ISLAMABAD (MEDIA REPORT)
There is a major problem with the Android market: nearly 90% of Android handsets are exposed to at least one critical vulnerability because manufacturers fail to deliver patches, research from the UK’s University of Cambridge has found.
Fact is, the problem isn’t new; it’s been in the headlines for years now. My biggest problem with it is that no one is doing anything to change it. Manufacturers point to carriers, and vice versa, when asked who will supply patches after Google develops fixes for Android security bugs.
Until then, the Android device owner’s sensitive data is exposed to hackers.
“The difficulty is that the market for Android security today is like the market for lemons,” Cambridge researchers Daniel Thomas, Alastair Beresford, and Andrew Rice note in a new paper.
“There is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not.”
The findings are based on analysis of data collected from more than 20,000 Android devices with the Device Analyzer app installed. The result: 87% of devices running Android were vulnerable to at least one of the 11 bugs that have been in the public domain over the past five years, including the recently uncovered TowelRoot bug, which Cyanogen fixed last year, and FakeID.
When it comes to updates, well, Android doesn’t look too good: On average, devices receive 1.26 updates per year.
This research captures only one, quantitative side of the story. On the other side are the manufacturers, such as HTC, which says monthly updates are unrealistic because of a bottleneck at carriers’ testing stages for carrier-certified devices.
On AndroidVulnerabilities.org you’ll also find an FUM score for each vendor, released by the researchers. Of the three letters, “f” stands for the proportion of devices free from known critical vulnerabilities; “u”, the proportion of devices updated to the most recent version; and “m”, the number of vulnerabilities the manufacturer has not yet fixed on any device.
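To make the three FUM components concrete, here is an added example (not code from the article or from the Cambridge researchers) that computes f, u and m per manufacturer from a small, constructed set of device observations. Manufacturer names, Android version strings and vulnerability labels are placeholders; the article states only the meaning of the three components, not how they are weighted into a single score, so the combination step is deliberately left out. The same pass also yields the "share of devices exposed to at least one known bug" figure the study reports.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical "latest" Android release used to decide whether a device counts as updated.
LATEST_VERSION = "5.1"


@dataclass(frozen=True)
class DeviceObservation:
    manufacturer: str        # placeholder vendor label
    os_version: str          # Android version the device reports
    unpatched: frozenset     # known critical vulnerabilities the device is still exposed to


# Constructed sample observations (vulnerability names are placeholders, not real CVEs).
SAMPLE = [
    DeviceObservation("VendorA", "5.1", frozenset()),
    DeviceObservation("VendorA", "5.1", frozenset({"VULN-1"})),
    DeviceObservation("VendorA", "4.4", frozenset({"VULN-1", "VULN-2"})),
    DeviceObservation("VendorA", "5.1", frozenset()),
    DeviceObservation("VendorB", "4.4", frozenset({"VULN-1", "VULN-2", "VULN-3"})),
    DeviceObservation("VendorB", "4.4", frozenset({"VULN-2", "VULN-3"})),
    DeviceObservation("VendorB", "5.1", frozenset({"VULN-3"})),
]


def fum_components(observations, latest_version=LATEST_VERSION):
    """Return {manufacturer: (f, u, m)} following the definitions in the article.

    f: proportion of the vendor's devices free from known critical vulnerabilities
    u: proportion of the vendor's devices running the most recent version
    m: number of known vulnerabilities that remain unfixed on every one of the
       vendor's observed devices (i.e. the vendor has not shipped a fix on any device)
    """
    by_vendor = defaultdict(list)
    for obs in observations:
        by_vendor[obs.manufacturer].append(obs)

    result = {}
    for vendor, devices in by_vendor.items():
        n = len(devices)
        f = sum(1 for d in devices if not d.unpatched) / n
        u = sum(1 for d in devices if d.os_version == latest_version) / n
        # A vulnerability counts toward m only if no observed device of this vendor is free of it.
        seen = set().union(*(d.unpatched for d in devices))
        m = sum(1 for v in seen if all(v in d.unpatched for d in devices))
        result[vendor] = (f, u, m)
    return result


def vulnerable_share(observations):
    """Fraction of all observed devices exposed to at least one known critical bug."""
    return sum(1 for d in observations if d.unpatched) / len(observations)


if __name__ == "__main__":
    for vendor, (f, u, m) in sorted(fum_components(SAMPLE).items()):
        print(f"{vendor}: f={f:.2f} u={u:.2f} m={m}")
    print(f"share of devices with >=1 known vulnerability: {vulnerable_share(SAMPLE):.2f}")
```

With real Device Analyzer data, the version check would need a proper ordering of Android release strings rather than an equality test, and the vulnerability set per device would come from matching its build against public advisories; both are out of scope for this illustration.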