
87% of Android devices are exposed to at least one critical vulnerability

University of Cambridge researchers find that the Android ecosystem is a "market for lemons," with 87% of devices unpatched against at least one known critical vulnerability.


We already know that Android handset makers don’t always deliver security updates in a timely way – Google has only recently started issuing regular security updates for its own Nexus devices, and even some of those lag behind the latest patches.

But the number of insecure Android devices out there is truly astonishing, according to research from the UK’s University of Cambridge – 87% of Androids are exposed to at least one known critical vulnerability.

Android device buyers – be they consumers, businesses or governments – often don’t have any guidance on which device models are getting security patches or on what kind of timetable, researchers Daniel Thomas, Alastair Beresford, and Andrew Rice note in a new paper.

One example the researchers found is CESG – the information security arm of the UK’s Government Communications Headquarters (GCHQ) – which advises the government on securing its computer systems.

CESG recommends choosing Android devices from manufacturers who are good at promptly shipping security updates, but it doesn’t say which manufacturers those might be.

The lack of data leaves us stuck with what the researchers call a “market for lemons”:

The difficulty is that the market for Android security today is like the market for lemons: there is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not.

Not all device manufacturers are equally lagging in patching devices.

The study found that Google, LG, and Motorola far outperformed Samsung, HTC and Asus.

Nexus devices do considerably better, and LG is the best manufacturer of all.

Still, few devices are promptly updated: the study found that, on average, a device receives 1.26 updates per year, leaving devices unpatched for long periods.

Data collected from 20,400 Android devices with the university’s Device Analyzer app installed revealed that 87% of Android devices were vulnerable to at least one of 11 known, critical bugs, including the TowelRoot and FakeID vulnerabilities discovered in 2014.

Device manufacturers are finally beginning to address the problem of lagging updates.

Stagefright – the nasty security hole in Android disclosed in July – soon thereafter scared Samsung and Google into announcing that they’ll both push monthly security updates for Androids.

As we saw with the Stagefright fracas, handset makers package Android software along with their own software, and Google has left it to the vendors and carriers to get updates out to users.

That means Android users typically get security updates months late, if they ever get them at all, because Samsung or T-Mobile or fill-in-the-blank vendor or carrier gets bogged down in wrapping its own software around a given security fix.

For its part, HTC has said that monthly updates are “unrealistic” due to a bottleneck at the carrier testing stage: HTC says that Android’s hardware partners take Google’s security fixes, wrap their own software around them, and then rely on carriers to approve and push out the updates.

But the Cambridge researchers noted that the bottleneck for the updates is really the fault of the manufacturers, who “fail to provide updates to fix critical vulnerabilities.”

The researchers are hoping that by quantifying the problem, they can help people choose a more secure device and that consumers’ buying power will “provide an incentive for other manufacturers and operators to deliver updates.”


Image of broken robot courtesy of Shutterstock.com.

6 Comments

This surely threatens to undermine Android
My phone reports that it uses Android 2.3.6
Checking for system updates reports “Your device is up to date”
My tablet reports that it uses Android 4.4.4
Checking for system updates reports “Your device is up to date”

Anyone know if Ubuntu phones (using Ubuntu touch) suffer from this nonsense?

iOS phones and Windows phones at least fix security issues.

With iPhones, the default security has been very hard to defeat for someone trying to gain access to the phone; it’s even pointless to steal an iPhone now, as if you factory reset the phone you have to provide the owner’s Apple password to allow use of the phone after the reset, so it’s a brick.

While I don’t think much of the lack of transparency with Apple regarding their security efforts, I do appreciate the security infrastructure — from what I recall, most iOS apps can’t interact with each other, which is nice from an antivirus point of view. Also, they have a much better permission landscape, wherein the apps have to be designed to ask for individual permissions at run time, unlike the Android world, in which an app won’t download/install/run unless you give it all permissions it might ever want.

I think that some of that is changing with the newest version of the Android OS, and I look forward to the change.

My HTC One X M8 is “up to date” with 5.0.2

My HTC One X is “up to date” with 4.1.1

I’ve never had an iPhone but between the lack of security and the fact that I can’t share videos except by uploading to YouTube, my next phone will definitely be an iPhone.

I assume that your “up to date” status means that there are no more patches or updates that have made it through both HTC and your carrier; I agree that neither of those is the latest version of the OS.

That being said, I too tire of that delay, and believe that my next phone will be a phone fully supported by Google. It is true that I’ll no longer get to call my carrier for support, but I don’t do that anyway, and if I called to ask about patches, they probably couldn’t tell me anything. With the Google Nexus 5X or 6P, I feel like I can expect faster security updates.

I read that study, and I think their methodology is faulty. They assume that if there has been an update since a vulnerability was fixed in the official android source tree, the update includes a backport for that fix.

I think that is a very big logical leap to make, and not supported by evidence. Manufacturers and networks can issue updates for any number of reasons, and backporting complex security fixes that most customers have never heard of will be low on their list of priorities, compared with, say, the latest version of their bloatware with an updated company logo.

The other problem is that the researchers got their information from self-selected volunteers. As far as I can tell, these are volunteers who read their security blog and agreed to download and install the reporting app. People who read security blogs are a long way from the mainstream when it comes to Android security.

In other words, I think the 87% is a gross underestimate. The real figure is probably over 99%.
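The methodological gap raised in the last comment, shown as an added example that is not part of the article or of the Cambridge study: a small fleet-exposure calculation run under the optimistic "updated since the fix landed" rule and under a stricter "runs a release that ships the fix" rule, so the share of the exposure figure that rests on the backport assumption becomes visible. Every vulnerability, fix date and device below is a constructed placeholder, not a real CVE or a real handset.

```python
from dataclasses import dataclass
from datetime import date
@dataclass(frozen=True)
class Vuln:
    name: str
    fixed_in: tuple    # first Android release that ships the fix
    fix_date: date     # date the fix landed upstream
@dataclass(frozen=True)
class Device:
    model: str
    version: tuple     # Android release the device actually runs
    last_update: date  # date of the last update the device received

def ver(s):
    """'4.4.4' -> (4, 4, 4) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))

# Constructed placeholder vulnerabilities (not real CVEs or fix dates).
VULNS = [
    Vuln("VULN-A", ver("4.4"), date(2014, 4, 1)),
    Vuln("VULN-B", ver("5.0"), date(2014, 11, 1)),
    Vuln("VULN-C", ver("5.1.1"), date(2015, 7, 1)),
]

# Constructed fleet: model, running release, date of last update received.
FLEET = [
    Device("phone-1", ver("2.3.6"), date(2012, 3, 1)),
    Device("phone-2", ver("4.1.1"), date(2014, 12, 1)),
    Device("phone-3", ver("4.4.4"), date(2015, 1, 15)),
    Device("phone-4", ver("5.0.2"), date(2015, 8, 1)),  # updated after every fix, still on 5.0.2
    Device("phone-5", ver("5.1.1"), date(2015, 9, 1)),
]

def exposed_by_update_date(dev, vuln):
    """Optimistic rule: any update after the fix date is assumed to carry it."""
    return dev.last_update < vuln.fix_date

def exposed_by_release(dev, vuln):
    """Strict rule: only a release that ships the fix counts as patched."""
    return dev.version < vuln.fixed_in

def exposure_rate(fleet, vulns, rule):
    """Fraction of devices exposed to at least one vulnerability under `rule`."""
    hit = sum(1 for d in fleet if any(rule(d, v) for v in vulns))
    return round(hit / len(fleet), 2)

def disagreements(fleet, vulns):
    """Devices the optimistic rule calls patched but the release rule calls exposed."""
    return [d.model for d in fleet if not any(exposed_by_update_date(d, v) for v in vulns)
            and any(exposed_by_release(d, v) for v in vulns)]
```

Over this fleet the optimistic rule reports 60% exposed and the release rule 80%; the device the two rules disagree on is the one that received an update after every fix date but still runs an older release, which is exactly the case the commenter argues the study counts as patched.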
