It's annoying that the media continues to incorrectly spin Android's security updates problem as somehow caused by its open ecosystem (which itself barely meets the definition of open) and implying that Apple's closed system is the solution.
GNU/Linux distros are free open source software, and don't suffer from these sorts of update problems. Many distros have special high-priority security update channels that are enabled by default.
Please, call this out if you have friends writing / spreading such nonsense.
> It's annoying that the media continues to incorrectly spin Android's security updates problem as somehow caused by its open ecosystem
That isn't "spin". Android's ecosystem is (largely) controlled by the phone carriers in this context. Their "open" system is a fractured jumble of closed systems with indifferent maintainers.
If Google took it up, Apple's method here would be a solution. Were Google to force carriers into supporting security updates on Google's terms, we wouldn't see this kind of issue.
Nobody making the Android/iPhone comparison in this context cares about "openness". That's largely a foregone conclusion on both devices. They care about the effective and timely distribution of security updates.
> GNU/Linux distros are free open source software, and don't suffer from these sorts of update problems.
Why on earth would NPR compare Linux distributions (which the general public has basically never heard of) to smartphones? It might be "more accurate", but it's not an accessible comparison.
> That isn't "spin". [then some correct statements, but not relevant to spin]
See also my other comment about words having false connotations, regardless of intent.
> Nobody making the Android/iPhone comparison in this context cares about "openness".
I don't know why you just assert this so nonchalantly. Clearly some people care, because they keep repeatedly associating closed systems with security update mechanisms, even though we have plenty of open systems with relatively good security update mechanisms. That is in fact my whole point; other people keep veering off on a tangent.
> it's not an accessible comparison.
What is "accessible" is very transient, dependent on the environment and cultural background. Those of us who are interested in balance and accuracy have to make it accessible. Not doing so is irresponsible.
Um... I don't think the article in question does this. It seems to describe the issue accurately: Updates are dependent on fixes being pushed out by device manufacturers and network carriers.
"Android phones are very different from iPhones, for example. Apple runs a closed system. It controls the hardware and software, and it's fairly easy to ship out a major revamp. The company says 85 percent of iPhone users have the latest operating system, iOS8."
The fact that Apple runs a closed system is not relevant to Android having poor security updates, as is evident from how GNU/Linux distros work - yet these things are mentioned next to each other, as if they are related.
(edit: lots of people missing the point here. Media articles can equally point to free open source software GNU/Linux distros as having relatively successful security update mechanisms, yet Apple's closed ecosystem is always given more focus as the contrasting example to Android's; why? It is not the closed property that makes a security update mechanism successful, yet that is the implication.)
(edit: this is how weasel wording works; statements of fact, which may be individually correct, are placed together in suggestive positions, so that the non-cautious reader walks away with a false understanding of a more complex point, but this allows the author to deny responsibility for it)
Other media articles have similar weasel wording. I'm not commenting on the author's intent - e.g. they may just be repeating the dominant narrative on this - however the wording has misleading connotations regardless of intent.
You still haven't made a case for that being wrong.
This isn't that hard:
Bug in iOS:
1. Apple releases a patch
2. All users of supported devices can install it
Left hanging: people with old devices (minimum age approaching half a decade)
Bug in Android:
1. Google releases a patch
2. Many Nexus users can install it immediately
3. Everyone else has to beg dozens of manufacturers to ship an update for a device which brings no further revenue to the hardware manufacturer
4. At least in the U.S. everyone then has to beg carriers to ship an update to existing devices rather than using this as a chance to push you to upgrade to a $$$ new device and extended contract lock-in
Left hanging: everyone who doesn't own a recent Nexus device. Minimum age: negative – devices without the current OS will be sold to users months after release.
Note that absolutely none of this is Android's fault technically. It's only Google's fault to the extent that they naively believed everyone else would be responsible and neglected to have this license require updates, unlocking after dropping support, etc.
> It's only Google's fault to the extent that they naively believed everyone else would be responsible and neglected to have this license require updates, unlocking after dropping support, etc.
Otherwise known as "entirely their fault". It was very evident that this would be the case, as it was always the case before. Left to their own devices, OEMs and carriers will not approve updates because they simply don't care and have zero motivation to.
It happened with Treos, Nokias, and BlackBerries. It didn't happen with Apple because they used their clout to strongarm carriers into playing by their rules, and they are the OEM.
Google deliberately went buddy-buddy with the carriers to saturate the market as much as possible in response to the iPhone, and the concessions they made to do so are part of the reason Android devices still have this problem.
There was absolutely no reason to assume that anyone would "be responsible" if left to their own devices. It was not naivete, it was a calculated tradeoff to grant carrier control over user security, to give carriers a reason to promote Android over iOS. Google did a lot of things right with Android, this was not one of them.
infinity0's point seems to be that a more fair reporting would be: (1) here's the problem with Android's ecosystem [was included] (2) here's the solution with Apple's ecosystem [was included] (3) here's the solution with OSS distros' ecosystems [was NOT included]
I think it's fair to take umbrage that an intelligent but uninformed reader could very easily walk away from that article with the conclusion that "If Google ran Android more like Apple runs iOS, then Android would be more secure."
Which itself is probably true, but far from the only solution. And indeed, probably the least free (speech) solution.
I understand the argument but it's very weak because open source projects have the same fundamental problem and we have something approaching two decades of security problems caused by it. The underlying challenge is that anyone can ship a copy of something without making a binding commitment to ship updates.
Point 3 is only true if you cherry-pick “OSS” to mean “People who installed Red Hat, Ubuntu, Debian, etc. themselves and religiously install updates”. OSS also includes things like the various forks and boutique distributions which started drifting behind, all of those insecure libraries where someone installed a copy of OpenSSL, libtiff/libpng/etc., or almost any PHP app, and never came back to update it.
This problem is only going to get worse as the IoT gold rush continues and all of these “Two EEs and a web developer” companies ship a device shortly before folding, being bought out, etc. and there's no indication to the customer when it's no longer safe to have that device on a network.
Note that this isn't saying that open-source is insecure – the same problems routinely happen with commercial software, too – but rather that it's not a magic wand for solving the problem. Apple ships updates promptly because their reputation depends on it, which is the exact same mechanism which keeps Debian, Red Hat, Ubuntu, etc. going, too, but that approach doesn't work in the case where the real customer isn't the person using the device. As long as Samsung keeps Verizon happy, they only care about the user experience to the extent that many people would choose to buy another not-Apple device instead of theirs.
Ultimately, I think we really need legal changes to ban corporate attempts to shirk liability for flaws in their products and sharp restrictions on the ability to prevent users from securing their own devices – something like a vendor being required to publish the full source, build toolchain, hardware unlocks, etc. if they go more than a couple months without releasing a patch for a known problem in a particular device.
This is my big irk: Shirking liability. Google, and its fans, spend a lot of time blaming everyone else for the problem. It's the OEM's fault, or it's the carrier's fault. It's dozens of other companies' fault that Android is insecure. But nobody wants to hold Google liable for developing a platform that they distribute in a manner that is completely insecure.
Google sets the terms by which it does business with OEMs. And yet, they've never been held to blame for the bad experience that users get due to this model. Google uses these terms to protect its monopoly dominance, by mandating OEMs install 20 or so proprietary Google apps, but not to do anything really valuable to the customer, like mandating a security patching methodology.
> Ultimately, I think we really need legal changes to ban corporate attempts to shirk liability for flaws in their products and sharp restrictions on the ability to prevent users from securing their own devices – something like a vendor being required to publish the full source, build toolchain, hardware unlocks, etc. if they go more than a couple months without releasing a patch for a known problem in a particular device.
Agreed, and imho this is in practice where Android differs from OSS as I referred to it.
Worst case, if you're running a non-Redbuntianwarint distribution, then you still have much better access and separation between components. Admittedly in practice almost no one avails themselves of the ability to build from source. But that's not the point.
The point is that someone can do so, and distribute that to others if they want it.
With Android, that prospect on {random device X} gets a lot more tenuous. Either because there are hardware security locks to prevent you from doing so or because there are missing or unavailable pieces that are included in the official manufacturer/carrier's build.
Great comment. Who now is liable for the damage caused by hacking Android phones with this vulnerability — Google, manufacturer, carrier, or the user?
Perhaps as we get more physical hacking events that are easy for the media to cover, companies will start taking this seriously. If so, I'll guess that Google will assume that responsibility in exchange for more Apple-like control over the update process. There's no other sane way.
My instinct is that liability should go to whoever you paid: if you bought a phone from Verizon, they should be responsible for the device and do whatever they need to with the vendor without involving you in the process. If you buy the phone directly from Samsung, Motorola, etc. they're responsible and should negotiate appropriately with Google for the support they don't want to do in house.
Most of the problem is that the general cycle for Android is a decent base OS which has two levels of middlemen adding cruft to it mostly for marketing reasons, and that's as bad as it is because they're only looking at potential income. Not letting them dodge liability changes that calculation in favor of either not obstructing the update process for branding reasons or, if they really think their custom UI is such a great selling point, actually hiring enough people to support it responsibly.
They don't mention (4) here's how Microsoft solves this in Windows, or how Tesla solves the problem, either, and I don't think they need to. This text is about the problem of updating a billion phones, not of updating all other kinds of stuff.
I don't see how they would have to cater for what their readers infer from this text about open source at all, as I can't find any way they even suggest that Android is open source.
The only reference to 'open' I can find in the text is "open an attachment or download a file that's corrupt.". The closest I can find to "Android is open source" is "Google gives its latest version of Android to manufacturers, and they then tweak it as they please.".
I think anybody who makes the jump from that to 'they can tweak it because Android is open source' also knows enough to not make the further jump to 'open source is dangerous'.
> 3. Everyone else has to beg dozens of manufacturers to ship an update for a device which brings no further revenue to the hardware manufacturer
> 4. At least in the U.S. everyone then has to beg carriers to ship an update to existing devices rather than using this as a chance to push you to upgrade to a $$$ new device and extended contract lock-in
The solution is for Google to pay manufacturers (or share revenue, however you want to put it) to update all existing phones:
- Google is accountable for shipping the bug. They should pay the costs.
- Google is currently taking almost all the profits. Android phone makers, as we've all read, are running on thin margins, if they aren't losing money. The media stories that say Apple makes 95% of all mobile profits fail to include Google's profits.
Google not doing this is, IMHO, an ethical breach and putting profits before users greed. What shinratdr said.
Not that there aren't issues that get through (like this one, I believe), but you forgot:
1a) If the issue can be fixed and/or worked around in Play Services, Google does that and "everyone" gets the fix without even having to explicitly install it.
3b) For each OEM, if the problem can be fixed/worked around by updating the apps and/or frameworks they publish via the Play Store, they do that (if only for the sake of new and upcoming devices) and all of their customers get it once they install those updates.
Those cover a large (and growing, because Google and the OEMs are both aligned on this) chunk of your "left hanging" users.
It's true that there are sometimes workarounds but they're only relevant to certain cases. This bug appears to be a good example of why you can't rely on being able to fix most or even the most severe ones with that approach.
#3b is particularly optimistic since that assumes an OEM will ship updates promptly and that's been the underlying problem here since day 1. It particularly wouldn't help if, say, a vendor ships an update for their flagship Android 5 devices which doesn't run on the 4.x devices which most all of their users have and will never receive an upgrade to Lollipop.
> Everyone else has to beg dozens of manufacturers to ship an update for a device which brings no further revenue to the hardware manufacturer
I wonder why the manufacturers even lock the phones if it brings no further revenue. They lose nothing if users were able to pull the updates directly from Google.
> I wonder why the manufacturers even lock the phones if it brings no further revenue.
Because a Google update that conflicts with their own customization and borked the user experience would cost them future revenue, since it would reduce the chance that the user would buy a phone from them in the future.
It is relevant: Apple's system is closed against meddling by lazy middlevendors as well as against the likes of us. If Apple decides that you should upgrade (or not) there's little Deutsche Telekom or Verizon or any other middlevendor can do about it.
That it's closed against us is not nice at all, but being closed against Deutsche Telekom and Verizon and such is a feature, not a bug.
How is that 'weasel wording'? That's an accurate statement of fact. The article never calls Android 'open' and doesn't blame the issue on the openness of the ecosystem.
The issue is described fairly accurately.
It would however be nice if the article brought up the point that the issue could be mitigated if users were allowed to actually control the software that runs on their phone (without hacking around restrictions). Instead most users are reliant on the device manufacturer seeing the financial incentive to provide updates.
> Instead most users are reliant on the device manufacturer seeing the financial incentive to provide updates.
Most users are reliant on this regardless. Few people possess the technical ability, much less time, to perform these tasks. Making the platform "open" and pointing to that as a solution would also be a way of weaseling out of that responsibility to users.
The number of people who could use a fairly simple third party to update their operating system on their phone is much, much larger than the number who can figure out how to obtain root access or unlock their bootloader using a technique that varies depending on exact model number and firmware version.
Obviously there are users who will be left behind, but that is an issue for novice users of ANY free and open source software.
In practice, the situation is not directly comparable to Linux distros; Android vendors produce closed Android forks for each phone, and update these seldom and late. If someone was doing this with Linux distros, they'd be similarly nightmarish, security-wise.
Certain distributions may not have the exact same update problems, but Linux as a whole sure as hell does; being free and open source fixes nothing by itself. The inherent insecurity of an abandoned OS over time is one of the largest issues with the whole Internet of Things device trend.
I both heard the story this morning and read the article, and the intent didn't sound to me (admittedly, and obviously from participation here, as someone in the tech industry) like it was open vs closed, but more that Apple's ability to immediately address issues that arise like this is a result of their closed nature, but with Android's open policy, everyone from Google to HTC|Samsung|LG to Verizon|Sprint|AT&T gets to touch the code, and because of all these modifications, it will be a while for a fix if one even comes. If anything, the lack of financial incentive to fix anything was more the culprit over openness. The worst part is none of it was opinion - that's all completely true. How many phones get maybe one update after being released to the wild?
I agree with a precise interpretation of what you are saying, but I think you are focusing on the wrong problem. The real problem is that Android really isn't an open ecosystem.
Then you didn't read the article; it's a video handling bug; the article notes a difference between Hangouts and other messaging apps in video handling which makes it worse with Hangouts, but the fundamental problem is with video handling, not the messaging app.
On the radio they mentioned that a phone's standard messaging app would be vulnerable the moment it downloaded the poisoned video file (prior to the user watching it).
>GNU/Linux distros are free open source software, and don't suffer from these sorts of update problems
Agreed, but I would go further and say that the _PC platform_ doesn't suffer from such problems. You can buy a computer from HP/Lenovo/Toshiba/whatever and later buy an OS upgrade from Microsoft. Ordinary users can do this.