Exploring Android insecurities

News by Davey Winder

Nearly 88 percent of Android devices have been exposed to at least one critical vulnerability, according to research from the University of Cambridge.

Researchers Daniel R Thomas, Alastair R Beresford and Andrew Rice of the Computer Laboratory at the University of Cambridge have published a paper called 'Security Metrics for the Android Ecosystem' (also available on the Android Vulnerabilities site), claiming that 87.7 percent of Android devices have been exposed to at least one out of eleven critical vulnerabilities.

To put this into some perspective, the data was collected from a corpus of 20,400 devices in total. Bear in mind that last year alone there were more than 1 billion Android devices shipped globally, so just how representative the numbers from this study are must be left for you to decide.

However, there can be no doubt about the fragmentation of the Android market, with so many different versions on so many different devices and so little information passed on from device manufacturers or carriers to end users regarding when (or if) security updates will be pushed to them.

As the researchers said, on average, an Android device will receive just 1.26 updates per year – unless you are an owner of a Google Nexus device, which Google has committed to scheduling for monthly security updates with the release of Marshmallow.

Samsung and LG say they will do the same, although it remains to be seen exactly which devices get the monthly patching and when devices are deemed to have reached end-of-life status for such things.

HTC has already said that such patching is unrealistic, and other manufacturers are quiet on the matter.

As far as current patching efforts are concerned, the report shows that Google, LG and Motorola lead the way using a 'FUM' scoring system where F is the number free from critical vulnerability, U the proportion updated to the latest OS version and M is how many vulnerabilities remain unfixed.

Of course, this research is only the latest in a stream of surveys which seem to all point at Android being the most insecure of the main smartphone platforms.

We wondered if this was really fair, in a real world sense?

"Mobile security shouldn't be an Android versus iOS versus Windows Mobile device debate," insists Gert-Jan Schenk, vice president for EMEA at Lookout. “We've seen a lot of incidences recently that have shown we can't rely solely on Google, Microsoft or Apple to police the app landscape and ensure their operating systems are buttoned up and without back doors."

He has a point, and Apple fans surely won't need reminding about XcodeGhost. Schenk also reminds us we are not only talking about the 'big three' any longer, with an estimated 50 million users out there on the open source Cyanogen OS already.

"If you're an enterprise, this changing landscape means one important thing," Schenk says. "These new devices – which you're not used to seeing – are soon going to start popping up on your network as employees bring them through the front door and they present new security challenges." 

Indeed, the Android versus iOS debate may be the wrong one entirely. Thierry Karsenti, technical director with Check Point, refers to a study Check Point carried out earlier this year, which examined the communications of more than 900,000 mobile devices through Wi-Fi access points at large enterprises, looking for mobile remote access Trojan infections.

"We found that infection rates were as high as one in 500 devices," Karsenti says, "and were evenly distributed between Android and iOS mobiles, and a mix of corporate-issued and personal devices."

Maybe what we need to consider is how the security of any device is largely dependent on how it is used? "Android devices are designed to offer users control over their mobile environment," Bernard Wagner, head of mobile security at MWR InfoSecurity, told SCMagazineUK.com. "Consequently, Android users can install whatever they want from wherever they want, which exposes them to a comparatively high level of risk."

If a user only loads applications from official stores and keeps their device and its applications up to date, they will have a generally secure experience.

As Paco Hope, principal security evangelist at Cigital, puts it, "If Android users behave like iOS users voluntarily, they are very nearly as secure as iOS users."

Of course, the University of Cambridge research was looking at critical vulnerabilities in Android rather than malware or app vulnerabilities. Does this change things when it comes to the device wars debate at all?

According to Adam Tyler, chief innovation officer at CSID, it makes Android "the most insecure and exploitable mobile platform currently on the market".

He cites a number of reasons for this, not least the "huge fragmentation in the current Android eco-system" which means historic devices never get patched at all.

"An example is the Webview exploit targeting Android 4.3 and below," he told SC. "This is an exploit that affects tens if not hundreds of millions of devices, but will never be patched."

This was not lost on the research team. The first fifteen words of the Cambridge University research paper abstract pretty much hit the nail on the head by stating: "The security of Android depends on the timely delivery of updates to fix critical vulnerabilities."

In fact, the only thing you need change about that is to replace 'Android' with 'any operating system' and you have a universal truth.

Nevertheless, the question does need to be asked of Android, given the fractured nature of the installed user base and the inherent unwillingness of manufacturers and carriers to push out regular security patching – if, indeed, these patches are the real answer to the ongoing security problems facing smartphone users.

Indeed, some have argued that the Marshmallow 'security patch level' feature designed to show when the OS was last updated, along with the (admittedly somewhat muddy) promise of monthly security patches, is good enough. 

The thing is, while Google may make monthly patches available, that doesn't mean monthly patches will be rolled out to every device, and especially not to older ones running older and more vulnerable versions of the OS.

Forget ever seeing the kind of updating we are used to with the Chrome browser client.

So maybe a better answer sits with user education and risk awareness when it comes to securing our devices? We put these points to our industry insiders.

Jeremiah Grossman, founder of WhiteHat Security, told SC: "There is no reason to dispute the numbers presented in the University of Cambridge research. What they've done is simply reiterate what the InfoSec community already intuitively knew to be the case — that the vast majority of Android devices are not up-to-date on their patches. This is a ticking time bomb of a security problem."

Regular patching is the answer to many vulnerabilities, of that Paco Hope from Cigital is in no doubt. "Even when patches are available, a lot of calendar time elapses before a patch goes from Google, to a manufacturer, to a carrier, to the end user," he said.

Compare that to the iOS world where, if a user's device is running a vulnerable OS, the user frankly bears a lot of blame. "In the Android world, even users who want to be up to date are sometimes hamstrung or hindered by forces outside their control that are inherent parts of the Android ecosystem," Hope insists.

Not that everyone thinks patching is the magic bullet for Android.

Pete Shoard, chief architect at SecureData, told SC that it isn't the answer in isolation. "A strong security posture includes: patch management, vulnerability identification, monitoring and response plans," Shoard says. "However, patching does reduce the attack surface, and therefore risk."

User education is key and effective monitoring of such systems must be part of a security strategy to ensure that attacks are identified and threats mitigated at the earliest possible juncture, Shoard insists.

Bernard Wagner agrees, adding that “user education is vital, and will remain vital even if the patching policy of vendors is improved”.

“Android is a platform that is intended to provide users with a large degree of freedom,” he said. “While this remains a core component of the Android platform, the security of individual Android devices will be subject to the practices of its owner.”

Winston Bond, European technical manager at Arxan Technologies, also thinks we are missing the point. “Patching won't help if apps are fundamentally open to reverse engineering and tampering,” he says. “Developers need to be more proactive with their app protection by baking advanced anti-tamper and key protection security measures into the apps before they are released in the wild.”

He does have a point, as while there will never be 100 percent assurance of mobile device security, run-time application self-protection can greatly reduce security risks on mobile devices by reducing the attack surface, no matter on which device those apps may be running.
