SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
14 Oct 2015

87% of Android devices are insecure

It's easy to see that the Android ecosystem currently has a rather lax policy toward security, but a recent study from the University of Cambridge put some hard numbers to Android's security failings.

The conclusion finds that "on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities." Data for the study was collected through the group's "Device Analyzer" app, which has been available for free on the Play Store since May 2011.

After the participants opted into the survey, the University says it collected daily Android version and build number information from over 20,400 devices. The study then compared this version information against 13 critical vulnerabilities (including the Stagefright vulnerabilities) dating back to 2010. Each individual device was then labeled "secure" or "insecure" based on whether or not its OS version was patched against these vulnerabilities, or placed in a special "maybe secure" category if it could have gotten a specialized, backported fix.
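The labeling step described above can be sketched as follows. This is an added example, not code from the study or from the original article. The vulnerability records, the device observations and the rule that a build made after a vulnerability became public counts as "maybe secure" are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed vulnerability records: (label, date publicly known, first fixed OS version)
VULNS = [
    ("VULN-A", date(2013, 1, 10), (4, 2, 0)),
    ("VULN-B", date(2015, 7, 27), (5, 1, 1)),
]
RANK = {"secure": 0, "maybe secure": 1, "insecure": 2}

def parse_version(text):
    """'5.1' -> (5, 1, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(day, os_version, build_date):
    """Label one daily observation; the worst label over all known vulnerabilities wins."""
    label = "secure"
    for _name, known_since, fixed_in in VULNS:
        if day < known_since or parse_version(os_version) >= fixed_in:
            continue  # not yet public on that day, or this OS version carries the fix
        # Assumption: a build made after disclosure may include a backported fix.
        candidate = "maybe secure" if build_date >= known_since else "insecure"
        label = max(label, candidate, key=RANK.get)
    return label

def daily_shares(observations):
    """Map each day to {label: fraction of devices seen that day}."""
    per_day = defaultdict(Counter)
    for day, _device, os_version, build_date in observations:
        per_day[day][classify(day, os_version, build_date)] += 1
    return {d: {k: n / sum(c.values()) for k, n in c.items()} for d, c in per_day.items()}

def mean_insecure_share(observations):
    """Average, over all observed days, of the fraction of devices labeled insecure."""
    shares = daily_shares(observations)
    return sum(s.get("insecure", 0.0) for s in shares.values()) / len(shares)

# Constructed observations: (day, device id, OS version, build date)
D1, D2 = date(2015, 7, 1), date(2015, 8, 1)
DEVICES = [("dev1", "4.1.2", date(2012, 10, 1)), ("dev2", "4.1.2", date(2013, 6, 1)),
           ("dev3", "5.1", date(2015, 3, 1)), ("dev4", "5.1.1", date(2015, 6, 15))]
OBSERVATIONS = [(day, *dev) for day in (D1, D2) for dev in DEVICES]

if __name__ == "__main__":
    print(daily_shares(OBSERVATIONS))
    print("mean insecure share:", mean_insecure_share(OBSERVATIONS))
```

A device that never changes can move from "maybe secure" or "secure" to "insecure" simply because a new vulnerability becomes public, which is why the share is computed per day and then averaged.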

As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that "the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities." Along with the study, the University of Cambridge is launching "AndroidVulnerabilities.org," a site that houses this data and grades OEMs based on their security record.

The group came up with a 1-10 security rating for OEMs that it calls the "FUM" score. This algorithm takes into account the number of days a proportion of running devices has no known vulnerabilities (Free), the proportion of devices that run the latest version of Android (Update), and the mean number of vulnerabilities not fixed on any device the company sells (Mean). The study found that Google's Nexus devices were the most secure out there, with a FUM score of 5.2 out of 10. Surprisingly, LG was next with 4.0, followed by Motorola, Samsung, Sony, and HTC, respectively.

The Nexus program's "high score" of only 5.2 out of 10 might seem a little low, given that all supported Nexus devices get updates rather quickly, but we have some theories as to why it scored so poorly. First, the way Google distributes updates for Nexus devices is extremely slow. Even after the update is developed and released on the Nexus System Image page, pushing the update out to everyone via an OTA usually takes two full weeks. The other issue is probably that the "two years of updates" policy that Google and OEMs have been living by doesn't match up with reality. As a survey of every active device, the study probably includes old, unsupported Nexus devices like the Galaxy Nexus.

One of the strange things about the study is its choice of Android OEMs. According to IDC Research, the top four Android OEMs worldwide are Samsung, Huawei, Xiaomi, and Lenovo, respectively. With only Samsung in the study's FUM scores, the study omits three of the top four Android OEMs. It's especially odd considering the list goes down to relatively no-name OEMs like Symphony and Walton. And since the app is distributed through Google Play, we'd imagine the results exclude non-Google Play countries, like China.

With 87% of devices flagged as insecure on any given day, the study really shows how far the Android ecosystem has to go to protect its users. Google and some OEMs have committed to a monthly security update program, but that is usually for devices that are less than two years old (Google recently bumped Nexus devices to three years) and only for flagship devices. The vast majority of Android sales are not flagship devices. Until Google rearchitects Android to support centralized, device-agnostic updates, we just don't see a solution to Android's security problems.

Tags: Android information leaks

Source: Ars Technica