Research reveals Android device security lacks update inertia


In their paper ‘Security Metrics for the Android Ecosystem’ published last year, University of Cambridge researchers concluded that “the security of Android depends on the timely delivery of updates to fix critical vulnerabilities,” but found that, “on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.” These two things are not unconnected and have a big effect on Android device security.

Fast forward to 2016 and researchers at Duo Labs have revealed that more than 90% of Android devices are still running outdated versions of the operating system.

Here are some other key findings from that research:

  • Only 1 in 10 Android devices have enabled pre-boot passcode device encryption
  • 1 in 3 Android devices don’t use passcodes on their lock screens, compared to 1 in 20 Apple devices
  • 1 in 20 Android devices are rooted/jailbroken, compared to 1 in 250 iPhones
  • Twenty percent of Android devices are running 5.1.1, a version behind the latest, which is now 6.0.1

What’s more, some 32% of what the Duo Labs team describe as “active Android devices” are actually running version 4.0 or below. That means they are more susceptible to the Stagefright vulnerability, to name just one problem with not having an up-to-date OS installation.

Not that a new device running Marshmallow is immune from security problems, of course. The January Android Security Update fixes a whole bunch of them, including a remote code execution flaw and four critical elevation of privilege vulnerabilities.

The thing is, if you have an Android 6 device you get access to those security updates. Sort of. That rather depends on your device, truth be told, which is why some of us opt for Google Nexus hardware.

Yes, the security vulnerabilities still crop up, but the patches to fix them roll out every month. Android 6 users can check in their system settings where the ‘Android security patch level’ will be shown; if you have the current month showing you are up to date.

Better yet, the Google Nexus devices get those updates pushed out over the air, there is no requirement to go initiate a download and no waiting for a vendor or carrier to make one available.

Which brings us back to the main point here: the vast majority of Android users are not up to date, and are far from being secure. In fact, only around 0.7% of devices are currently running Android 6.

This isn’t surprising, and it reveals the main problem with Android security: the sheer number of devices out there. Some sources put the number of unique Android handsets as high as 10,000. That’s a very broad ecosystem comprising myriad manufacturers, all with a different outlook on rolling out updates or patches.

According to the Duo Labs research, the most popular (by volume) installed OS versions are distributed as follows:

  • 5.1.1 (20%)
  • 5.0 (16.42%)
  • 4.4.2 (14%)
  • 5.0.1 (14%)
  • 4.4.4 (9%)

Throw in the added complexity of carrier partnerships, which also influence if and when you get an update, and it soon becomes clear that getting a view into Android security means wading through some very murky waters.

Google releasing a critical security update is one thing; that update reaching your device is quite another. It doesn’t take a security guru to realise that if a critical vulnerability has become common knowledge, as it will be once a security patch has rolled out to address it, then unpatched devices are at risk of being exploited.


This risk becomes even more critical when you understand that folk with these unpatched devices running outdated versions of the operating system and with sweet diddly squat chance of ever seeing an update are connecting them to corporate networks.

How much of a risk, do you ask? Well, according to Duo Labs, the number of devices connected to enterprise networks yet no longer supported by the manufacturer (so are update-free zones) is as high as 20 million.

Of course, once again that doesn’t mean that the enterprise is inherently insecure as a result. The BYOD threat has been around long enough for any organisation that takes security seriously to have the kind of device visibility that can uncover such devices when they try to access critical applications, and to take appropriate action.
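The two checks this article leans on, whether the ‘Android security patch level’ shown in system settings is the current month and whether a device connecting to the network is on an outdated OS release, are simple enough to automate against a device inventory. The following is an added example written for this page, not code from Duo Labs or Google. It assumes a constructed inventory where each record carries the Android version string and the patch level in the YYYY-MM-DD form the settings screen displays (on Android 6 that value comes from the `ro.build.version.security_patch` system property; older releases report nothing), and it applies a hypothetical policy of a minimum OS version plus a maximum patch-level age in months.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    android_version: str            # e.g. "5.1.1" as reported by the device
    security_patch: Optional[str]   # "YYYY-MM-DD" patch level, None if the release has no such field


def parse_version(version: str) -> tuple:
    """Turn "6.0.1" into (6, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def months_behind(patch_level: str, today: date) -> int:
    """Whole months between the patch level's month and the reference month."""
    year, month, _day = (int(x) for x in patch_level.split("-"))
    return (today.year - year) * 12 + (today.month - month)


def assess(device: Device, today: date,
           min_version: str = "6.0", max_months_behind: int = 1) -> List[str]:
    """Return the policy violations for one device; an empty list means it passes.

    The policy values are hypothetical defaults chosen for this example.
    """
    reasons = []
    if parse_version(device.android_version) < parse_version(min_version):
        reasons.append(f"OS {device.android_version} is below minimum {min_version}")
    if device.security_patch is None:
        # Pre-Marshmallow releases expose no patch level, so there is nothing to be current with
        reasons.append("no security patch level reported")
    else:
        behind = months_behind(device.security_patch, today)
        if behind > max_months_behind:
            reasons.append(f"patch level {device.security_patch} is {behind} months old")
    return reasons


def outdated_devices(devices: List[Device], today: date, **policy) -> Dict[str, List[str]]:
    """Map each failing device name to the reasons it failed; passing devices are omitted."""
    report = {}
    for device in devices:
        reasons = assess(device, today, **policy)
        if reasons:
            report[device.name] = reasons
    return report


# Constructed sample inventory; names and values are made up for illustration
INVENTORY = [
    Device("nexus-5x", "6.0.1", "2016-01-01"),    # current month: passes
    Device("work-phone", "6.0", "2015-12-01"),    # one month behind: within tolerance
    Device("galaxy-s5", "5.1.1", "2015-11-01"),   # old release and two months behind
    Device("old-tablet", "4.0.4", None),          # legacy release, no patch level at all
]

REFERENCE_DATE = date(2016, 1, 15)  # constructed "today" for the sample run


if __name__ == "__main__":
    for name, reasons in outdated_devices(INVENTORY, REFERENCE_DATE).items():
        print(f"{name}: " + "; ".join(reasons))
```

The version tuple comparison is what makes `4.4.4` sort below `6.0` rather than after it, which a plain string comparison gets wrong. Feeding the report into an access decision is the device-visibility step the paragraph above describes; the policy thresholds are the part each organisation would set for itself.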

Duo Labs also says organisations should recommend that users “use Nexus devices that receive more frequent and direct platform update support that doesn’t depend on carrier/OEM deployment to avoid associated delays,” which is, frankly, hard to argue with.

It’s also hard to implement beyond a recommendation, unless BYOD (bring your own device) turns into BTDWTYT (bring the device we tell you to), which just isn’t going to happen unless the organisation is also supplying the device.

Here at IT Security Thing we would like to think that the problem will vanish as more and more devices running Android 6+ appear on the market and slowly push legacy devices out of play.

We would also like to think that unicorns are real. The truth is a much harsher reality where unicorns do not exist, yet millions of legacy Android devices do and are in no danger of becoming extinct any time soon.

In the meantime, the best we can hope for are the likes of Samsung continuing to further adopt the monthly security update mantra that Google has now established, and that other manufacturers do the same.