Not running Froyo? Careful what websites you visit

Last week,, security researchers at Alert Logic released the code to exploit the Android WebKit browser on phones and devices running Android 2.1 or earlier.  The exploit isn't the most serious issue ever released -- it appears to give someone running a webserver and listening on a certain port the ability to see your browser and media scanner history -- but it needs fixed, and quickly.

Which is why Google fixed it -- in the Spring when Froyo was announced.  Apple fixed it, too.  I can't find any documentation, but I'm pretty sure HPalm did as well.  I'll talk about it a little deeper after the break. [CIO.comThanks Dave!

I use Linux, so I might be a bit jaded,  I just wanted to say that up front.  I imagine that a number of exploits and security holes were discussed and made public this week at HouSecCon -- a security conference held in Houston.  I expect application vendors, Linux kernel maintainers, Microsoft software engineers, Apple engineers, and anyone else involved in creation of software to be hard at work patching them, including the folks working on Android.  Anyone using Windows, or Mac OS, or Linux will soon be getting those patches in the form of OS updates.  Companies like Adobe or Mozilla will have patches out to us soon as well.

Mobile is a bit different.  iOS users will have to wait a bit longer to patch any holes in the OS if needed, but once it's done, Apple will roll it out and everyone can take an hour and update if they choose to.  Google will get an update out OTA to Nexus One users if needed, and have all the patches committed to the codebase.  Because of the complexity of a mobile OS, it might be a month or so to get any of these patches, and I can live with that.

But what about the carriers?  If I go out today and buy an Android phone, there's a very good chance it won't be running Froyo.  Depending on the model, it may never be running Froyo.  That means browsing the internet with the built in web browser is not safe.  Yeah, I said it.  The flaw is in the Webkit code, so it's possible that third party browsers are unsafe as well.  What do the carriers expect us to do, since they aren't currently offering any alternative?

Proprietary app stores, and bloat are annoying.  Many call it fragmentation when carriers get their hands dirty and monkey with the Android source code.  I call that choice -- choose with your wallet.  This is a bit different.  I'm calling you out, carriers -- how are you going to take care of all your subscribers with phones you can't or won't update, are still in the midst of a long and expensive service contract, yet can't use the internet without exposing themselves to security issues?  What about those phones on your shelves?  Leaving your users hanging is just wrong, and any that are proactive and take the steps to fix these sort of things themselves are left with a very expensive phone without a warranty.  Step up to the plate and earn some of that money you're making from us Android users.

Any of you out there that have had enough and are ready to fix things yourselves, jump into the forums.  There's a really good reason to root now.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.