Roughly 87 percent of Android devices are exposed to one of 13 critical vulnerabilities that currently plague the Android ecosystem, and due to carriers' repeated failure to issue patches, many linger far too long without being properly patched, a recent study (PDF) from the University of Cambridge reported. Their research concluded that “on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.”
Data used in the study was collected through the “Device Analyzer” app, which has been freely available on the Google Play Store since May 2011. After a user installs the app and opts into the study, the University is able to collect the device's Android version and build number daily, which the study did on over 20,000 devices. Researchers then compared each device's Android version against 13 critical vulnerabilities, including Stagefright, some dating back as far as 2010.
From there, each device was labeled “secure” or “insecure” based on whether or not its OS version was patched against those vulnerabilities, or, in rare cases, given a special “maybe secure” label if the device may have received a specific patch the researchers weren't able to clearly identify.
As for why such a high number of Android devices are insecure, the study found that most of the blame lies with the OEMs. The university states that “the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.” Alongside the study, the University of Cambridge is launching AndroidVulnerabilities.org, a site that houses the research data and grades OEMs on their security track record. Security ratings are graded on a 1-10 scale. The “FUM” score the University is using is an algorithm that weighs the number of days a device has no known vulnerabilities against the mean number of vulnerabilities not fixed on any device the company sells. The study found that Google Nexus-based devices were the most secure Android devices on the market, with a FUM score of 5.2 out of 10. Not surprisingly, LG was next with 3.97, followed by Motorola (3.07), Samsung (2.75), Sony (2.63) and HTC (2.63).
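To make the labeling and scoring concrete, here is an added example (not the researchers' code) that applies the secure/insecure/maybe-secure rule from the paragraphs above to constructed device observations and then computes a per-manufacturer score. The vulnerability table, build IDs and observations are made up; the weighted combination 4.3f + 3.8u + 1.9/(1+m) is the published paper's formula as I recall it, with u (share of devices on the latest release) being a term the article itself does not mention, so treat those constants as an assumption.

```python
from collections import defaultdict

# Constructed vulnerability table: name -> first Android version carrying the fix.
# The real list of CVEs is published at AndroidVulnerabilities.org; these are placeholders.
VULNS = {"vuln_a": (4, 4, 4), "vuln_b": (5, 1, 0), "vuln_c": (6, 0, 0)}
LATEST = (6, 0, 0)  # assumed "most recent release" for the u term
# Constructed: build IDs that may carry a vendor backport the researchers could not pin down.
MAYBE_PATCHED_BUILDS = {"LMY48X"}

def parse_version(s):
    """'5.1.1' -> (5, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))

def classify(version, build):
    """Return (label, unpatched_names) for one device observation."""
    v = parse_version(version)
    unpatched = [name for name, fixed_in in VULNS.items() if v < fixed_in]
    if not unpatched:
        return "secure", unpatched
    if build in MAYBE_PATCHED_BUILDS:      # version is old, but the build may include a backport
        return "maybe secure", unpatched
    return "insecure", unpatched

def fum_scores(observations):
    """observations: iterable of (manufacturer, version, build), one per device-day.
    Returns {manufacturer: (f, u, m, score)} where
      f = share of observations labelled secure,
      u = share of observations on the latest release,
      m = vulnerabilities no observed device of that maker has fixed."""
    by_maker = defaultdict(list)
    for maker, version, build in observations:
        by_maker[maker].append((version, build))
    result = {}
    for maker, obs in by_maker.items():
        labels = [classify(ver, build)[0] for ver, build in obs]
        versions = [parse_version(ver) for ver, _ in obs]
        f = labels.count("secure") / len(labels)
        u = sum(v >= LATEST for v in versions) / len(versions)
        fixed_anywhere = {n for n, fixed_in in VULNS.items() if any(v >= fixed_in for v in versions)}
        m = len(VULNS) - len(fixed_anywhere)
        score = 4.3 * f + 3.8 * u + 1.9 / (1 + m)   # assumed weighting, see lead-in
        result[maker] = (f, u, m, round(score, 2))
    return result

OBSERVATIONS = [  # constructed device-days
    ("Nexus", "6.0.0", "MRA58K"), ("Nexus", "6.0.0", "MRA58K"), ("Nexus", "5.1.1", "LMY48B"),
    ("VendorX", "4.4.2", "KOT49H"), ("VendorX", "5.0.1", "LRX22C"), ("VendorX", "5.1.1", "LMY48X"),
]

if __name__ == "__main__":
    for maker, (f, u, m, score) in fum_scores(OBSERVATIONS).items():
        print(f"{maker}: f={f:.2f} u={u:.2f} m={m} score={score}")
```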
Google's top score of a mere 5.2 out of 10 may seem low, given all the security updates Nexus devices have been receiving; however, there is some speculation as to why it scored so low. Some believe it's due to Google's lengthy two-week patch rollout, or that Google's update policy isn't living up to its promise in practice. As the survey recorded a mass of devices, it's likely that old Nexus devices, and possibly even unsupported ones, wound up on the list.
What's strange about the study is that, according to IDC, the top four Android OEMs worldwide are Samsung, Huawei, Xiaomi and Lenovo, respectively. However, Samsung was the only one of those manufacturers to make it onto the study's FUM scale. Since the app is distributed via the Google Play Store, we'd imagine the results exclude countries where Google Play is unavailable, like China.
With a majority of Android devices being flagged as insecure, more specifically 87 percent, the study goes to show just how little manufacturers do to protect their users. Google just released its latest security update program, which will automatically patch devices that are vulnerable. However, until an all-in-one solution compatible with all Android devices and carriers exists, Android devices will continue to remain vulnerable.