Android Stagefright, Bananas and the Weaknesses of Monocultures - HyTrust

We’ll get to Android Stagefright in a minute, but did you know that bananas used to taste better? If you talk to older folks about things that were better back in the day, one of the things you may hear is that bananas used to be creamier with a stronger flavor. While it may be tempting to dismiss such claims, this is one where things really were better and it is due to the fact that when monocultures fail, they fail hard.

Back in the day, the bananas that people ate in the US were largely Gros Michel, a variety that was more aromatic, softer, creamier and, by most accounts, tastier, with a somewhat thicker, more bruise-resistant but harder-to-peel skin. Alas, Panama Disease, caused by a fungus called Fusarium oxysporum, found little resistance in the Gros Michel strain and mostly wiped out the breed, leading to the end of commercial Gros Michel production by the early 60’s. Gros Michel was replaced by the somewhat harder, blander, less fragrant and more easily bruised Cavendish variety, which in turn is facing its own vulnerabilities to a similar fungus and may in fact follow the Gros Michel off the shelves and plantations and into history. That illustrates the vulnerabilities of monocultures (not to mention the challenges of having a large percentage of your food coming from genetically identical places).

The thing about a monoculture, the practice of growing or producing a single crop often of a single variety, is that it can be so convenient. Many challenges related to interoperability, scale, fungibility and price are at least partially addressed by approaches like monocultures. Done at scale, everything becomes cheaper and easier. The drawback is that when disease or other problems come up, they can wipe out that entire crop. In a mixed environment, the impact of losing a single crop is reduced, but with a monoculture the loss of that crop can be devastating.

Which brings us back to Android, which, with about 80% of the world’s smartphone market, is by far the most popular mobile operating system, with a market share similar to that of the Gros Michel before its commercial extinction. This latest set of vulnerabilities, six of them, reported by Joshua Drake of Zimperium zLabs, leaves an estimated 95% of Android devices (950 million +) exposed to risk of remote execution exploits and loss of data. While security issues in the media are prone to exaggeration, hype and FUD, this particular set of vulnerabilities exploits bugs in Stagefright, a media playback tool in Android, to allow attackers to do things like execute arbitrary code simply by sending a properly formed MMS to the victim. Depending on versions of software and components, users may not even realize they have been hit before the damage has been done.

Google was informed months ago about the vulnerabilities and took steps to address them. The challenge here is that in some ways Android represents the worst of all possible worlds with regard to patching and exploits, a problem that, due to the increasing importance of mobile computing in daily life, will likely become more problematic in the future. The problem is that while the base code used by the vast majority of the world’s smartphone makers all comes from Google, the code that eventually runs on the device in the hands of the consumer is modified by handset makers. Typically the UI is the first thing touched (see Samsung TouchWiz, HTC Sense, etc.), but other areas of the OS are fair game as well. To make things even more challenging, handset makers often also modify the OS load for individual carriers such as AT&T and Verizon.

This means that while Android may face vulnerabilities like a monoculture, it patches more like a much larger number of smaller operating systems, with each handset vendor having to develop patches for its own offerings. Making things even more challenging is the fact that those handset vendors need to test and patch their devices, but often have to deal with operator-specific customizations and operator-specific testing and certification before patches eventually reach the devices in the pockets of the consumer.

There is a growing awareness in the Android community of the challenges brought by customization of the OS. Whether this awareness will translate into changes in the way that handset makers deploy the OS on their hardware is a different question – remember that the handset makers are all eager to introduce differentiation (and greater value) via customizing Android as they are all struggling against the prospects of a race to the bottom resulting in zero margins on the largely similar hardware sold by all. After all, how different can little slabs of glass and plastic be, right?

For Android users out there, hopefully carriers and handset vendors will cooperate to expedite fixes. One can further hope that they err on the side of generosity and inclusion with regards to which versions of the OS and which devices to patch – something that is not always the case. In the meantime, think twice about opening those MMSs from people you don’t know and enjoy this Harry Chapin song about a truck driver and some bananas.
