Exploring Android insecurities

Nearly 88 percent of Android devices have been exposed to at least one critical vulnerability, according to research from the University of Cambridge.

Android security is in the eye of the beholder
Android security is in the eye of the beholder

Researchers Daniel R Thomas, Alastair R Beresford and Andrew Rice of the Computer Laboratory at the University of Cambridge have published a paper called 'Security Metrics for the Android Ecosystem' (also available on the Android Vulnerabilities site), claiming that 87.7 percent of Android devices have been exposed to at least one out of eleven critical vulnerabilities.

To put this into some perspective, the data was collected from a corpus of 20,400 devices in total. Bear in mind that last year alone there were more than 1 billion Android devices shipped globally, so just how representative the numbers from this study are must be left for you to decide.

However, there can be no doubt about the fragmentation of the Android market, with so many different versions on so many different devices and so little information passed on from device manufacturers or carriers to end users regarding when (or if) security updates will be pushed to them.

As the researchers said, on average, an Android device will receive just 1.26 updates per year –unless you are an owner of a Google Nexus device, which Google has committed to scheduling for monthly security updates with the release of Marshmallow.

Samsung and LG say they will do the same, although it still remains to be seen exactly which devices get the monthly patching and when devices are deemed to be have reached end of life status for such things.

HTC has already said that such patching is unrealistic, and other manufacturers are quiet on the matter.

As far current patching efforts are concerned, the report shows that Google, LG and Motorola lead the way using a 'FUM' scoring system where F is the number free from critical vulnerability, U the proportion updated to the latest OS version and M is how many vulnerabilities remain unfixed.

Of course, this research is only the latest in a stream of surveys which seem to all point at Android being the most insecure of the main smartphone platforms.

We wondered if this was really fair, in a real world sense?

"Mobile security shouldn't be an Android versus iOS versus Windows Mobile device debate," insists Gert-Jan Schenk, vice president for EMEA at Lookout. “We've seen a lot of incidences recently that have shown we can't rely solely on Google, Microsoft or Apple to police the app landscape and ensure their operating systems are buttoned up and without back doors."

He has a point, and Apple fans surely won't need reminding about XcodeGhost. Schenk also reminds us we are not only talking about the 'big three' any longer, with an estimated 50 million users out there on the open source Cyanogen OS already.

"If you're an enterprise, this changing landscape means one important thing," Schenk says. "These new devices – which you're not used to seeing – are soon going to start popping up on your network as employees bring them through the front door and they present new security challenges." 

Page 1 of 3