Feeds

Security takes a backseat on Android in update shambles

Mobe makers sit on new versions for six months

Providing a secure and efficient Helpdesk

The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack.

The latest figures from Google's Android developer web site show that 44.4 per cent of users have the latest version of Android (Android 2.3 or later installed) on their devices. A further 1.9 per cent are running developer builds.

That leaves 53.7 per cent running older versions, the majority of which (40.7 per cent of the total userbase) are running Android 2.2 (Froyo). The stats come from users visiting Google's App Store over a fortnight.

A study by application security firm Bit9 found that the sheer complexity of the Android ecosystem - in which updates are distributed in different ways and at different times (if at all) based on manufacturer, phone family, phone model, carrier, and geographic location - has meant security has taken a back seat, leaving smartphone users more vulnerable as a result.

Bit9 looked at the 20 most popular Android handsets from the likes of Samsung, HTC, Motorola, and LG. It found many Android smartphone suppliers launch new phones with outdated software out of the box. To make matters worse, many suffer from tremendous lag times in rolling out updates to later and more secure versions of Android.

Six of the 20 surveyed phones are running Android 2.2, a version that shipped 18 months ago in May 2010. A further seven are running builds of Android that are at least nine months old. Only seven of them were up to date.

The average time between when an update is available from Google and when it is pushed to the phone is 185 days – slightly more than six months. For example, across the Samsung models Bit9 studied, the average lag time is over 240 days (over eight months).

In some cases, the phones are not updated at all as the manufacturers shift their focus to newer models, leaving existing customers stranded with insecure software. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone, according to Bit9.

Security nightmare for BOFHs

"Smartphones are the new laptop and represent the fastest emerging threat vector," said Harry Sverdlove, CTO of Bit9. "In our bring-your-own-device-to-work culture, people are using their personal smartphones for both personal and business use, and attacks on these devices are on the rise."

Android smartphone manufacturers are prioritising form and functionality over security, leaving consumers and businesses at greater risk as a result of running out-of-date and insecure smartphone software. The consumerisation of IT, where more people are using their personal devices at work, is putting companies at risk for data leakage and intellectual property theft. Running around with outdated smartphone software is not just bad practice, it creates real security risks.

For example the DroidDream malware, which moved Google to pull at least 50 apps from the Android Market in March and invoke a "kill switch" to remove those applications from more than 250,000 Android users' phones, relied on a specific vulnerability in the operating system that Google fixed in its 2.3 (Gingerbread) release and a point release of 2.2.2 (Froyo).

"The malware itself was delivered as a standard app that users had to choose to install, but its ability to take complete control (root) the phone was dependent on the patch level of the phone," Sverdlove explained.

In August 2011, a vulnerability was discovered that could allow an attacker to hijack the browser. Google fixed this problem in 2.3.5 and 3.1. While no attacks based on the vulnerability have been carried out to date it would be rash to wait until a major attack is underway before patching.

Most minor and major updates of Android include "security updates", and most Android phones come with manufacturer enhancements and third-party components (eg, Java and Flash) as well. Each of those components is equally at risk if they are not properly and regularly updated.

Despite this need for security updates the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment in which it can take several months for important updates to be distributed, if at all.

"Manufacturers and phone carriers have shown that when they are in the business of owning software updates, they perform poorly," Harry Sverdlove, CTO of Bit9 told El Reg. "Their interest is in selling newer phones and carrier contracts; they are not incentivised to prioritise security for existing phones."

Sverdlove acknowledged there are no easy answers but suggested a number of steps to improve the situation. Much like the PC industry, smartphone manufacturers could relinquish control of the operating system software updates. This process has already been implemented with the Apple iPhone and Google Nexus phone.

Secondly security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritising security updates. In the meantime, corporations need to evolve to a "secure app store" model and allow only specific devices and trustworthy applications into their environment.

Bit9 does not as yet market services or technology that secures mobile devices. It carried out the research in the interests of raising awareness about what it sees as a growing problem. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Same old iPad? NO. The new 'soft SIMs' are BIG NEWS
AppleSIM 'ware to allow quick switch of carriers
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Brits: Google, can you scrape 60k pages from web, pleeease
Hey, c'mon Choc Factory, it's our 'right to be forgotten'
Of COURSE Stephen Elop's to blame for Nokia woes, says author
'Google did have some unique propositions for Nokia'
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.