Hacker News
by scarface74 2761 days ago
The process of identifying bugs and the process of distributing patches are two separate things. And there is a very specific reason the "Android ecosystem" is slow to distribute patches -- an important piece, namely the hardware drivers, is not open. The reason you can't install the latest stock Android with all the latest patches on your device is that the device is stuck with proprietary blob drivers that aren't compatible with newer kernels.

So that whole tweet from Andy Rubin about “the definition of ‘open’” has always been BS.

And it doesn’t matter why people can’t get security updates. The fact is that iOS users get security updates faster and more reliably than Android users for phones that are up to 5 years old.

They don't have to do it out of altruism, there are plenty of self-interested reasons to do it. Security researchers build their reputations by discovering vulnerabilities. iOS jailbreaks are valuable.

So since security researchers including people from Google have found security exploits in closed source software that kind of makes the whole open vs closed thing a moot point...

People really overestimate the difficulty for someone who knows what they are doing to find security exploits in closed source software. Heck, I was disassembling and patching 16-bit x86 code and 8-bit 65C02 code in middle school.

And how many of those were discovered specifically because the source code wasn't available?

Again, there is nothing magic about “source code”. It’s a little harder, but a skilled developer can follow the logic of assembly language.