Study finds 87% of Android Devices are Insecure
Roughly 87 percent of Android devices are exposed to one of 13 critical vulnerabilities that currently plague the Android ecosystem, a recent study (PDF) from the University of Cambridge reported. Due to carriers’ repeated failure to issue patches, many devices linger far too long without getting properly patched. The research concluded that “on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.”
Data used in the study was collected through the “Device Analyzer” app, which has been freely available on the Google Play Store since May 2011. After installing the app and opting into the study, the University is able to collect daily Android version and build number information, which the study did on over 20,000 devices. Researchers then compared the version of Android against 13 critical vulnerabilities, including Stagefright, and some dating back as far as 2010.
From there, each device was labeled “secure” or “insecure” based on whether or not the OS version was patched against the looming vulnerabilities. In rare cases, a special “maybe secure” label was applied if the device may have gotten a special patch that researchers weren’t able to clearly identify.
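The labeling step described above, sketched as an added example (not the study's code or data). The vulnerability names, versions, dates and the build-date rule used for “maybe secure” are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed vulnerability table (placeholder names, versions and dates,
# not the study's data): disclosure date, first fixed OS version, fix date.
VULNS = {
    "VULN-A": (date(2014, 5, 1), (4, 4, 3), date(2014, 6, 1)),
    "VULN-B": (date(2015, 7, 1), (5, 1, 1), date(2015, 8, 1)),
}

# Constructed daily observations: (device, OS version, build date, observed on).
OBSERVATIONS = [
    ("dev1", "4.4.2", date(2014, 1, 10), date(2015, 9, 1)),
    ("dev2", "5.1.1", date(2015, 8, 20), date(2015, 9, 1)),
    ("dev3", "5.0", date(2015, 8, 25), date(2015, 9, 1)),
    ("dev4", "4.4.2", date(2014, 1, 10), date(2014, 3, 1)),
]

def parse_version(text):
    """'5.0' -> (5, 0, 0); padding keeps tuple comparison meaningful."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def label_device(os_version, build_date, observed_on):
    """Label one observation 'secure', 'maybe secure' or 'insecure'."""
    version = parse_version(os_version)
    label = "secure"
    for disclosed, fixed_in, fix_date in VULNS.values():
        if disclosed > observed_on or version >= fixed_in:
            continue  # not yet known that day, or fixed by the OS version
        if build_date < fix_date:
            return "insecure"  # old version and the build predates the fix
        # Assumed rule: a build made after the fix may carry a backport
        # that the version string alone cannot confirm.
        label = "maybe secure"
    return label

def summarize(observations):
    """Count labels and return (counts, share of observations insecure)."""
    counts = Counter(label_device(v, b, d) for _, v, b, d in observations)
    return counts, counts["insecure"] / len(observations)

if __name__ == "__main__":
    counts, insecure_share = summarize(OBSERVATIONS)
    print(dict(counts), f"insecure: {insecure_share:.0%}")
```

The same device can change label over time: `dev4` is “secure” only because it was observed before either constructed vulnerability was disclosed.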
As for why such a high number of Android devices are insecure, the study found that most of the blame is on the OEMs. The university states that “the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.” Alongside the study, the University of Cambridge is launching AndroidVulnerabilities.org, a site that houses the research data and grades OEMs based on their security track record. Security ratings will be graded on a 1-10 scale. The “FUM” score the University is using is an algorithm that takes into account the number of days a device has no known vulnerabilities, against the mean number of vulnerabilities not fixed on any device the company sells. The study found that Google Nexus-based devices were the most secure Android devices on the market, with a FUM score of 5.2 out of 10. Not surprisingly LG was next with a 3.97, followed by Motorola (3.07), Samsung (2.75), Sony (2.63) and HTC (2.63).
Google’s high score of a mere 5.2 out of 10 may seem low, given all the security updates Nexus devices have been receiving; however, there is some speculation as to why it scored so low. Some believe it’s due to Google’s lengthy two-week patch rollout, or that Google’s update policy isn’t living up to its reality. As the survey recorded a mass of devices, it’s likely old Nexus devices and possibly even unsupported devices may have wound up on the list.
What’s strange about the study is that according to IDC, the top four Android OEMs worldwide are Samsung, Huawei, Xiaomi and Lenovo, respectively. However, Samsung was the only one of them to make it onto the study’s FUM scale. Due to the app being distributed via the Google Play Store, we’d imagine the results exclude non-Google Play friendly countries, like China.
With a majority of Android devices being flagged as insecure, more specifically 87 percent, the study goes to show just how far manufacturers don’t go to protect their users. Google just released their latest security update program that will automatically patch devices that are vulnerable. However, until an all-in-one solution – compatible with all Android devices and carriers – exists, Android devices will continue to remain vulnerable.
Thanks for this info, it’s precious. Now what to do. I have a Samsung and have communication with my clients and prospects. I try not to receive confidential info from them via text or emails. This is what I’m planning to do. Find out in the market what I can install on my Android or change it to make it unhackable, if that’s possible. Since you are researchers, can you give me suggestions? This is only for my Android. I also need suggestions for my Windows 7 laptop.
Hi Guillermo, I am a bit confused at your question. Are you asking how to keep your device secure?
If so, the only way you would be able to make it extremely secure is to leave it in an isolated and air-gapped area. Meaning no inside or outside connections are able to access the phone. Now clearly, this is not really possible as you need 3G and 4G just for the phone to work.
Your best bet would be getting a PrivacyCase, as it gaps the entire phone from all networks. This will leave all outside threats with no target. Now this is the issue: you’re going to need to remove the phone from the PrivacyCase to use it, but this is where you need an extremely secure and isolated area and network to work with.
It may be impractical, but this is your best bet for real security.