Cambridge study reveals 87% of Android devices to be insecure

It's easy to see that the Android ecosystem currently has a rather lax policy toward security, but a recent study from the University of Cambridge put some hard numbers to Android's security failings. The conclusion finds that "on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities."

 

Data for the study was collected through the group's "Device Analyzer" app, which has been available for free on the Play Store since May 2011. After the participants opted into the survey, the University says it collected daily Android version and build number information from over 20,400 devices. The study then compared this version information against 13 critical vulnerabilities (including the Stagefright vulnerabilities) dating back to 2010. Each individual device was then labeled "secure" or "insecure" based on whether or not its OS version was patched against these vulnerabilities, or placed in a special "maybe secure" category if it could have gotten a specialized, backported fix.

 

As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that "the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities."

 

Along with the study, the University of Cambridge is launching "AndroidVulnerabilities.org," a site that houses this data and grades OEMs based on their security record. The group came up with a 1-10 security rating for OEMs that it calls the "FUM" score.

 

The Nexus program's "high score" of only 5.2 out of 10 might seem a little low, given that all supported Nexus devices get updates rather quickly, but we have some theories as to why it scored so poorly. First, the way Google distributes updates for Nexus devices is extremely slow.

Even after the update is developed and released on the Nexus System Image page, pushing the update out to everyone via an OTA usually takes two full weeks. The other issue is probably that this "two years of updates" policy that Google and OEMs have been living by doesn't match up with reality.

 

Original article: http://arstechnica.com/security/2015/10/university-of-cambridge-study-finds-87-of-android-devices-are-insecure/

 

I think it's absolutely absurd that we can accept that OEMs limit the security patches we get.

Edited by Whiskers
Fixed for night theme users

In programming there are only two really hard problems:
Naming things, cache invalidation and off-by-one errors.
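
The labelling step described in the quoted article, sketched as an added example (not code from the study, the article or this post). The vulnerability IDs, versions and dates are constructed, and treating "build newer than the public fix" as the test for a possible backport is an assumption.

```python
from datetime import date

# Constructed records: first OS version containing the fix, and the date
# the vulnerability and its fix became public (assumed to be the same day).
VULNS = [
    {"id": "VULN-A", "fixed_in": (4, 4, 3), "public": date(2014, 6, 1)},
    {"id": "VULN-B", "fixed_in": (5, 1, 1), "public": date(2015, 8, 5)},
]

def parse_version(text):
    """'4.4' -> (4, 4, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_version, build_date, observed_on, vulns=VULNS):
    """Label one daily observation 'secure', 'maybe secure' or 'insecure'."""
    version = parse_version(os_version)
    status = "secure"
    for v in vulns:
        if observed_on < v["public"]:
            continue  # not a *known* vulnerability on that day
        if version >= v["fixed_in"]:
            continue  # OS version already carries the fix
        if build_date >= v["public"]:
            status = "maybe secure"  # newer build: a backport is possible
        else:
            return "insecure"  # old version and old build: exposed
    return status

# Constructed observations: (device, OS version, build date, observation date)
OBSERVATIONS = [
    ("dev1", "4.1.2", date(2013, 3, 1), date(2015, 9, 1)),
    ("dev2", "4.4.2", date(2015, 8, 20), date(2015, 9, 1)),
    ("dev3", "5.1.1", date(2015, 8, 10), date(2015, 9, 1)),
    ("dev4", "4.1.2", date(2013, 3, 1), date(2014, 1, 1)),
]

def insecure_share(observations):
    """Fraction of observations labelled 'insecure'."""
    labels = [classify(ver, built, seen) for _, ver, built, seen in observations]
    return labels.count("insecure") / len(labels)

if __name__ == "__main__":
    for name, ver, built, seen in OBSERVATIONS:
        print(name, ver, classify(ver, built, seen))
    print("insecure share:", insecure_share(OBSERVATIONS))
```

The same device can change label over time: dev1 and dev4 are the same version and build, observed before and after the constructed vulnerabilities became public.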


Original article: http://arstechnica.com/security/2015/10/university-of-cambridge-study-finds-87-of-android-devices-are-insecure/

 

I think it's absolutely absurd that we can accept that OEMs limit the security patches we get.

Sort of a repost, this is mentioned here: http://linustechtips.com/main/topic/466493-microsoft-says-fu-to-mobile-operators-regarding-updates/

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


Original article: http://arstechnica.com/security/2015/10/university-of-cambridge-study-finds-87-of-android-devices-are-insecure/

 

I think it's absolutely absurd that we can accept that OEMs limit the security patches we get.

So what, now you want to take my phone? I am not accepting an antivirus scanner since the last time I got a virus on a phone is NEVER.

Besides, I could just plug it into my PC and then scan it.

 

On 11/19/2014 at 2:14 PM, Syntaxvgm said:
You would think Ubisoft would support the Bulldozer based architectures more given their digging themed names like bulldozer, Piledriver, Steamroller and Excavator.

Why can't we get a similar system as Android where Google needs to tell OEMs to either limit the number of customisations they make or at least provide proper updates.

If you want to reply back to me or someone else USE THE QUOTE BUTTON!                                                      
Pascal laptops guide


I didn't find another post with the same topic. If I missed it I apologize.

It's OK, that's why I said sort of, as the name is completely different and it was used as part of the article instead of as the main thing.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


In other news, you can't do any of the customization or functions with an iPhone; it evens out. Also remember how you could disable an iPhone with a text message.

"God created war so that Americans would learn geography"

 

 


What this really is saying:

 

"Cambridge study reveals 13% of Android devices to be running a recent version of cyanogenmod"

 

"..and as such constantly have their dialer crash, and screen freeze when attempting to answer phone calls.."

 

Seriously getting fed up with all these issues from CM. 

5950X | NH D15S | 64GB 3200Mhz | RTX 3090 | ASUS PG348Q+MG278Q

 


I don't get why "portion of devices updated to the latest version" is included in the score. So even if an OEM has patched all known vulnerabilities they might still get a low score because they got a lot of devices running Lollipop. Seems rather unfair. I would have preferred a more security-oriented score to go along with the general updates score.

It's really sad to see such pathetic scores. If CyanogenMod can keep lots of devices up to date then OEMs like Samsung should be able to do it too.


Making my Note 2 with Resurrection Remix look more awesome

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


It's a shame really. It's nearly 2016 and the majority of Android devices are running a 2013 OS.


Android is garbage from all points of view especially any online browsing on any browser absolute garbage.


Android is garbage from all points of view especially any online browsing on any browser absolute garbage.

Care to elaborate?

  ﷲ   Muslim Member  ﷲ

KennyS and ScreaM are my role models in CSGO.

CPU: i3-4130 Motherboard: Gigabyte H81M-S2PH RAM: 8GB Kingston hyperx fury HDD: WD caviar black 1TB GPU: MSI 750TI twin frozr II Case: Aerocool Xpredator X3 PSU: Corsair RM650


"..and as such constantly have their dialer crash, and screen freeze when attempting to answer phone calls.."

 

Seriously getting fed up with all these issues from CM. 

I am on the latest nightlies 90% of the time and have yet to encounter a bug...

MacBook Pro 15' 2018 (Pretty much the only system I use)


Why can't we get a similar system as Android where Google needs to tell OEMs to either limit the number of customisations they make or at least provide proper updates.

Because then OEMs would make their own options; example given: Samsung Tizen. And everyone would throw a fit about "muh customization."

 

Android is garbage from all points of view especially any online browsing on any browser absolute garbage.

Elaborate. iOS is just as trash, if not worse. At least our phones don't brick for having replaced home/volume/power buttons. ;)

 

"..and as such constantly have their dialer crash, and screen freeze when attempting to answer phone calls.."

 

Seriously getting fed up with all these issues from CM. 

What device are you running? Having lived on nightlies for a while (before I switched to Chroma 5.1), that never happened to me.


Because then OEMs would make their own options; example given: Samsung Tizen. And everyone would throw a fit about "muh customization."

 

Elaborate. iOS is just as trash, if not worse. At least our phones don't brick for having replaced home/volume/power buttons. ;)

 

What device are you running? Having lived on nightlies for a while (before I switched to Chroma 5.1), that never happened to me.

OnePlus One. Each OS update since I got the phone has made the experience worse.

 

Looking forward to going back to iOS again after this.

5950X | NH D15S | 64GB 3200Mhz | RTX 3090 | ASUS PG348Q+MG278Q

 


OnePlus One. Each OS update since I got the phone has made the experience worse.

 

Looking forward to going back to iOS again after this.

I wouldn't call OnePlus / the OnePlusOne good examples of how to run a company or maintain a phone. 


I wouldn't call OnePlus / the OnePlusOne good examples of how to run a company or maintain a phone. 

The OS is CM, it's maintained by them, and it's been horrific.

5950X | NH D15S | 64GB 3200Mhz | RTX 3090 | ASUS PG348Q+MG278Q

 


The OS is CM, it's maintained by them, and it's been horrific.

CM is maintained by Cyanogen. OnePlus maintains OxygenOS, maybe you should flash that one instead.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


Why can't we get a similar system as Android where Google needs to tell OEMs to either limit the number of customisations they make or at least provide proper updates.

Google started decoupling features from Android for the same reason and started releasing their apps/customizations as ... Apps in the Play Store. If all OEMs and carriers did the same, then it'd be pretty simple. Google pushes out core Android updates to all phones first, and send it to OEMs at the same time (to fix driver related issues); OEMs push updates to their UI, apps, etc, on the Play Store so that compatible devices can install it.

Interested in Linux, SteamOS and Open-source applications? Go here

Gaming Rig - CPU: i5 3570k @ Stock | GPU: EVGA Geforce 560Ti 448 Core Classified Ultra | RAM: Mushkin Enhanced Blackline 8GB DDR3 1600 | SSD: Crucial M4 128GB | HDD: 3TB Seagate Barracuda, 1TB WD Caviar Black, 1TB Seagate Barracuda | Case: Antec Lanboy Air | KB: Corsair Vengeance K70 Cherry MX Blue | Mouse: Corsair Vengeance M95 | Headset: Steelseries Siberia V2

 

 


Google started decoupling features from Android for the same reason and started releasing their apps/customizations as ... Apps in the Play Store. If all OEMs and carriers did the same, then it'd be pretty simple. Google pushes out core Android updates to all phones first, and send it to OEMs at the same time (to fix driver related issues); OEMs push updates to their UI, apps, etc, on the Play Store so that compatible devices can install it.

Sadly, only HTC and Motorola do that.

If you want to reply back to me or someone else USE THE QUOTE BUTTON!                                                      
Pascal laptops guide


This is pretty much expected from me unfortunately. Google isn't forceful enough with third party manufacturer updates. They should have a strict policy every manufacturer needs to have for, let's say, 3-5 years to give it updates throughout its expected lifetime.

 

The main issue here is software vulnerabilities, as they can be the most dangerous to the most people, for example the texting vulnerability, which allowed someone to send a string of code in a text message to a vulnerable device and get it to perform an action unwanted by the user. There are probably more ways to do this than one, but even though Google fixes the vulnerabilities, other devices by manufacturers like Samsung and LG etc. are all vulnerable and it makes me furious!

 

Google needs better security in Android right off the bat. And manufacturers need to up their game. I love the openness of Android, and would have bought another for my latest device but didn't because of the horrible junk that is going on right now.

 

This is as much Google's fault as it is everyone else's. They need to up their game, because believe me, when REAL Android malware goes widespread, they ARE SCREWED. I'm saying screwed. Let's hope everyone at the big, important companies isn't using Android. Everyone I know who works for big companies (all at Wells Fargo bank) uses BlackBerrys.

 

Everyone NEEDS to up their game.

 

This is just a mega rant because I'm so angry, it's running through my veins which are right now burning with intense rage towards these companies letting Android down as a whole.


The main problem with Android is that you can't just get an ISO from Google and install it on your phone, just like you can with Windows on a PC.

 

Now, I know what you're going to say, that you can install a standard ISO on a PC because the PC has standardized hardware, and you can't do that on a phone because the hardware isn't standardized and there are no standard drivers for storage and display on phones. But that standardization only helps if you're trying to install the OS without the aid of a secondary device. Google could've made a program that people can use on a PC to integrate the drivers in the ISO. There's a program for Windows that does exactly that, it's called nLite, and people used it way back when SATA was first released to integrate SATA drivers in the Windows XP ISO.

 

I know why Google chose to make Android the way that it is. Microsoft spends a lot of money on testing every update on lots of different hardware configurations. Google wants OEMs to do all the bug testing so that Google doesn't have to spend money on testing. But OEMs aren't interested in supporting their older phones, they want to incentivise people to buy their newer phones by not updating their older ones. It's planned obsolescence and one of the reasons why phones are outselling PCs.
