Feeds

Security takes a backseat on Android in update shambles

Mobe makers sit on new versions for six months

Designing a Defense for Mobile Applications

The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack.

The latest figures from Google's Android developer web site show that 44.4 per cent of users have the latest version of Android (Android 2.3 or later installed) on their devices. A further 1.9 per cent are running developer builds.

That leaves 53.7 per cent running older versions, the majority of which (40.7 per cent of the total userbase) are running Android 2.2 (Froyo). The stats come from users visiting Google's App Store over a fortnight.

A study by application security firm Bit9 found that the sheer complexity of the Android ecosystem - in which updates are distributed in different ways and at different times (if at all) based on manufacturer, phone family, phone model, carrier, and geographic location - has meant security has taken a back seat, leaving smartphone users more vulnerable as a result.

Bit9 looked at the 20 most popular Android handsets from the likes of Samsung, HTC, Motorola, and LG. It found many Android smartphone suppliers launch new phones with outdated software out of the box. To make matters worse, many suffer from tremendous lag times in rolling out updates to later and more secure versions of Android.

Six of the 20 surveyed phones are running Android 2.2, a version that shipped 18 months ago in May 2010. A further seven are running builds of Android that are at least nine months old. Only seven of them were up to date.

The average time between when an update is available from Google and when it is pushed to the phone is 185 days – slightly more than six months. For example, across the Samsung models Bit9 studied, the average lag time is over 240 days (over eight months).

In some cases, the phones are not updated at all as the manufacturers shift their focus to newer models, leaving existing customers stranded with insecure software. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone, according to Bit9.

Security nightmare for BOFHs

"Smartphones are the new laptop and represent the fastest emerging threat vector," said Harry Sverdlove, CTO of Bit9. "In our bring-your-own-device-to-work culture, people are using their personal smartphones for both personal and business use, and attacks on these devices are on the rise."

Android smartphone manufacturers are prioritising form and functionality over security, leaving consumers and businesses at greater risk as a result of running out-of-date and insecure smartphone software. The consumerisation of IT, where more people are using their personal devices at work, is putting companies at risk for data leakage and intellectual property theft. Running around with outdated smartphone software is not just bad practice, it creates real security risks.

For example the DroidDream malware, which moved Google to pull at least 50 apps from the Android Market in March and invoke a "kill switch" to remove those applications from more than 250,000 Android users' phones, relied on a specific vulnerability in the operating system that Google fixed in its 2.3 (Gingerbread) release and a point release of 2.2.2 (Froyo).

"The malware itself was delivered as a standard app that users had to choose to install, but its ability to take complete control (root) the phone was dependent on the patch level of the phone," Sverdlove explained.

In August 2011, a vulnerability was discovered that could allow an attacker to hijack the browser. Google fixed this problem in 2.3.5 and 3.1. While no attacks based on the vulnerability have been carried out to date it would be rash to wait until a major attack is underway before patching.

Most minor and major updates of Android include "security updates", and most Android phones come with manufacturer enhancements and third-party components (eg, Java and Flash) as well. Each of those components is equally at risk if they are not properly and regularly updated.

Despite this need for security updates the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment in which it can take several months for important updates to be distributed, if at all.

"Manufacturers and phone carriers have shown that when they are in the business of owning software updates, they perform poorly," Harry Sverdlove, CTO of Bit9 told El Reg. "Their interest is in selling newer phones and carrier contracts; they are not incentivised to prioritise security for existing phones."

Sverdlove acknowledged there are no easy answers but suggested a number of steps to improve the situation. Much like the PC industry, smartphone manufacturers could relinquish control of the operating system software updates. This process has already been implemented with the Apple iPhone and Google Nexus phone.

Secondly security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritising security updates. In the meantime, corporations need to evolve to a "secure app store" model and allow only specific devices and trustworthy applications into their environment.

Bit9 does not as yet market services or technology that secures mobile devices. It carried out the research in the interests of raising awareness about what it sees as a growing problem. ®

HP ProLiant Gen8: Integrated lifecycle automation

More from The Register

next story
Scotland's BIG question: Will independence cost me my broadband?
They can take our lives, but they'll never take our SPECTRUM
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Bring back error correction, say Danish 'net boffins
We don't need no steenkin' TCP/IP retransmission and the congestion it causes
NBN Co adds apartments to FTTP rollout
Commercial trial locations to go live in September
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
Samsung Z Tizen OS mobe is post-phoned – this time for good?
Russian launch for Sammy's non-droid knocked back
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.