Andrew Munn, an engineering intern at Google, responding to this post by Dianne Hackborn, an Android Framework Engineer:
It’s not GC pauses. It’s not because Android runs bytecode and iOS runs native code. It’s because on iOS all UI rendering occurs in a dedicated UI thread with real-time priority. On the other hand, Android follows the traditional PC model of rendering occurring on the main thread with normal priority.
This is a not an abstract or academic difference. You can see it for yourself. Grab your closest iPad or iPhone and open Safari. Start loading a complex web page like Facebook. Half way through loading, put your finger on the screen and move it around. All rendering instantly stops. The website will literally never load until you remove your finger. This is because the UI thread is intercepting all events and rendering the UI at real-time priority.
Munn goes on to list four other related reasons that help explain the lag that persists throughout Android. Some of the technical discussion in these two posts gets a little beyond my capacity, but they’re great reads if you want some insight into the issue from people who just might actually know what they’re talking about.
By exploiting these leaked capabilities, an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geolocations all without asking for any permission.
In other words: Android OEMs are playing fast and loose with customer privacy and security when tinkering with Android’s underpinnings, adding features, or making modifications to suit their priorities.
Manufacturers and carriers have been installing what is basically a rootkit on millions of Android, BlackBerry, and Nokia phones to record everything their users do, “ostensibly so carriers and phone manufacturers can do quality control.”
Wired has a video of the software in action, showing how it records a security researcher’s Google search for “hello world” despite using HTTPS (it’s recording keystrokes), as well as every phone number dialed. Numbers are uploaded to Carrier IQ, the company that created this rootkit for carriers and manufacturers, before the phone call is even placed.
If [the Android APIs are] publicly documented, they’re part of what we consider the Android Application Framework. This means their tests appear in the Compatibility Test Suite (CTS) so that our hardware partners have to prove that the APIs work, and that we promise to try very hard not to change them and thus break your code.
In almost every case, there’s only one reason for leaving APIs undocumented: We’re not sure that what we have now is the best solution, and we think we might have to improve it, and we’re not prepared to make those commitments to testing and preservation.