87.7% of Android Devices Are Insecure Due to Lack of Regular Security Updates
We have often emphasized how important it has become for Google to take control of the software updates sent to Android devices and to cut the delays introduced by its OEM and carrier partners. Android users have also become more vocal about the security of the operating system since the disclosure of the critical Stagefright vulnerabilities (putting an estimated billion devices at risk) and the other security flaws found in Android in recent months. But just how much of the Android ecosystem is really affected, you ask?
Android security study discovers 87.7% devices are insecure:
A recent study from the University of Cambridge, partly funded by Google, has found that “on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.” The figure is an average over data collected during the last four years. The data came from more than 20,000 users of devices from a range of OEMs who installed and ran the Device Analyzer application, which has been available for free on the Google Play Store since May 2011. The sample is opt-in, so it is not necessarily representative of every Android user, but at that size it is the best public view of the ecosystem available.
The collected data (the OS version and build reported by each device) was compared against a list of critical vulnerabilities disclosed since 2010, including Stagefright. The research team labeled each device “secure,” “insecure,” or “maybe secure” depending on whether its firmware included the fix for a given vulnerability, lacked it, or ran a version into which the fix might have been backported. Based on the findings, the research group concluded that the main reason so many Android devices are affected is that device manufacturers do not roll out security updates regularly:
The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. Unfortunately, few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices unpatched for long periods. We showed that the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.
The collected data let the researchers rank OEMs on a 10-point security scale, on which the Nexus program received the highest score, and even that was only 5.2 out of 10. LG ranked best among the third-party manufacturers with a score of 3.97. Scores such as Samsung’s 2.75 and HTC’s 2.63 make clear why OEMs are taking the blame. The research also scores network operators; O2 UK and T-Mobile top that list.
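As an added illustration of the labeling step described above (this is not code from the Cambridge study, and it does not reproduce the study’s scoring formula or data), the following Python classifies each device against a vulnerability list by OS version and then reports the share of devices that are exposed to at least one unfixed flaw, overall and per OEM. The vulnerability names, version cutoffs, OEM names and device records are all constructed for the example; the rule that a device is “maybe secure” when the fix could have been backported to its release is a simplification of the approach the article describes.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Android versions compare naturally as tuples of ints: (4, 4, 2) < (4, 4, 4).
Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'5.1.1' -> (5, 1, 1)"""
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class Vuln:
    name: str           # constructed label, not a real CVE
    introduced: Version  # first vulnerable release (inclusive)
    fixed: Version       # first release that carries the fix
    backportable: bool   # True if OEMs are known to ship the fix in older branches


@dataclass(frozen=True)
class Device:
    oem: str
    version: Version


SECURE, MAYBE, INSECURE = "secure", "maybe secure", "insecure"


def label_against(dev: Device, vuln: Vuln) -> str:
    """Label one device against one vulnerability."""
    if dev.version >= vuln.fixed or dev.version < vuln.introduced:
        return SECURE
    # Running an affected release: secure only if the OEM backported the fix,
    # which we cannot see from the version string alone.
    return MAYBE if vuln.backportable else INSECURE


def label_device(dev: Device, vulns: Iterable[Vuln]) -> str:
    """A device is as insecure as its worst vulnerability."""
    labels = {label_against(dev, v) for v in vulns}
    if INSECURE in labels:
        return INSECURE
    if MAYBE in labels:
        return MAYBE
    return SECURE


def exposure(devices: List[Device], vulns: List[Vuln]) -> Dict[str, float]:
    """Fraction of devices in each label class."""
    counts = Counter(label_device(d, vulns) for d in devices)
    return {label: counts[label] / len(devices) for label in (SECURE, MAYBE, INSECURE)}


def exposure_by_oem(devices: List[Device], vulns: List[Vuln]) -> Dict[str, float]:
    """Fraction of each OEM's devices labeled insecure."""
    by_oem: Dict[str, List[Device]] = defaultdict(list)
    for d in devices:
        by_oem[d.oem].append(d)
    return {oem: exposure(devs, vulns)[INSECURE] for oem, devs in by_oem.items()}


# Constructed vulnerability list and device sample (not the study's data).
VULNS = [
    Vuln("vuln-A", parse_version("2.2"), parse_version("4.4.4"), backportable=False),
    Vuln("vuln-B", parse_version("4.0"), parse_version("5.1.1"), backportable=True),
    Vuln("vuln-C", parse_version("4.4"), parse_version("5.1.0"), backportable=False),
]

DEVICES = [
    Device("OEM-X", parse_version("4.4.2")),
    Device("OEM-X", parse_version("5.0.1")),
    Device("OEM-X", parse_version("5.1.1")),
    Device("OEM-Y", parse_version("4.4.4")),
    Device("OEM-Y", parse_version("4.3")),
    Device("OEM-Y", parse_version("6.0")),
    Device("OEM-Z", parse_version("5.1.0")),
    Device("OEM-Z", parse_version("4.2.2")),
]

if __name__ == "__main__":
    for label, share in exposure(DEVICES, VULNS).items():
        print(f"{label:>13}: {share:.1%}")
    for oem, share in sorted(exposure_by_oem(DEVICES, VULNS).items()):
        print(f"{oem}: {share:.1%} insecure")
```

The “maybe secure” bucket is what makes version-only measurement honest: a device on an affected release might have a vendor backport, and only a build-level check (or a probe for the fix itself) can resolve that, which is why the study kept the class separate rather than folding it into either side.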
Since the disclosure of the Stagefright vulnerabilities, Google has been trying to push its OEM partners to release firmware updates promptly. Google and some of its partners have promised a monthly security update program for their devices. However, the program covers only flagship devices that are less than two years old (three years for Nexus). Since only a small fraction of devices meet both conditions, it will do little about the security flaws affecting the rest of the Android ecosystem.
Microsoft recently reiterated its commitment to retaining control over the software updates it sends to its mobile devices, even where carriers test those updates before they are rolled out. While Apple has absolute control over iOS updates and Microsoft aims for at least some control, Google is still trying to get its OEM partners on board. The alarming picture painted by this Android security study won’t change until Google rethinks the entire software update paradigm and introduces a centralized, controlled approach that puts users’ security before its hardware and carrier partners.