are waking up. Google on Wednesday said it’ll start fast-tracking security patches for its Nexus phones, with new updates every month; the top Android phone maker, Samsung, said it will do the same.

If other big players like LG, HTC, and Sony also get religion, Android could become the safest smartphone platform around. And that could make Stagefright the best kind of disaster for Android.

Hiawatha Bray is a technology reporter for the Boston Globe. E-mail him at [email protected].