Android Blasted For Software Update Chaos

Half the Android handsets on the market have out-of-date and insecure software, says security firm

Security firm Bit9 on 21 November released its “Dirty Dozen” list of insecure smartphones. The list focused on Android smartphones because approximately 56 percent of Android phones in the marketplace are running out-of-date and insecure versions of the mobile operating system, Harry Svedlove, CTO of Bit9, told eWEEK.

Smartphone manufacturers Samsung, HTC, Motorola and LG are slow to upgrade these phones to the latest and most secure version of Android, Bit9 said in its report. The manufacturers are focused on pushing out the latest new models every few months, but users are generally locked into two-year contracts, Svedlove said.

Wireless carriers and manufacturers don’t bother to support users on older handsets because it’s in their financial interest to have users keep buying new handsets, he said.

Update failure

Wireless service carriers and smartphone manufacturers have thus far failed to effectively handle the software update process, causing unbelievable fragmentation in the Android ecosystem, Svedlove said.

On the Dirty Dozen list are the Samsung Galaxy Mini, HTC Desire, Sony Ericsson Xperia X10, Sanyo Zio, HTC Wildfire, Samsung Epic 4G, LG Optimus S, Samsung Galaxy S, Motorola Droid X, LG Optimus One, Motorola Droid 2 and HTC Evo 4G. Bit9 looked at phones that had the highest market share, ran out-of-date versions of Android and had the slowest update cycles.

The most secure were the Samsung Nexus X, HTC Droid Incredible, Samsung Galaxy S2, HTC Sensation and the T-Mobile G2. Even though the Nexus is made by Samsung, Google controls the handset entirely, so Nexus owners receive updates almost instantly, Bit9 said.

The T-Mobile G2 was originally launched with Froyo a year ago, but T-Mobile has pushed out several updates over the air to its users since then.

The Samsung Galaxy Mini was called out specifically because it was released in April with a version of Android that was already almost a year out of date. Instead of running Gingerbread (2.3.3 or 2.3.4), which was already available, Samsung launched the phone running the older Froyo (2.2), according to Bit9.

Samsung took 316 days to patch the Galaxy Mini after Google released an Android update, and Motorola took 141 days to update the Droid X.

iPhone updates

The goal of the list was not to gang up on Android, since “all operating systems have vulnerabilities”, Svedlove said, noting that iOS has more reported issues than Android in the National Vulnerability Database.

But the true test of security is how quickly and effectively the OS gets fixed, and that’s where manufacturers and carriers are failing when it comes to Android, according to Svedlove.

The iPhone 4 and older models were given an “honorable mention” at No. 13 because, up until iOS 5 and the iPhone 4S, users had to physically connect their devices to a computer and launch a manual update.

Practically no one ever docked their phones on the computer, and very few people ever bothered to download and install the various security updates issued by Apple, Svedlove said.

The iOS 5 update, which gives users access to iCloud, was often the first time longtime iPhone owners had ever tried the update process. The over-the-air update process introduced in iOS 5 will make it much easier for iPhone and iPad owners to stay up-to-date from this point on, Svedlove said.

Manufacturers to blame

Bit9 placed the blame for these insecure phones squarely on phone manufacturers and wireless carriers, not on Google or the end users. It faulted them for failing to release timely updates and for adding new features to their versions, which often delays the updates even further.

Carriers that released updates via their support forums were also criticised because users shouldn’t have to jump through hoops to update their devices, according to Bit9. Users should just have to hit “OK” to approve updates and receive them over the air, Svedlove said.

Android’s update infrastructure is analogous to “buying a computer from Dell and expecting Dell to work with the Internet service provider to coordinate Windows updates,” Svedlove said.