Study suggests 88% of all Android devices are insecure

We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10.

“Unfortunately something has gone wrong with the provision of security updates in the Android market”, the study reads.

When considering those numbers, you should take into account that this study included devices which may be outside the new 18-24 months commitment period that OEMs have implemented for delivering updates and critical security patches.

The paper, by Daniel R. Thomas, Alastair R. Beresford, and Andrew Rice, reveals a major disconnect between the Android OS providers and the device manufacturers.

Android devices receive, on average, 1.26 security updates per year, resulting in long stretches of time where the devices are at risk. Android appeared to be the most secure during the early parts of 2013, with consecutive discoveries pushing most devices into the “insecure” category in the years that followed.

Researchers at the UK’s University of Cambridge have confirmed in a study a fact that has always been the elephant in the room when it comes to Android devices: they just aren’t getting the security patches they need to be kept secure. With an app running in the background and gathering data, the researchers scored device manufacturers on three factors: the proportion of devices that are free from security vulnerabilities; the proportion that are updated to the most recent software; and the mean number of vulnerabilities that the manufacturer has not yet fixed.
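To show how those three factors become one score out of 10, here is an added example (not code from the study or from this article). The weighting 4f + 3u + 3·2/(1+e^m) is taken from the published paper rather than from this page. The vendor names and observations are constructed, and m is simplified to the mean unfixed count per observed device.

```python
import math
from collections import defaultdict

# Constructed observations, one per device:
# (manufacturer, unfixed critical vulnerabilities, runs the newest version).
# "VendorA" and "VendorB" are hypothetical names, not vendors from the study.
OBSERVATIONS = [
    ("VendorA", 0, True), ("VendorA", 0, True),
    ("VendorA", 1, False), ("VendorA", 0, False),
    ("VendorB", 2, False), ("VendorB", 3, False),
    ("VendorB", 0, True), ("VendorB", 3, False),
]


def fum_score(f, u, m):
    """Combine free (f), update (u) and mean (m) into a 0-10 score.

    f and u are proportions in [0, 1]; m is a non-negative mean count.
    The m term decays from 3 towards 0 as unfixed vulnerabilities pile up.
    """
    if not (0 <= f <= 1 and 0 <= u <= 1) or m < 0:
        raise ValueError("f and u must be in [0, 1] and m must be >= 0")
    return 4 * f + 3 * u + 3 * (2 / (1 + math.exp(m)))


def score_manufacturers(observations):
    """Aggregate per-device observations into a score per manufacturer."""
    by_vendor = defaultdict(list)
    for vendor, unfixed, latest in observations:
        by_vendor[vendor].append((unfixed, latest))

    scores = {}
    for vendor, devices in by_vendor.items():
        n = len(devices)
        f = sum(1 for unfixed, _ in devices if unfixed == 0) / n
        u = sum(1 for _, latest in devices if latest) / n
        # Simplification (assumption): mean unfixed count across devices.
        m = sum(unfixed for unfixed, _ in devices) / n
        scores[vendor] = round(fum_score(f, u, m), 2)
    return scores


if __name__ == "__main__":
    for vendor, score in sorted(score_manufacturers(OBSERVATIONS).items()):
        print(f"{vendor}: {score} / 10")
```

A vendor whose devices are all patched and current, with nothing outstanding, scores exactly 10; because the f term carries the largest weight, a fleet that is mostly exposed cannot score well even if it is up to date.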

He noted that devices from LG, Motorola, and those that fall under the Google Nexus brand are better than most. The Nexus score, for instance, may still be influenced by Galaxy Nexus or Nexus 4 devices, which Google has not committed to supporting, that are still in use.

Although Symphony and Walton received the lowest scores, the researchers note that because they are unpopular manufacturers their phones do not pose the greatest risk.

“If you’re a handset manufacturer like HTC or Samsung, you [also] don’t make any money supporting an old phone.”

The paper concludes that ‘the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities’.

Google’s Nexus receiving the best FUM score is notable.

Given the reality of Android’s reach and the sheer number of vendors that develop around it, it’ll likely strike no one as a surprise to learn that most Android devices out there are now vulnerable.

The research, which was partially funded by Google, is ongoing.
