Tardiness in providing security updates is leaving the vast majority of Android devices hopelessly insecure, according to researchers at the University of Cambridge.
Over the last four years, an average of 87 per cent of Android devices were vulnerable to attack by malicious apps, according to the research, which blames the problem on the failure of some manufacturers to provide regular security updates.
“Some manufacturers are much better than others however, and our study shows that devices built by LG and Motorola, as well as those devices shipped under the Google Nexus brand are much better than most,” researchers Daniel Thomas and Alastair Beresford explain in a blog post.
The long-term analysis is partly based on data collected through Device Analyzer, an app developed by the computer scientists, available from the Google Play Store and used by 20,000 volunteers worldwide.
Information from the app was combined with an assessment of the seriousness of known Android vulnerabilities to give each manufacturer a security rating.
Users, corporate buyers and regulators can find further details on manufacturer performance at AndroidVulnerabilities.org. Rather than “naming and shaming” device manufacturers, the exercise is designed to give buyers greater transparency.
“Our hope is that by quantifying the problem we can help people in choosing a device and that this in turn will provide an incentive for other manufacturers and operators to deliver updates,” Thomas and Beresford explain.
Security watchers have been banging on about the lack of updates to Android devices for months, if not years. Manufacturers are finally beginning to grapple with the problem in the wake of the infamous Stagefright vulnerability. For example, Google and Samsung have committed to shipping security updates every month.
The Cambridge boffins are presenting a paper (PDF) on their research at the SPSM conference in Denver, Colorado this week. SPSM refers to the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, to give the meeting its full title. ®