Google is revising their security policy to force companies to offer timely updates for phones and tablets. Google will be writing in security patch requirements into its agreements with Android OEMs related to Android-based devices. This was revealed at Google I/O this week and the overall goal is to force Android manufacturers to deliver the necessary security patches to their devices.
Why is Google doing this? Wired recently conducted a story about a a pair of researchers at Security Research Labs who put in two years’ worth of effort to discover just how well OEMs are sticking to security patches, and the results are not great. Manufacturers have been lying to their customers for years about issuing timely security updates.
Jakob Lell and Karsten Nohl tested firmware from over 1,200 devices and found that some suffer from “patch gap”, where the device would claim it was up to date but in fact may be missing up to a dozen different security patches. The devices tested were from companies like Samsung, Sony, HTC, Motorola, TCL, and others. It looks like even smartphones from the biggest manufacturers suffer from this issue, too, with Samsung and Sony occasionally missing a patch.
How will this new security policy affect the e-reader industry? There are a growing number of electronic readers with E Ink that run Android and rarely receive any firmware updates, much less updates that add in an extra layer of security. Onyx and Good e-Reader are the only two that regularly push out firmware updates out to enhance functionality and stability, but security not really a big issue.
The lack of security on Android e-readers is irksome to growing number of people. I can’t even think of an Android driven e-ink reader that has a lock screen that requires a password to use, other than the Sony Digital Paper. This means anyone can pick it up and have access to all of your stuff.
The lack of security on e-readers means that there is little to no protection against malware or viruses. Security firm Check Point discovered a new strain of Android malware called “ExpensiveWall” lurking in about 50 apps in the Play Store. They had cumulatively been downloaded between 1 million and 4.2 million times. Even after Google removed the offenders, Check Point discovered a new sample of the malware in Google Play (which got removed as well) that had quickly racked up more than 5,000 unique downloads. Meanwhile, researchers at the security firm ESET announced in early September that they had found malicious apps from the BankBot malware family in Google Play. The applications, which had names like “Earn Real Money Gift Cards” and “Bubble Shooter Wild Life,” had malware directly in them and were also built to quietly download additional nefarious apps once installed. The list goes on.
Although people on e-ink devices tend not to play games, which are the main culprit of malware and viruses, there are always hidden threats. My problem is nobody in the entire e-reader industry is really taking security seriously, which is why Amazon and Kobo lock down their ecosystem with Linux.
I do not think the Google policy will have any impact on the e-reader industry. Every single e-reader that is running Android is not certified with Google, because they lack specific hardware requirements such as cameras, GPS, accelerometers and gyroscopes. Most of the devices that run Android are the open source version of Android and use authorized versions of the Google Play framework. There is no binding agreements between Google and anyone who designs and manufactures e-readers.
Michael Kozlowski is the Editor in Chief of Good e-Reader. He has been writing about audiobooks and e-readers for the past ten years. His articles have been picked up by major and local news sources and websites such as the CNET, Engadget, Huffington Post and Verge.