87% of Android devices insecure, University of Cambridge study

mmntech

Lifer
Sep 20, 2007
17,501
12
0
It's easy to see that the Android ecosystem currently has a rather lax policy toward security, but a recent study from the University of Cambridge put some hard numbers to Android's security failings. The conclusion finds that "on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities."

Data for the study was collected through the group's "Device Analyzer" app, which has been available for free on the Play Store since May 2011. After the participants opted into the survey, the University says it collected daily Android version and build number information from over 20,400 devices. The study then compared this version information against 13 critical vulnerabilities (including the Stagefright vulnerabilities) dating back to 2010. Each individual device was then labeled "secure" or "insecure" based on whether or not its OS version was patched against these vulnerabilities, or placed in a special "maybe secure" category if it could have gotten a specialized, backported fix.

As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that "the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities." Along with the study, the University of Cambridge is launching "AndroidVulnerabilities.org," a site that houses this data and grades OEMs based on their security record. The group came up with a 1-10 security rating for OEMs that it calls the "FUM" score. This algorithm takes into account the number of days a proportion of running devices has no known vulnerabilities (Free), the proportion of devices that run the latest version of Android (Update), and the mean number of vulnerabilities not fixed on any device the company sells (Mean). The study found that Google's Nexus devices were the most secure out there, with a FUM score of 5.2 out of 10. Surprisingly, LG was next with 4.0, followed by Motorola, Samsung, Sony, and HTC, respectively.

http://arstechnica.com/security/201...udy-finds-87-of-android-devices-are-insecure/

http://androidvulnerabilities.org/

Looks like there was a massive boost in security over Jelly Bean's lifetime, but it's since trailed off. I'd be interested to see what the stats are for Apple, Microsoft, and BlackBerry. Those companies have direct control over updates.
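The post above describes the study's labelling rule (a device is "secure" if its OS version is past the fix for every vulnerability, "maybe secure" if the only open ones could have been backported, otherwise "insecure"). The script below is an added illustration of that rule, not code from the thread or from the Cambridge study; the vulnerability records and device versions are constructed placeholders, not real advisories.

```python
# Added example: reimplementation of the secure / maybe secure / insecure labelling
# described in the post. Vulnerability records below are CONSTRUCTED placeholders.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    name: str
    introduced_in: tuple   # first affected Android version
    fixed_in: tuple        # first version whose code ships the fix
    backport_known: bool   # OEMs are known to have backported a fix to older builds


def parse_version(text: str) -> tuple:
    """'4.4.2' -> (4, 4, 2); tuples compare lexicographically, as versions do."""
    return tuple(int(p) for p in text.split("."))


def exposed_to(version: tuple, v: Vuln) -> bool:
    # A build is exposed when it lies in [introduced, fixed).
    return v.introduced_in <= version < v.fixed_in


def classify(version_text: str, vulns) -> str:
    version = parse_version(version_text)
    open_vulns = [v for v in vulns if exposed_to(version, v)]
    if not open_vulns:
        return "secure"
    if all(v.backport_known for v in open_vulns):
        return "maybe secure"       # a backported fix may exist on this build
    return "insecure"


def fleet_summary(versions, vulns) -> dict:
    """Counts per label plus the share of devices exposed to at least one vuln."""
    counts = Counter(classify(v, vulns) for v in versions)
    total = sum(counts.values())
    exposed = counts["insecure"] + counts["maybe secure"]
    return {"counts": dict(counts), "exposed_pct": round(100.0 * exposed / total, 1)}


# Constructed placeholders: not real vulnerabilities or real fix versions.
CONSTRUCTED_VULNS = [
    Vuln("PLACEHOLDER-A", (2, 2), (4, 0), backport_known=False),
    Vuln("PLACEHOLDER-B", (4, 0), (4, 4), backport_known=True),
    Vuln("PLACEHOLDER-C", (2, 2), (4, 2), backport_known=False),
]
# Constructed sample of reported build versions.
CONSTRUCTED_FLEET = ["2.3.6", "4.1.2", "4.3.1", "5.1.1"]

if __name__ == "__main__":
    for ver in CONSTRUCTED_FLEET:
        print(ver, "->", classify(ver, CONSTRUCTED_VULNS))
    print(fleet_summary(CONSTRUCTED_FLEET, CONSTRUCTED_VULNS))
```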
 

StrangerGuy

Diamond Member
May 9, 2004
8,443
124
106
Vulnerabilities aren't the killer, the near complete inability to channel patches to the end user is.

I was actually hoping there is a blaster worm-esque epic meltdown so Google can finally not sit on their asses to fix the fundamentally screwed update model in Android.
 

nsafreak

Diamond Member
Oct 16, 2001
7,093
3
81
Part of the problem is Google, but a pretty good portion of the problem has to do with the OEMs & the carriers. Some OEMs are better than others but all too many of them drag their feet when it comes to updating the OS on the phone. And even if they are quick they have to go through the approval process for the carriers which adds time on to the whole thing. Frankly what I'd like to see from Google is that if your phone uses Android and your company chooses not to support the handset anymore you must provide end users with the ability to unlock the bootloader so that they can at least attempt to load an up to date OS.
 

88keys

Golden Member
Aug 24, 2012
1,854
12
81
Not really surprising considering the myriad of forks for Android (like how every brand and carrier has to have their own special bloated version just for them) along with various broken updates and the amount of half working shady apps and the inability of the average user to figure out how to do basic things on their Android phone, let alone the daunting task of keeping malware and other crap off of it.

Say what you want about Apple, but being restrictive on the available apps and limiting functionality aren't necessarily a bad thing when it comes to security and reliability.
 

Mopetar

Diamond Member
Jan 31, 2011
8,290
7,275
136
It seems like every few months a similar story comes out, but I don't think there's ever been a widespread breakout infection on Android for all the fuss over security.
 

Commodus

Diamond Member
Oct 9, 2004
9,215
6,820
136
It seems like every few months a similar story comes out, but I don't think there's ever been a widespread breakout infection on Android for all the fuss over security.

The big issue is in countries where Google Play either isn't available or isn't common, particularly China. Vendors have to allow apps from third-party sources to get any apps at all, and that opens devices to shady app stores, web-delivered malware and all kinds of other trouble. It's true that there hasn't been a big, Blaster-worm-circa-Windows-XP breakout, but it is a significant problem in some places.

It's no wonder then that Apple isn't in a rush to allow apps from outside the App Store for non-enterprise users... it'd rather have the near-spotless track record, thank you. I'm always amused by the antivirus makers demanding that Apple open things up so that they can offer their AV apps, which boils down to "please make your platform less secure so we can make money by securing it."
 

StrangerGuy

Diamond Member
May 9, 2004
8,443
124
106
The big issue is in countries where Google Play either isn't available or isn't common, particularly China. Vendors have to allow apps from third-party sources to get any apps at all, and that opens devices to shady app stores, web-delivered malware and all kinds of other trouble. It's true that there hasn't been a big, Blaster-worm-circa-Windows-XP breakout, but it is a significant problem in some places.

It's no wonder then that Apple isn't in a rush to allow apps from outside the App Store for non-enterprise users... it'd rather have the near-spotless track record, thank you. I'm always amused by the antivirus makers demanding that Apple open things up so that they can offer their AV apps, which boils down to "please make your platform less secure so we can make money by securing it."

Ahaha, Play Store as the bastion of Android security? Thanks for the laugh. There are tons of Play Store apps that have no legitimate business reading contact information, accessing phone calls or sending SMSes, but do anyway because Google can care less.
 

ImpulsE69

Lifer
Jan 8, 2010
14,946
1,077
126
They use OS's as another way to push people to upgrade their phones. They have very little incentive to push out regular updates for anything that wasn't released that year.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,202
126
You all basically laughed at me in my thread where I said I supported legislation. But more reports of these issues, and the "industry"'s (Google, OEMs, and carriers) complete inability to deal with this issue, means that unless they get their act together, then legislation is... inevitable. Remember, there was a time where seat belts weren't required by law, and like update patches, were only available on "luxury" vehicles. Arguably, legislation requiring seat belts, air bags, and other safety features (Edit: For ALL cars) has indeed made our roads safer.

We don't need a botnet of 5 billion 4G LTE users' phones developing overnight due to some remote exploit, and then being used to DDoS critical internet infrastructure or commerce.

The time to act, is NOW, and that's why I support legislation, because the industry is putting profits from "hit and run phones" ahead of security.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
49,713
6,076
136
Vulnerabilities aren't the killer, the near complete inability to channel patches to the end user is.

I was actually hoping there is a blaster worm-esque epic meltdown so Google can finally not sit on their asses to fix the fundamentally screwed update model in Android.

This is one of the things I like about Apple's walled garden. They're not 100% security-focused like they should be, but given how tight their stock, non-jailbroken system is, it's pretty decent. Vulnerabilities will always exist (just look at the Hacking Team scandal), but whatever protection you can get is always good.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
49,713
6,076
136
You all basically laughed at me in my thread where I said I supported legislation. But more reports of these issues, and the "industry"'s (Google, OEMs, and carriers) complete inability to deal with this issue, means that unless they get their act together, then legislation is... inevitable. Remember, there was a time where seat belts weren't required by law, and like update patches, were only available on "luxury" vehicles. Arguably, legislation requiring seat belts, air bags, and other safety features (Edit: For ALL cars) has indeed made our roads safer.

We don't need a botnet of 5 billion 4G LTE users' phones developing overnight due to some remote exploit, and then being used to DDoS critical internet infrastructure or commerce.

The time to act, is NOW, and that's why I support legislation, because the industry is putting profits from "hit and run phones" ahead of security.

It makes sense. Think of what you do on your phone & everything that could be manipulated... calls could be recorded, passwords saved, mic turned on remotely for spying, the works. It's kind of scary how much crap a lot of programs "require" access to in order to be installed under Android. Your whole life could be turned upside down if someone hacks your phone with malicious intentions - all of your private photos, emails, texts, banking & credit information, etc. would be available to them. There's like zero legislation & enforcement of this stuff. We had to pass laws to get people to wear seatbelts so they wouldn't die in accidents; it will have to be the same way for Android to do anything, since they're already on version 6 & haven't done it yet.

The lack of patching & updating is also frustrating for the end user...at least with Apple, I know I'll get a solid two years of usable life out of my portable, but exactly zero of my Android devices have ever updated past one point update (ex. 4.3 to 4.4), not even a full update. I know some flagship devices get upgrades, sometimes, but Google has a hard time keeping their own hardware off the chopping block (Nexus Q etc.). I wonder if the change to Alphabet will allow for more focus on Android & perhaps a dedicated security branch...
 

lopri

Elite Member
Jul 27, 2002
13,310
687
126
You all basically laughed at me in my thread where I said I supported legislation. But more reports of these issues, and the "industry"'s (Google, OEMs, and carriers) complete inability to deal with this issue, means that unless they get their act together, then legislation is... inevitable. Remember, there was a time where seat belts weren't required by law, and like update patches, were only available on "luxury" vehicles. Arguably, legislation requiring seat belts, air bags, and other safety features (Edit: For ALL cars) has indeed made our roads safer.

We don't need a botnet of 5 billion 4G LTE users' phones developing overnight due to some remote exploit, and then being used to DDoS critical internet infrastructure or commerce.

The time to act, is NOW, and that's why I support legislation, because the industry is putting profits from "hit and run phones" ahead of security.

I would support such legislation.
 

mmntech

Lifer
Sep 20, 2007
17,501
12
0
I honestly feel Apple's model gives a false sense of security:

http://researchcenter.paloaltonetwo...ilbroken-ios-devices-by-abusing-private-apis/

Any computer can be an attack vector if you aren't careful. Even iStuff.

iOS certainly isn't invulnerable to attacks and has a long history of hacking. Yispecter is different though since it doesn't require root access to work, or even the device to be physically connected to a computer via USB.

Apple does have the advantage in that they have full control of hardware and software. Meaning patches can be pushed out to all devices quickly. They've also gotten much better at supporting older devices.

Same rules apply for Microsoft and Windows Phone. While they don't control the entire hardware chain, they don't allow custom ROMs. They also have a plan for long term support. 10 years for the desktop. Not sure about mobile but I can't see it being significantly different.

Google just gave up too much control to the hardware supply chain, and it's really doing damage to Android's reputation. At least in the tech community. I wholeheartedly support the concept of open source, but the OS has become too fragmented for its own good. It's souring me off buying an Android device. At least one that's not a Nexus.
 

lopri

Elite Member
Jul 27, 2002
13,310
687
126
But isn't openness correlated to risks? You want to avoid unwanted pregnancy, STDs, or whatever else, the most secure way to go about is abstinence. I do not know how many would be willing to take that as an option.

iOS does and will do better at security as long as Apple maintains the policy of controlling what contents can be shown and what users can do. Android will remain a platform where users have more freedom with their devices at the cost of higher vulnerability. Freedom is never free.
 

Red Storm

Lifer
Oct 2, 2005
14,233
234
106
But isn't openness correlated to risks? You want to avoid unwanted pregnancy, STDs, or whatever else, the most secure way to go about is abstinence. I do not know how many would be willing to take that as an option.

iOS does and will do better at security as long as Apple maintains the policy of controlling what contents can be shown and what users can do. Android will remain a platform where users have more freedom with their devices at the cost of higher vulnerability. Freedom is never free.

Nexus gives you freedom and security. It's the best combination.
 

Oyeve

Lifer
Oct 18, 1999
22,035
872
126
In other news, all computers are targets, hackable and insecure. News at 11.
 

StrangerGuy

Diamond Member
May 9, 2004
8,443
124
106
iOS certainly isn't vulnerable to attacks. Yispecter is different though since it doesn't require root access to work, or even the device to be physically connected to a computer via USB.

Apple does have the advantage in that they have full control of hardware and software. Meaning patches can be pushed out to all devices quickly. They've also gotten much better at supporting older devices.

Same rules apply for Microsoft and Windows Phone. While they don't control the entire hardware chain, they don't allow custom ROMs. They also have a plan for long term support. 10 years for the desktop. Not sure about mobile but I can't see it being significantly different.

Google just gave up too much control to the hardware supply chain, and it's really doing damage to Android's reputation. At least in the tech community. I wholeheartedly support the concept of open source, but the OS has become too fragmented for its own good. It's souring me off buying an Android device. At least one that's not a Nexus.

All the Android players signed a deal with the devil for marketshare against iPhone at all costs, and are now paying the price where Android is simply too good at what it does best (disposable low end phones with Gapps/Play Store) but lousy additional value proposition elsewhere.
 

openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
13% of an open platform OS is secure? That number seems quite high. I don't know if the source is credible.
 

ControlD

Diamond Member
Apr 25, 2005
5,440
44
91
13% of an open platform OS is secure? That number seems quite high. I don't know if the source is credible.

They are only talking about 11 known vulnerabilities. If 13% of the Android phones out there are running with phones patched against those 11 hacks then they are considered "secure" in this study. They aren't trying to speculate on what else might be out there hidden or non-disclosed.
 

Artdeco

Platinum Member
Mar 14, 2015
2,682
1
0
You all basically laughed at me in my thread where I said I supported legislation. But more reports of these issues, and the "industry"'s (Google, OEMs, and carriers) complete inability to deal with this issue, means that unless they get their act together, then legislation is... inevitable. Remember, there was a time where seat belts weren't required by law, and like update patches, were only available on "luxury" vehicles. Arguably, legislation requiring seat belts, air bags, and other safety features (Edit: For ALL cars) has indeed made our roads safer.

We don't need a botnet of 5 billion 4G LTE users' phones developing overnight due to some remote exploit, and then being used to DDoS critical internet infrastructure or commerce.

The time to act, is NOW, and that's why I support legislation, because the industry is putting profits from "hit and run phones" ahead of security.

That would be a nightmare, yikes...
 

Commodus

Diamond Member
Oct 9, 2004
9,215
6,820
136
Ahaha, Play Store as the bastion of Android security? Thanks for the laugh. There are tons of Play Store apps that have no legitimate business reading contact information, accessing phone calls or sending SMSes, but do anyway because Google can care less.

Oh, I didn't say it was perfectly secure. However, most of the dangerous apps tend to exist outside of Google Play, since there's less screening that could keep them out. It's like having a combination lock on a door. Sure, someone could guess the code or bust the lock open, but it's still much better than having no lock at all.
 

openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
Only idiots install rogue apps and open viruses anyway. It doesn't matter what they use, they'll get it one way or another. Lazy people don't manage their digital data, therefore they are vulnerable for attacks. Having a walled garden to keep lazy people from security exploits is only enabling the laziness. Truth.
 

sweenish

Diamond Member
May 21, 2013
3,656
60
91
You all basically laughed at me in my thread where I said I supported legislation. But more reports of these issues, and the "industry"'s (Google, OEMs, and carriers) complete inability to deal with this issue, means that unless they get their act together, then legislation is... inevitable. Remember, there was a time where seat belts weren't required by law, and like update patches, were only available on "luxury" vehicles. Arguably, legislation requiring seat belts, air bags, and other safety features (Edit: For ALL cars) has indeed made our roads safer.

We don't need a botnet of 5 billion 4G LTE users' phones developing overnight due to some remote exploit, and then being used to DDoS critical internet infrastructure or commerce.

The time to act, is NOW, and that's why I support legislation, because the industry is putting profits from "hit and run phones" ahead of security.

And I'm going to keep laughing, until an exploit is actually shown "in the wild."

For all its supposed holes and security issues, it's still never happened. For years, it's never happened.
 

Red Storm

Lifer
Oct 2, 2005
14,233
234
106
Does their study actually show which devices (and how many) from each manufacturer? "Samsung" by itself means absolutely nothing to me without more detail about specific models and how many of them.