HTC vulnerability exposes private data to unprivileged apps on its Android phones →
This is pretty bad.
One of Android’s biggest problems is the lack of OS updates after each device is sold, since both the manufacturer and the carrier need to approve each update, and neither of them cares much about dumping money into enhancing “old” phones.
In addition to the long-term customer satisfaction issues this causes,[1] it’s also a potentially huge security risk: if a serious vulnerability is discovered in a released version of Android and Google issues a patch, vast numbers of phones in the marketplace might stay unpatched for weeks, months, or the rest of their service lifetimes.[2]
In this case, the problem is in HTC’s code, not Google’s. That’s probably worse: HTC is a hardware company that barely makes software, so they’re unlikely to have any mature process in place to create and deploy security patches quickly, and they’re unlikely to care about it as much as Google would.
This must bother Google immensely, and it’s probably one more reason why they want to (and should) “close” Android, prevent manufacturers and carriers from mucking around with low-level services, and take control of updates and deployment.
[1] For the remaining Android customers whose long-term satisfaction hasn’t already been burned by poor battery life.
[2] Google narrowly dodged this fate with a less-severe issue by issuing a server-side fix, but very few vulnerabilities can be fixed that way.