Android’s fragmentation is creating a lot of security holes

This summer OpenSignal published its Android Fragmentation report, finding that there are more than 24,000 distinct types of Android devices by more than 1,000 distinct brands in the market today. That kind of differentiation was bound to produce problems in what was supposed to be a common OS ecosystem, and this week a University of Cambridge study gave us a very good example of just such a problem.

The paper (pdf), by three researchers at the Cambridge Computer Laboratory, found that 87.7 percent of Android devices in its sample were exposed to at least one critical security vulnerability. The cause is the slow, inconsistent way Android device makers and carriers push out security patches.

Google devises security updates for Android and, since August 2015, publishes them on a monthly schedule. But the vast majority of Android devices are built by other manufacturers. Samsung, Xiaomi and hundreds of other smartphone makers aren’t on Google’s patch schedule. They have to test and integrate each security update into their own customized versions of Android, and in many cases operators repeat that process for devices they specifically certify for their networks. The result is long delays before patches reach the phones in our hands, if they reach them at all.

Graphic by Cambridge University AndroidVulnerabilities.org

For their study, the Cambridge researchers developed an app called Device Analyzer, which they have offered in the Play store since 2011. The app is similar in spirit to OpenSignal’s own crowdsourced measurement app, collecting data anonymously on how and where consumers use their phones. The researchers compiled the Android versions and build numbers of more than 20,000 devices and compared them against 11 known critical vulnerabilities, flagging a device as exposed when it ran a build older than the one carrying the fix. They found that 87.7 percent of those devices remained exposed to at least one of those vulnerabilities.
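The same kind of check can be run by hand against a single device’s build properties. The example below is added here and is not the researchers’ Device Analyzer code: it parses `adb shell getprop` output (a constructed sample, with a made-up device and build id), compares the reported Android release against a table of issues and the release that first carried each fix, and measures how stale the declared security patch level is. The vulnerability table, the `placeholder-bug-…` labels and the `REPORT_DATE` used as "today" are all assumptions for the demo, not real CVEs; a real check would load entries from the Android Security Bulletins.

```python
"""Check an Android device's patch exposure from its build properties.

Added example, not the Cambridge researchers' code. It mirrors the shape
of their check: read the device's Android release, flag entries whose fix
landed in a later release, and report how old the security patch level is.
"""
import re
from datetime import date

# Constructed sample of `adb shell getprop` output. The device, build id
# and fingerprint are invented for this example.
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [example/exdev/exdev:5.1.1/EXAMPLE1/001:user/release-keys]
[ro.build.version.release]: [5.1.1]
[ro.build.version.security_patch]: [2015-09-01]
[ro.build.version.sdk]: [22]
[ro.product.manufacturer]: [ExampleCo]
"""

# Constructed table: (label, first Android release carrying the fix).
# Placeholders only, not real CVEs.
SAMPLE_TABLE = [
    ("placeholder-bug-fixed-in-4.4.4", "4.4.4"),
    ("placeholder-bug-fixed-in-5.1.1", "5.1.1"),
    ("placeholder-bug-fixed-in-6.0", "6.0"),
]

# Assumed "today" for the staleness calculation (the week of the report).
REPORT_DATE = date(2015, 10, 14)

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `getprop` output into a dict; lines that do not match are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def version_tuple(version):
    """'5.1.1' -> (5, 1, 1); '6.0' -> (6, 0, 0). Non-numeric parts are dropped."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def exposed_to(props, table):
    """Labels of table entries whose fix release is newer than the device's."""
    running = version_tuple(props.get("ro.build.version.release", "0"))
    return [label for label, fixed_in in table if running < version_tuple(fixed_in)]


def patch_lag_days(props, today):
    """Days since the declared security patch level, or None when the device
    predates Android 6.0 and does not report ro.build.version.security_patch."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    y, m, d = (int(x) for x in raw.split("-"))
    return (today - date(y, m, d)).days


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print("device:", props.get("ro.build.fingerprint"))
    for label in exposed_to(props, SAMPLE_TABLE):
        print("exposed:", label)
    print("patch level lag (days):", patch_lag_days(props, REPORT_DATE))
```

Two caveats match the study’s own limits. Comparing release numbers alone will over-report exposure when a manufacturer backports a fix without bumping the version, which is why the researchers also tracked build numbers; and `ro.build.version.security_patch` only exists from Android 6.0 onward, so on older devices the staleness check returns `None` rather than a number.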

The research group has also set up a site called AndroidVulnerabilities.org, which scores device makers on how well they keep their devices free of known vulnerabilities and up to date. None of them did well, not even Google: its own Nexus line scored highest, but only around 5 out of 10, because despite the monthly patch regime a lot of Nexus devices are still running vulnerable versions of Android.
