It's easy to see that the Android ecosystem currently has a rather lax policy toward security, but a recent study from the University of Cambridge put some hard numbers to Android's security failings.
The conclusion finds that "on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities." Data for the study was collected through the group's "Device Analyzer" app, which has been available for free on the Play Store since May 2011.
After the participants opted into the survey, the University says it collected daily Android version and build number information from over 20,400 devices. The study then compared this version information against 13 critical vulnerabilities (including the Stagefright vulnerabilities) dating back to 2010. Each individual device was then labeled "secure" or "insecure" based on whether or not its OS version was patched against these vulnerabilities, or placed in a special "maybe secure" category if it could have gotten a specialized, backported fix.
As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that "the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities." Along with the study, the University of Cambridge is launching "AndroidVulnerabilities.org," a site that houses this data and grades OEMs based on their security record.
The group came up with a 1-10 security rating for OEMs that it calls the "FUM" score. This algorithm takes into account the number of days a proportion of running devices has no known vulnerabilities (Free), the proportion of devices that run the latest version of Android (Update), and the mean number of vulnerabilities not fixed on any device the company sells (Mean). The study found that Google's Nexus devices were the most secure out there, with a FUM score of 5.2 out of 10. Surprisingly, LG was next with 4.0, followed by Motorola, Samsung, Sony, and HTC, respectively.
The Nexus program's "high score" of only 5.2 out of 10 might seem a little low, given that all supported Nexus device get updates rather quickly, but we have some theories as to why it scored so poorly. First, the way Google distributes updates for Nexus devices is extremely slow. Even after the update is developed and released on the Nexus System Image page, pushing the update out to everyone via an OTA usually takes two full weeks. The other issue is probably that this "two years of updates" policy that Google and OEMs have been living by doesn't match up with reality. As a survey of every active device, it probably includes old, unsupported Nexus devices like the Galaxy Nexus.
One of the strange things about the study is its choice of Android OEMs. According to IDC Research, the top four Android OEMs worldwide are Samsung, Huawei, Xiaomi, and Lenovo, respectively. With only Samsung in the study's FUM scores, the study omits three of the top four Android OEMs. It's especially odd considering the list goes down to relative no-name OEMs on there like Symphony and Walton. And since the app is distributed through Google Play, we'd imagine the results exclude non-Google Play countries, like China.
With 87% of devices flagged as insecure on any given day, the study really shows how far the Android ecosystem has to go to protect its users. Google and some OEMs have committed to a monthly security update program, but that is usually for devices that are less than two years old (Google recently bumped Nexus devices to three years) and only for flagship devices. The vast majority of Android sales are not flagship devices. Until Google rearchitects Android to support centralized, device-agnostic updates, we just don't see a solution to Android's security problems.