Android users left vulnerable, researchers blame manufacturers

Researchers at the University of Cambridge say that 87 percent of Android devices in the market are insecure, placing the blame on manufacturers who do not provide regular security updates.

“The security of Android depends on the timely delivery of updates to critical vulnerabilities. Unfortunately few devices receive prompt updates,” the researchers said in a paper published last week, leaving them exposed for long periods.

“The bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to critical vulnerabilities. This arises in part because the market for Android security today is like the market for lemons: there is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive up-dates, and the consumer, who does not.”

The research is based on data from 20,400 devices with details pulled from an app that’s available through Google Play. The goal was to highlight the issue with patching and help consumers chose a device that is regularly updated (LG, Motorola, Samsung), while pushing the other manufacturers and operators to deliver updates sooner rather than later.

AndroidVulnerabilities.org

In addition to the data collected from their app, the researchers also looked at the number of disclosed vulnerabilities that affect the Android operating system or Android devices. Their conclusion is troubling. At the same time, it’s important to remember that only the known vulnerabilities are counted, which could skew the results some.

Another noteworthy point is that the fragmentation in the Android market could help in some cases – such as when attackers go after the segment of the user base with vulnerable devices – ignoring those where a given attack wouldn’t work.

Either way, the larger picture is that manufacturers aren’t pushing updates quick enough, and no matter how it spins, that’s a problem.

“Google has done a good job at mitigating many of the risks,” said Dr. Alastair Beresford, one of the authors of the paper.

“We recommend users only install apps from Google’s Play Store since it performs additional safety checks on apps. Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Phones require updates from manufacturers, and the majority of devices aren’t getting them.”

Considering the fragmented state of Android versions in the market, and the issues raised by the research, what can organizations do to protect themselves and their users?

“I think we might see some organizations standardize on a single, more predictable Android platform – maybe phones running the pure Google OS, that gets updates directly from Google (no waiting on a Carrier) or from a single, more enterprise-focused manufacturer, like Samsung. Blackphone and other security-focused Android derivatives might also be clicking their heels right now,” said Adrian Sanabria, Senior Analyst at 451Research.

Organizations could also try taking a hard stance on allowing devices on their network and to access data. For example, they could use MDM and certificates to authenticate the devices allowed to connect to Wi-Fi and to SaaS apps (via vendors like SkyHigh, Netskope, etc. in the CASB/CAC market).

“Keeping insecure devices off Wi-Fi / guest Wi-Fi networks is probably the most popular use case for NAC these days,” added Sanabria.

The problem with this tie down approach are exemptions.

“I’ve seen studies that have shown, after taking away everyone’s admin rights, often you’ll see 70% of them with the rights back again – all through exceptions that were requested and approved. The ‘hard stance’ often softens until it becomes the exception itself, and no longer the rule,” said Sanabria.

While the research is important, Sanabria says the data is misrepresented.

“Mobile operating systems are designed differently and exploited differently. We can’t simply list vulnerabilities and say ‘all these phones can be hacked.’ Even on servers and desktops, vulnerabilities rarely equate to the ideal attacker case, which is ‘exploit in the wild, vulnerability is remotely exploitable and readily available attack path exists.’,” he said.

“Mobile is not a major risk to the enterprise right now, and is certainly not equivalent to the risk on servers and desktops right now. We have plenty of data to back that up, not the least of which is in Verizon’s most recent DBIR.”

For the record, the DBIR states that 0.03% out of tens of millions of mobile devices, the number of them infected with truly malicious exploits was negligible.