KitKat is out, but a lot of Android users won't get it

Next-gen Android 4.4 won't be available on current-gen devices for some time


Google has added lots of nifty features in the latest version of Android. Unfortunately, most users of the mobile operating system will have to buy a new phone if they want the latest and greatest technology.


Google released Android 4.4 KitKat Thursday, but how soon users will get the OS will very much depend on either their wireless carrier or the device manufacturer, which tend to move slowly. As a result, some people may never get to use the enhancements in KitKat until they replace their phone.

The update problem has existed with Android since the beginning and most experts agree it presents the biggest security risk to users. Updates always include patches for vulnerabilities, and once the fixes are available, hackers are able to analyze them to find and exploit the flaws.

"We see exploits available in a matter of days after a patch has been disclosed," Adi Sharabani, chief executive and co-founder of mobile security vendor Skycure said. "Attackers are creating these exploits to attack users who haven't updated their devices."

The risk of not having regular updates was cited a couple of months ago in a memo the FBI and Department of Homeland Security sent to police and fire departments. The warning said SMS Trojans, rootkits and fake Google Play domains were the top security threats to out-of-date Android devices.

While experts universally agree that the lack of timely updates is a major security problem, there is no easy solution. That's because Google lets anyone modify Android to fit the needs of their business, which means there are as many ways to update Android as there are flavors of the operating system.


Sharabani would like to see Google make structural changes to the Android codebase, so there are application programming interfaces (APIs) available to update the core OS without damaging whatever software is running on top of it, such as the user interface.

While that sounds reasonable, Tielei Wang, mobile security researcher at the Georgia Institute of Technology, points out that depending on the amount of customization, updating without breaking may be difficult.

"(Even with the APIs) it may not be easy to merge Google's code changes," Wang said.

Sharabani also suggests that Google launch a certification program for companies using Android. Those businesses that integrate Google's update mechanism into their platform would be certified as such. In addition, Google could impose other requirements, such as sending out patches in between OS updates for previously unknown vulnerabilities that hackers are exploiting.

Again, such a program sounds like a good idea, but managing and controlling it would be hard. Android has become the leading mobile OS because Google made it easy for carriers and manufacturers to use it. Changing that model would likely lead to serious discontent.

"Currently, it's almost impossible for Google to ban major manufacturers," Wang said.

Besides the technical difficulties, carriers have a business interest in not making Android updates a priority, Bogdan Botezatu, senior e-threat analyst for Bitdefender, said. Rather than update software, carriers would prefer to have subscribers buy a new phone.

"Instead of delivering fixes, phone manufacturers would rather spend their resources on developing new devices to deliver along with the latest version of Android," Botezatu said.

So for now, Android fans who want the latest update will have to be technically advanced enough to root their smartphone in order to install KitKat. Those who want regular updates in the future can buy their phone directly from Google.

Anything more universal won't come easily.

Copyright © 2013 IDG Communications, Inc.
