In case you missed it, this massive bug in Android got revealed today, and it is quite a doozy. In this vulnerability, the original stock browser lets code from any website read from any other tab, and that other data could be anything at all. Banking information, for instance.
Following through the link to the browser share breakdown, Ars Technica is seeing 20% usage from that same, flawed Android browser, in spite of the push from Chrome. Other browsers could also be using the flawed underpinnings, and you’d never be able to tell.
Unfortunately for everyone, there’s no way to just download an updated browser from the Play Store and be secured. Due to the history of Android, upgrading the built-in browser requires a security update from your manufacturer.
Everything Is Awful
As you may be aware, Android phones have had an extremely spotty history when it comes to software updates. Most of the OEMs range from an update taking months to never being released, abandoning consumers mere months after release.
Compounding the problem is the carriers, who add their own ruination to the phones, ensuring updates take even longer. A case in point would be Vodafone in NZ, who took literal months to release the fix for the Samsung Galaxy SIII bug that would let a malicious link reset your phone. A fix that Samsung had already released.
Tech Elitism and its Victim Blaming
In the wake of this revelation, the Twitter humour account InfoSec Taylor Swift said thusly:
I'm a business with Android phones. OEM has never released an update.
Security vulnerability comes out. I'm supposed to install cyanogenmod?
Go check out the replies, and see the victim-blaming behaviour on display.
As a consumer, we’re expected to do considerable research on which OEM might continue to update our phones in the wake of serious security flaws, hope that our carrier will allow the patch to ship. If we lose that particular draw of luck, we’re expected to be sufficiently technical to root our phones and bear the consequences of bypassing much of the security infrastructure.
We’re expected to know what rooting even is!
This behaviour is victim-blaming because it absolves the OEMs for their anti-security stance, since the consumer should have known better. It absolves the technically capable, because we know better and that information is just out there, the consumer should have learned what we learned, while ignoring the considerable time spent accumulating that knowledge.
I am technical enough to do those things, and have. I’m also technical enough to write software, and that power carries ethical responsibilities; am I comfortable building a tool that I know someone will use to cause harm to others? A tool that I know they can’t build without my help?
What about when the act of building software is what causes the harm?
See, when I ship software for a platform, I’m endorsing that platform. The theoretical tool I’ve made is to be seen by consumers, and if it is a sufficiently desirable tool they are encouraged to join the platform. My actions, without taking into account the behaviour of the hostile OEMs, have caused people harm.
Through my actions I’ve stated that the status quo is acceptable and that it’s okay to produce a platform where security updates can be ignored and carriers can dither for months without releasing updates.
It was seeing others talk about this that made me start to question and wonder if, as a developer, I shouldn’t be holding these companies to do better.