Google just pulled some business jiu-jitsu.
In one swift move, Google has made its own Nexus phones the safest, most reliable Android phones on the market. But it also made every other type of Android smartphone — Samsung Galaxy, LG G4, Alcatel OneTouch — more vulnerable to hackers.
To understand why, consider the painful relationship between Google on one side and on the other device makers like Samsung and cellphone carriers like AT&T, Sprint, T-Mobile and Verizon.
Unlike iPhones, when Google releases new features or security patches, device makers and carriers decide when to implement it. Customers abhor this fragmented system.
Ever wonder why Google released the new Android version, Lollipop, in November but you didn’t get it until months later? Blame your phone maker and carrier.
The Google-preferred Nexus devices get updates in a flash. Everyone else waits. But now that wait will be more painful than ever.
This week, Google decided to start rewarding smart researchers for finding Android software flaws in Nexus devices — and immediately sending updates to Nexus phones and tablets first.
That means, for a period of time after every update, hackers everywhere will have clues about how to hack non-Nexus Android phones.
Did Google just betray Android users? Paying hackers for finding flaws — and reporting them publicly — isn’t new. It’s called a “bug bounty” program. Every respectable tech company does this: Facebook, Microsoft and others.
Why pay for hackers to find flaws? Because the flaws are valuable and sell on the black market. Criminals and spies are willing to pay upwards of $20,000 for a never-before-seen bug, because they can use so-called “zero-days” to sneak into computers at companies and governments.
It’s how cybermafias break into banks. It’s how the U.S. government slipped into an Iranian nuclear enrichment facility and sabotaged its program back in 2009. “Zero days” are the hacking superweapons.
Google is offering to pay $500 for small bugs, $2,000 for big ones, and $8,000 if a researcher can provide a fix, too.
Overall, cybersecurity experts agree this transparency makes Android phones safer. But it creates a two-tier system: Nexus is first-class, every other device is stuck back in coach. Enjoy the peanuts.
Bugcrowd, a company that runs one of the largest bug bounty programs, described Google’s move this way: “You’ve essentially zero-dayed your own customers.”
CNNMoney asked Google whether it just left 96% of Android users out to dry.
In a statement, Google said, “We will work as quickly as possible to get patches to partners, generally within 30 days. We will then work with researchers who report issues to disclose the information in a timely manner.”
Why would Google do this? Some see this as a way for Google to nudge the likes of Samsung, LG and cellphone carriers into adopting updates more quickly.
Kymberlee Price, BugCrowd’s senior director of research, said “hardware vendors are on notice to start taking security updates right away, or they’ll lose security-conscious customers.”
“It’s definitely a pressure move,” she said. “This could very well be Google saying, ‘We’re not going to be held back by hardware vendors anymore.'”
None of the cellphone carriers provided comment to CNNMoney. Neither did phone manufacturers.
This hits Samsung particularly hard. Just over half of all Android phones are made by Samsung, according to software trackers at AppBrain.