So many good points from +Ron Amadeo

I particularly liked the reminder, based on data, that an arbitrary duration of updates and security fixes (2 or 3 years, 18 months or whatever) does not align with real-world needs.

Yes, the article is based on fear; as some studies have shown, security fears have grown old and no longer tend to lead to action.

So what can be done then?
Some ideas:

– The Open Handset Alliance builds and continuously updates a public repository and test suite of all known Android and OEM vulnerabilities.
Free test apps and websites are provided for everyone to check their device.

– Google extends the requirements for licensing access to Google services: every device must pass the vulnerability test suite for as long as it is still used by xxx.xxx+ users, as measured by the logins counted for the platform versions report.
Access to Google services wouldn't be revoked for existing devices, but security updates for existing devices would become a requirement to ship a new model.

– Google stops pretending that users are safe as long as they install their apps only from the Play Store.
Any Android app can download an external binary or Java class from the web and execute it later: by design, it can't be caught beforehand by static code analysis.
They're safer, but they're not "safe" as long as their device is vulnerable to known exploits.
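The point above is that the downloaded payload is invisible to static analysis; what a store-side or enterprise review can still see is the loader capability the app references. The following is an added example, not the author's code: a small Python scanner that walks the string table of a classes.dex and reports references to an assumed watch-list of runtime code-loading classes (the dex builder exists only to construct a test input).

```python
import struct
# Assumed watch-list (illustrative): descriptors that let an app run code it
# did not ship with.
LOADER_DESCRIPTORS = frozenset({
    "Ldalvik/system/DexClassLoader;",  # load a downloaded .dex/.jar
    "Ljava/lang/Runtime;",             # Runtime.exec of a downloaded binary
})

def read_uleb128(data: bytes, off: int) -> tuple:
    """Decode one ULEB128 integer at `off`; return (value, next_offset)."""
    value, shift = 0, 0
    while True:
        b = data[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def dex_strings(dex: bytes) -> list:
    """Return every string_data_item listed in the dex string_ids table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size/off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)   # length prefix
        end = dex.index(b"\x00", start)                   # NUL terminator
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out

def dynamic_loading_refs(dex: bytes) -> list:
    """Sorted loader descriptors this dex references (empty list = none)."""
    return sorted(set(dex_strings(dex)) & LOADER_DESCRIPTORS)

def build_test_dex(strings: list) -> bytes:
    """Constructed minimal dex: magic + string table, rest zeroed (strings < 128 chars)."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    data_start = 0x70 + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_start + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"  # ULEB128 len, MUTF-8, NUL
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    return bytes(header) + ids + data

# Constructed sample: an app class table that references DexClassLoader.
SAMPLE_DEX = build_test_dex(["Lcom/example/Main;", "onCreate", "Ldalvik/system/DexClassLoader;"])
```

A hit only means the app has the capability; it is a triage signal for review, not proof that the app fetches code.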

#supercurioBlog #security



Waiting for Android’s inevitable security Armageddon
Editorial: Android’s update strategy doesn’t scale, and that’s a recipe for disaster.

Source post on Google+

Spoiler: sensitive work files are not stored encrypted apart from the full disk encryption, which has been exploited with FROST:

https://www1.informatik.uni-erlangen.de/frost
http://www.extremetech.com/computing/150536-how-to-bypass-an-android-smartphones-encryption-and-security-put-it-in-the-freezer

And I didn't know that.

So everything relies on the security of the bootloader, which must be locked.

Via +Amon RA

#supercurioBlog #security #encryption



Android for Work: Demystified
Android for Work has been announced by Google only some days ago and Google promises a secure but also usable way to combine sensitive company data and private data on a single device without incre…

Source post on Google+