Cambridge University report claims 88 percent of Android devices could be at risk and wants security grading system to monitor manufacturers
Researchers from the University of Cambridge claim many Android smartphones are not being supplied with the proper security protection against the latest threats and attacks, as manufacturers fail to provide fixes in a timely fashion.
The report, from Cambridge Computer Laboratory researchers Daniel R Thomas, Alastair R Beresford, and Andrew Rice estimates that 87.7 percent of devices contained at least one bad vulnerability that could leave handsets at risk, as many users can expect just one update a year.
The researchers monitored the effects of 11 major vulnerabilities, including those which could lock users out of their devices, steal user credentials or even brick the devices entirely, across 20,400 devices.
Google, which develops and pushes out Android, was not blamed in the report, with the manufacturers themselves, who are often slow to provide the latest updates, coming under fire.
Perhaps unsurprisingly then, Google’s Nexus devices is the clear winner, receiving regular updates against the latest threats, although LG is also cited for its fast patching. O2 UK was named as the best UK carrier for supplying over-the-air security fixes, just ahead of T-Mobile and Orange, both part of EE.
“The security of Android depends on the timely delivery of updates to x critical vulnerabilities,” the report concluded. “Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices un-patched for long periods.
“We showed that the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to x critical vulnerabilities. This arises in part because the market for Android security today is like the market for lemons: there is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive updates, and the consumer, who does not.
“Consequently there is little incentive for manufacturers to provide updates.”
Making the grade
The researchers propose giving ‘grades’ Android manufacturers based on their performance in puhsing out ptches, which users and regulators can monitor.
Back in August, Google announced it would be committed to sending out a monthly security updates as the company looks to better protect customers using its mobile OS. Google has been providing Android manufacturers with a monthly bulletin of security issues so that they can keep their users secure, but recent vulnerabilities such as Stagefright forced this improvement.
Users of Google’s Nexus family of devices will be the first to receive the new updates, which are also being released to the public via the Android Open Source Project (AOSP).
Are you a security pro? Try our quiz!