Android handset makers’ failure to deliver timely security updates leaves almost everyone open to attack.
That’s among the conclusions of a study from Cambridge University that sought to quantify just how bad the Android security situation had become.
To collect the data, the researchers published the Device Analyzer app to the Google Play Store. Distributing it through Play made it easy for a lot of people to participate, but it also meant that phones without Google Play services, which are typically targeted at emerging markets, were excluded from the results. The team gathered data from 20,000 different Android devices, most of them from major manufacturers such as Samsung, LG, HTC, and Motorola.
The research, which was partially funded by Google, is ongoing, so you can still install the app on your own Android phone to contribute data.
With the data, the Cambridge group then created a score for how quickly all the major manufacturers were applying the latest security updates to their devices. The full results reveal that it isn’t a pretty picture.
Why this matters: The Stagefright vulnerability demonstrated how quickly a single security issue can threaten an enormous number of devices, and how slowly the fix reaches them, because Android updates run into a bottleneck. After Google releases a new version or a security fix, each manufacturer has to fold it into its own fork of Android before it can ship to your device. It's even worse with carrier-branded phones, because the carrier must also test and approve the update before you get it. This contrasts sharply with iOS: Apple controls both the operating system and the hardware, so an update goes straight to every supported iPhone.
Nexus is best, but everyone needs to elevate their game
The Cambridge team created a FUM score to compare the security provided by the different devices. As the chart indicates, Nexus devices are at the top, with LG leading the other third-party manufacturers.
Even with the recent pledge of monthly security updates, no manufacturer besides Google's Nexus line scored above five out of 10. That could change over time, but it's too early to know how effective the monthly patches are, or whether the manufacturers will keep the promise over the long term. The monthly-patch promise also doesn't solve the bottleneck: outside of full-price, unlocked phones, carriers still control when a phone gets its update.
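To make the comparison concrete, here is how a FUM score is computed, as an added example that is not part of the original article or the Cambridge team's code. The formula is the one the team published for the metric, which this article does not spell out: 4·f + 3·u + 3·2/(1+e^m), where f is the proportion of a manufacturer's devices free of known critical vulnerabilities, u the proportion running the latest Android version, and m the mean number of vulnerabilities the manufacturer has not fixed on any device. The device records below are constructed, and taking a single snapshot's count of vendor-wide unfixed vulnerabilities as m is a simplification of the study's method.

```python
import math


def fum_score(f, u, m):
    """FUM score, 0..10, using the formula the Cambridge team published
    (not stated in this article): 4*f + 3*u + 3*(2 / (1 + e^m)).

    f: proportion of devices free from known critical vulnerabilities (0..1)
    u: proportion of devices running the latest Android version (0..1)
    m: mean number of vulnerabilities the manufacturer has not fixed on any device (>= 0)
    """
    if not (0.0 <= f <= 1.0 and 0.0 <= u <= 1.0) or m < 0:
        raise ValueError("f and u must be proportions in [0, 1]; m must be >= 0")
    # The m term is a logistic decay: 3 points at m == 0, approaching 0 as m grows.
    return 4 * f + 3 * u + 3 * (2 / (1 + math.exp(m)))


def manufacturer_inputs(devices, known_vulns):
    """Derive (f, u, m) from a snapshot of one manufacturer's devices.

    devices: list of dicts with 'unpatched' (set of critical vuln names still
             open on the device) and 'latest' (bool, runs the latest Android)
    known_vulns: set of all critical vulnerabilities known at snapshot time

    Simplification (an assumption here, not the study's exact method): m is
    taken as the number of known vulnerabilities still open on *every* device
    from this manufacturer, i.e. ones the manufacturer has fixed nowhere.
    """
    if not devices:
        raise ValueError("need at least one device observation")
    n = len(devices)
    f = sum(1 for d in devices if not d["unpatched"]) / n
    u = sum(1 for d in devices if d["latest"]) / n
    m = sum(1 for v in known_vulns if all(v in d["unpatched"] for d in devices))
    return f, u, m


def rank_manufacturers(snapshot, known_vulns):
    """Return [(name, score)] sorted best-first, like the study's league table."""
    table = []
    for name, devices in snapshot.items():
        f, u, m = manufacturer_inputs(devices, known_vulns)
        table.append((name, round(fum_score(f, u, m), 2)))
    return sorted(table, key=lambda t: t[1], reverse=True)


# Constructed sample data (hypothetical names, not the study's measurements).
KNOWN_VULNS = {"VULN-A", "VULN-B"}
SNAPSHOT = {
    # Google-controlled line: everything patched and current.
    "Nexus": [{"unpatched": set(), "latest": True} for _ in range(4)],
    # A vendor that shipped a fix for VULN-B to some devices but none for VULN-A.
    "VendorX": [
        {"unpatched": {"VULN-A", "VULN-B"}, "latest": False},
        {"unpatched": {"VULN-A"}, "latest": False},
        {"unpatched": {"VULN-A", "VULN-B"}, "latest": False},
        {"unpatched": {"VULN-A"}, "latest": True},
        {"unpatched": {"VULN-A"}, "latest": True},
    ],
}

if __name__ == "__main__":
    for name, score in rank_manufacturers(SNAPSHOT, KNOWN_VULNS):
        print(f"{name:8s} {score:5.2f} / 10")
```

The weighting is what makes the article's "nobody but Nexus above five" line so damning: a vendor only reaches the upper half of the scale if most of its fleet is both free of known critical bugs and on a current release, and every vulnerability it has fixed nowhere costs it most of the remaining three points.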
Researcher Daniel Thomas summarized the core of the problem.
“Google has done a good job at mitigating many of the risks and we recommend users only install apps from Google’s Play Store since it performs additional safety checks on apps,” he said. “Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Phones require updates from manufacturers, and the majority of devices aren’t getting them.”
Sticking to Play Store apps and avoiding software from outside sources reduces your exposure, but it is not a complete defense: a flaw in the platform itself, as Stagefright was, is only closed by an update from the manufacturer. So when it comes time to upgrade your phone, check back with the Cambridge team's results as part of deciding which phone to buy.