87% of Android devices are at risk for security attacks
Data collected from more than 20,000 volunteers found that 87% of Android devices are exposed to at least one of 11 known critical vulnerabilities. The study places the blame for Android devices' high risk on the manufacturers themselves, noting that all large software companies today uncover security risks and then release software updates to protect users.
"Unfortunately something has gone wrong with the provision of security updates in the Android market," the study reads. "Many smartphones are sold on 12-24 month contracts, and yet our data shows few Android devices receive many security updates."
Android devices receive, on average, 1.26 security updates per year, resulting in long stretches of time where the devices are at risk.
"The difficulty is that the market for Android security today is like the market for lemons," the study says. "There is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not."
The researchers developed a scoring system, called the FUM score, to rank what Android devices are the most secure. The FUM score looks at the proportion of devices free from known critical vulnerabilities, the proportion of devices updated to the most recent version, and the number of vulnerabilities that have not been fixed on any device.
The score is out of ten with Nexus doing better than average with a score of 5.7. The study notes that LG is the best manufacturer with a score of 3.97. From there the ranking is as follows:
- Motorola: 3.1
- Samsung: 2.7
- Sony: 2.5
- HTC: 2.5
- Asus: 2.4
- Alps: .7
- Symphony: .3
- Walton: .3
Although Symphony and Walton received the lowest scores, the researchers note that because they are unpopular manufacturers their phones do not pose the greatest risk. "The total risk to users from the higher scoring popular manufacturers is higher than the risk from the lower scoring unpopular manufacturers," the study reads. That doesn't bode well for Samsung, Sony, or HTC.
Google's Nexus receiving the best FUM score is notable. The study emphasizes that "the main update bottleneck lies with manufacturers rather than Google, operators, or users."
The researchers also constructed a graph that shows the proportion of Android devices that are running vulnerable versions of Android over time. The graph shows that as time progressed from 2011 to the present, Android devices have become increasingly more vulnerable.
AndroidVulnerabilities.org
The graph was constructed based on the devices' exposure to 13 known vulnerabilities.
The study was partially funded via a Google focused funding award.