New Android Security Study Reminds Users to Just Update Their Phones Already

A disconnect between Android OS and manufacturers spells bad news for users.


A new study from the University of Cambridge has found that, at any given time, as many as 87.7 percent of Android phones are “exposed to…critical vulnerabilities.” The rate of insecurity is so high because Android users just aren’t running the updated software. Maybe Android owners are just lazy and content with outdated operating systems? Well, not quite. They just can’t install the updates.

The paper, “Security Metrics for the Android Ecosystem,” analyzed data from 20,400 devices that had downloaded a Device Analyzer app. Using the data, the researchers determined security levels:

“We consider a device is insecure if it is running a vulnerable version of Android and the device has not received an update which might fix it; it is maybe secure if it is running a vulnerable version but received an update which could have fixed the vulnerability if it contained a backported fix; and it is secure if it is running a secure version.”
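The three-way rule quoted above can be applied to a device inventory. The following is an added example, not code from the paper or from Device Analyzer. The vulnerability names, dates, versions and device records are constructed, and it assumes that any update received on or after a vulnerability's disclosure date counts as one that "might fix it."

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ORDER = ["secure", "maybe secure", "insecure"]  # increasing severity

def ver(s):
    """Parse '4.1.2' into (4, 1, 2) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

@dataclass(frozen=True)
class Vuln:
    name: str
    disclosed: date      # when the flaw became known
    fixed_in: str        # first Android version carrying the fix

@dataclass(frozen=True)
class Device:
    ident: str
    os_version: str
    last_update: Optional[date]  # last OS update received, if any

def classify_one(dev, vuln):
    if ver(dev.os_version) >= ver(vuln.fixed_in):
        return "secure"          # running a fixed version
    # Vulnerable version: an update after disclosure may carry a backport.
    if dev.last_update is not None and dev.last_update >= vuln.disclosed:
        return "maybe secure"
    return "insecure"

def classify(dev, vulns):
    """A device is only as good as its worst status across all vulnerabilities."""
    return max((classify_one(dev, v) for v in vulns), key=ORDER.index, default="secure")

def summary(devices, vulns):
    """Percentage of the fleet in each state."""
    counts = {s: 0 for s in ORDER}
    for d in devices:
        counts[classify(d, vulns)] += 1
    return {s: round(100 * n / len(devices), 1) for s, n in counts.items()}

# Constructed sample data (placeholders, not real advisories or devices).
VULNS = [Vuln("EXAMPLE-VULN-A", date(2013, 7, 1), "4.3"),
         Vuln("EXAMPLE-VULN-B", date(2014, 6, 1), "4.4.4")]
DEVICES = [Device("dev-1", "4.4.4", date(2014, 7, 10)),
           Device("dev-2", "4.2.2", date(2014, 8, 1)),
           Device("dev-3", "4.1.2", None),
           Device("dev-4", "4.3", date(2013, 9, 1))]

if __name__ == "__main__":
    print(summary(DEVICES, VULNS))
```

Note that dev-4 is fixed for the first flaw but lands in "insecure" because it never received an update after the second was disclosed.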

Some of the vulnerabilities the researchers found included “improper verification of signatures at installation time… [which] meant that apps could pretend to be signed with system keys and hence be granted system privileges.” An updated phone shouldn’t encounter a security problem that severe.

They determined that the problem had to be greater than the Android users’ incompetence. The issue was with the manufacturers, who had no legitimate way of knowing when devices needed updates. At times, updates were even available, but users weren’t prompted to install them. Once people figured out they could get new software, there was a “bottleneck” of people trying to download it, leading to slower speeds, which, of course, discourages further updating.

The paper, by Daniel R. Thomas, Alastair R. Beresford, and Andrew Rice, reveals a major disconnect between the Android OS providers and the device manufacturers. Android is more widely available than its Apple competitor, but Sony, for example, is less secure than LG. Users may not know exactly what level of vulnerability they’re signing up for. You shouldn’t have to check for software updates every day to know your phone is not at risk.
