Step into my time machine, and go back to May 20, 2010, with me. That was the day Google released Froyo to the world with much fanfare and cheering. I think a few little old ladies may have even cried. In any case, we all were excited and looking forward to the day we could have some frozen yogurt for our Android phones. Now back to today, and things still look about the same -- a year and a few days later and manufacturers are still shipping phones with Froyo, even though Gingerbread has been available since December of last year. We're not talking about phones that languished forever and a day without getting an update, that's just as ridiculous, but best saved for another day. This is about new phones, still being shipped and sold with a year old codebase -- and known security issues. Hit the break and read along.
I'll let that last bit simmer for a second -- shipping with known security issues.
Forget about the bugfixes. Forget about the improvements to rendering and partial GPU acceleration. Forget about enhancements for certain CPUs. Think about this instead: On any version of Android prior to 2.3.3, a potential troublemaker can intercept and read your Google Calendar and Contacts on any open Wifi network, and a truly dedicated one can impersonate you at Google. This isn't hype or scare tactics -- it's real, and pretty damn easy to do for more than a few people. Without getting into too much detail (we're not a zero-day exploit site after all) it's something that shouldn't have shipped in the first place, but to Google's credit it was fixed shortly after discovery and made available to OEMs months ago. But you likely haven't seen it yet, unless you're using a Nexus device or a good custom ROM.
There are other, less dramatic security fixes as well. That's part of the reason Google updates Android with version bumps like the one from 2.3.2 to 2.3.3. But maybe sidejacking and authToken bugs don't matter to you. You just use your Android phone for fun and could care less if some loser in Starbucks wants to see your calendar. To you I say one word: GTalk. That Samsung Droid Charge you just bought has a really cool front-facing camera, but you're stuck using Qik or Tango while Google has made GTalk ready, willing, and able to video chat with other Android phones and any computer with a camera (even Linux this time). And even to an old tech dinosaur like myself, it's fun. Phones almost six months old can do it, but your brand new one can't. And there's a good chance that the next brand new one to hit the shelves won't be able to, either. And the worst news? When Ice Cream Sandwich is released, we get to do this all over again.
Maybe I'm a geek, but the answer seems simple to me. If manufacturers want to fork Android, and carriers want to purchase those forked phones, they are responsible to keep you up-to-date, both with critical security patches as well as software enhancements. Forget Google, they are only responsible for two phones, and both are up-to-date. They have made the patches, and added in the features, but Samsung, Motorola, HTC and the rest don't seem to understand the importance of getting the updates out. If they can't do that, they have no business forking around with the codebase, then locking up the phones like a Chinese puzzle so you can't fix it yourself. That's how open-source works -- when the folks behind Debian Linux find a critical bug and issue a patch, the folks behind Ubuntu and other Debian forks quickly issue one of their own. If you've built your own system, you get the code fixes and build your own patch. It's the only way open-source can work. It's the way Android was designed to work.
The folks at Google know this is an issue. They have even assembled a team of people from carriers and OEMs with a plan to keep new models updated and current for 18 months. If this works as planned, it will be just what we need, but my skeptical side sees this getting mired in excuses and red tape. Unless Google does it for them, it's going to cost money, and nobody likes to spend money unless they have to. This is another of those times where I want to be wrong, we'll see. I also hope another mandate of this program is getting the current version on the phones before they ship -- Google use your heavy hand and make that a requirement of getting your apps and the Market bundled in a phone or tablet, please.
There are a few things you can do to get out of the old OS rut. Buy a Nexus phone to always be up to date. Or buy from someone like Sony Ericsson, who hopefully learned from their past and are shipping phones with Gingerbread (although not the latest version) and allowing consumers to unlock and update them at their own pace if they like. Another option is asking your carrier for a fix, but that's just going to lead to a lot of finger pointing and shoulder shrugging -- might as well ask the man in the moon because they can't do anything about it. And of course, you can always root your phone and own it, provided you were lucky enough to get one that's not sealed up like a pickle jar and feel comfortable doing it.
The only real solution is to stop buying new phones until the carriers get the message, because they can pressure the manufacturers in ways you and I can't. I just signed a contract with T-Mobile to keep the rates and plan I have for at least two years, and got a pair of LG G2X's for my troubles. They shipped with Android 2.2.2, and it leaves a bit of a bad taste in my mouth that I have to void the warranty and root them to get them current. I don't expect 90 plus percent of the users out there to do the same, and they shouldn't have to.
Get with the program manufacturers, or risk losing your most hard-core users.
For more information on sidejacking and Android: Freedom to Tinker; ULM University