New version of Android out

I don't think I will surprise anyone by saying that there is a new version of Android out there:  4.3.

And so, we will have everyone all worked up about it, and wondering when they will get this on their phones.  (which I can understand.  Both my phone and tablet are still at 4.1.2).

I guess it's a good idea to perhaps review all this.

First off, it's funny people are getting worked up about 4.3, when it's not a "major" upgrade (i.e., 5.0), tho Google hasn't been too consistent on this.  It's still Jelly Bean.

Let's tackle that.  Android OSs have both a number (3.0, 4.1, etc) and a codename.  Which is interesting, because codenames are usually internal and not used outside a company.  The codenames so far have been:  Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, and Jelly Bean.  If you haven't guessed yet, they have 2 themes:  they are desserts and they are in alphabetical order.  So the next one will start with a "K", and rumor has it, it will be "Key Lime Pie".

Now, the version number is a bit confusing.  The first number is usually the major version (1.x, 2.x, etc), the second number the minor version.  But sometimes a minor number gets a codename as well.  4.0 was Ice Cream Sandwich, whereas 4.1 on has been Jelly Bean.  A better example is that 2.0 and 2.1 were Éclair, 2.2 was Froyo, and 2.3 was Gingerbread.  Rumor has it, Key Lime Pie will be 5.0.

The second thing has to do with upgrades. 

Now, in the PC world this is sooo easy.  (well, to a degree).

Microsoft makes the OS.

Then you have many manufacturers who make the PCs.  HP, Dell, Asus, Acer, Lenovo, Toshiba, Samsung, etc.  They make systems that have different capabilities.  Different size screens, different sizes and types of memory and storage, different graphics cards, different processors (Intel or AMD), etc etc.

But that doesn't matter.  It's all the same OS (more or less).  You install the same OS on all of them, the install takes care of putting the right drivers you need on the system.  When an upgrade goes out, it goes out to everyone.  (I think most of us with PCs are getting various updates every couple of weeks).

Now, in the world of mobile devices (smartphones and tablets) it's different.

Google makes Android.

Then you have many manufacturers who make the devices.  HTC, Motorola Mobility, Ericsson, Samsung, etc.  They make devices that have different capabilities.  Different size screens, different sizes and types of memory/storage, different graphics, different processors, different cell radios (LTE, GSM, etc), and all the rest.

THEN you have the carriers who allow the devices on their networks.  Verizon, T-Mobile, AT&T, etc.  They have different requirements due to the networks they use, PLUS they usually demand certain apps be put on the devices.

So, unlike in the PC world, the manufacturers actually tweak the Android OS to work on THEIR devices, and usually further tweak it to work on a particular carrier's network.

So when Google releases a new version (or even an update) of Android, it's NOT like when Microsoft releases an update of Windows.

FIRST it gets released to the Nexus and other "Google Experience Devices".  That's part of the whole reason for these devices, to provide a "pure" Android experience.  (tho I have a GES and am still on 4.1.2.  Go figure.)

THEN it gets released to the manufacturers.  Who must THEN tweak it to work on their devices AND for the carriers' networks.  This means the manufacturers must test it on their devices and then give it to the carriers to test before it gets pushed out.

This is why the updates are delayed.    (please note, am trying to be VERY simple here.)

Not mentioned is that manufacturers don't guarantee that they will upgrade ALL their devices.  Most only guarantee they will provide 2 updates (if that).  If you've got an old device, you are SOL.  It's almost part of the planned obsolescence in mobile devices.  If your device is more than 2 years old, you are probably NOT going to get an official upgrade.

And part of what makes this difficult for the average user is that most manufacturers "lock" the bootloader of these devices to make it hard to install your own OS, usually at the request (or demand) of the carriers.  This is NOT an issue with PCs.  (and the whole matter of locked bootloaders is another big issue).

NOW.  As Security people, why should we care?

Simple.  Updated/upgraded systems are usually more secure.  Some of those updates are security updates, to plug holes.  Most of us understand this in the PC world, that we need to keep our servers, workstations, and laptops up to date as part of an overall security program.

But what about mobile devices in this "Post PC" world?

They need to be kept up to date as well.  But this current system we have makes that VERY difficult. 

Unlocked bootloaders would make it easy, but that opens up a host of other problems.  (a subject for another posting).

I wish I had an answer.  I wish that there were someone working on a solution, but I don't see it.


