Android security is a frequent tech topic that most of us read about weekly, if not daily. Everybody knows that Android phones are exposed to hacks, but no one considered just how vulnerable they really are, until now. Researchers at the University of Cambridge have shown in a study, partly funded by Google, that a staggering number of Android devices are exposed to some of the most dangerous vulnerabilities out there. The study found that on average 87.7% of Android phones are exposed to at least one of the 11 known critical vulnerabilities.
Using the University of Cambridge’s Device Analyzer app, researchers gathered data from over 20,000 devices belonging to volunteers. The Device Analyzer data was combined with information collected on critical Android vulnerabilities.
“87% of Android devices are vulnerable to attack by malicious apps. This is because manufacturers have not provided regular security updates. Some manufacturers are much better than others however, and our study shows that devices built by LG and Motorola, as well as those devices shipped under the Google Nexus brand are much better than most,” says Alastair R. Beresford – one of the researchers.
This means that the high security risks are linked to the number of manufacturers that prefer Android.
The FUM score
In this study, researchers rated device manufacturers with scores from 1 to 10. The FUM score is based on the security that manufacturers have provided to their customers over the last four years. As explained in Beresford’s blog post, the score has 3 components:
- f = the proportion of devices free from known critical vulnerabilities.
- u = the proportion of devices updated to the most recent version.
- m = the number of vulnerabilities the manufacturer has not yet fixed on any device.

$\text{FUM score} = 4 \cdot f + 3 \cdot u + 3 \cdot \frac{2}{1 + e^{m}}$
The most secure devices
The Nexus devices got the highest score, almost double the average rating of 2.87. LG won the silver medal with a score of 4.0, and Motorola came in third, with a score of 3.1. The other important players involved in this research (Samsung, Sony, and HTC) received mediocre scores below 3. After rating, the scoreboard looks like this:
- Nexus devices | 5.2 (best)
- LG | 4.0
- Motorola | 3.1
- Samsung | 2.7
- Sony | 2.5
- HTC | 2.5
- Asus | 2.4
- Alps | 0.7
- Symphony | 0.3
- Walton | 0.3 (worst)
Top 10 most secure Android devices, based on the same rating method:
- Galaxy Nexus | 4.78 (best)
- Nexus 4 | 4.24
- Nexus 7 | 3.54
- HTC Desire | 3.25
- Desire HD | 2.91
- GT-I9000 | 2.63
- DROIDX | 2.48
- HTC Sensation Z710e | 2.44
- GT-I9100 | 2.25
- HTC Desire S | 1.74
Proportion of Android devices running insecure, maybe secure and secure versions of Android over the past 4 years:
To be labeled as insecure in the figure displayed above, a device must be running a version of Android which is vulnerable to at least one of the critical vulnerabilities (for example Gingerbreak, Fake ID or Stagefright), and must not have received an update that fixes the problem. A device that is labeled maybe secure runs a version of Android which is vulnerable to at least one of the critical vulnerabilities, but has received an update that might fix the vulnerability. At the opposite end, to be labeled secure, the device must run a version of Android that is not vulnerable to any of the critical vulnerabilities.
According to the researchers at the University of Cambridge, a large part of Android security depends on how quickly updates that fix the vulnerabilities arrive. When it comes to Android devices, the overall average number of updates is quite low: only 1.26 per year. This means that a considerable number of devices remain unpatched, and therefore vulnerable, for long periods of time.
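The FUM formula and the insecure / maybe secure / secure labels described above can be combined in a short Python sketch. This is an added example, not code from the study or from Beresford’s blog post. The vendor names, affected-version sets and LATEST value are constructed sample data, and counting only "secure" devices towards f is an assumption.

```python
import math
from collections import defaultdict

# Constructed sample data. The vulnerability names are the ones the article
# cites; the affected-version sets and vendor names are invented.
VULNS = {
    "Gingerbreak": {"2.2", "2.3"},
    "Fake ID": {"2.3", "4.0", "4.3"},
    "Stagefright": {"2.3", "4.0", "4.3", "5.0"},
}
LATEST = "5.1"  # assumed most recent Android version in this sample

# (vendor, android_version, vulnerabilities an installed update might fix)
DEVICES = [
    ("VendorA", "5.1", set()),
    ("VendorA", "5.1", set()),
    ("VendorA", "5.0", {"Stagefright"}),
    ("VendorA", "4.3", set()),
    ("VendorB", "2.3", set()),
    ("VendorB", "2.3", {"Gingerbreak"}),
]

def classify(version, patched):
    """Label one device insecure / maybe secure / secure, as the article defines."""
    affected = {name for name, versions in VULNS.items() if version in versions}
    if not affected:
        return "secure"
    return "maybe secure" if affected <= patched else "insecure"

def fum_scores(devices):
    """Return {vendor: (f, u, m, score)} for a list of device records."""
    by_vendor = defaultdict(list)
    for vendor, version, patched in devices:
        by_vendor[vendor].append((version, patched))
    result = {}
    for vendor, fleet in by_vendor.items():
        f = sum(classify(v, p) == "secure" for v, p in fleet) / len(fleet)
        u = sum(v == LATEST for v, _ in fleet) / len(fleet)
        # Assumption: a vulnerability is "fixed" for a vendor if at least one
        # of its devices is unaffected by it or has a patch for it.
        m = sum(
            not any(v not in versions or name in p for v, p in fleet)
            for name, versions in VULNS.items()
        )
        result[vendor] = (f, u, m, 4 * f + 3 * u + 3 * 2 / (1 + math.exp(m)))
    return result

if __name__ == "__main__":
    for vendor, (f, u, m, score) in fum_scores(DEVICES).items():
        print(f"{vendor}: f={f:.2f} u={u:.2f} m={m} FUM={score:.2f}")
```

A vendor with every device secure and on the latest version, and no unfixed vulnerabilities, reaches the maximum of 10. Each additional unfixed vulnerability shrinks the third term through the e^m denominator.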
“Google has done a good job at mitigating many of the risks, and we recommend users only install apps from Google’s Play Store since it performs additional safety checks on apps,” said Alastair R. Beresford in his blog post. “Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Devices require updates from manufacturers, and the majority of devices aren’t getting them”, concluded the researcher.
Though some improvements might be on the horizon, with Google and some OEMs committing to a monthly security update program, the real solution could still be far away. Manufacturers don’t have much incentive to provide updates yet, so until there is a large-scale change in security support, older Android devices will still be vulnerable.