“Dirty dozen” insecure Android smartphones

Android manufacturers failing to keep pace with upgrades and creating security risks
Kerry Butters

November 22, 2011

A new report from Bit9 has revealed the “Dirty Dozen” smartphone manufacturers whose update practices put users at risk, by failing to release security updates for phone operating systems.

Given the ongoing malware threat to the Android platform, it comes as no real surprise to learn that phones running the OS make up every spot on the list of the twelve most vulnerable devices.

This, Bit9 say, “poses a serious risk to privacy and security” and confirms what many of us already know, that the iPhone is a safer device in terms of security, both personal and corporate.

Even the iPhone isn’t completely watertight, of course, and any smartphone owner would do well to remember that safety first should be a constant rule when you’re online.

The Samsung Galaxy mini takes the number one spot on the list, with the HTC Desire and Sony Ericsson Xperia X10 coming in at second and third.

According to research carried out by Bit9, 56% of Android phones in the marketplace run old and insecure versions of Google’s operating system.

It was also found that many of the top smartphone manufacturers, such as Samsung, HTC and LG, release devices with preinstalled out-of-date software, are slow to provide updates to owners and don’t do so regularly.

Indeed, as later models are produced, many manufacturers don’t provide updates at all, “leaving existing customers stranded with insecure software.”

“Smartphones are the new laptop and represent the fastest emerging threat vector,” said Harry Sverdlove, CTO of Bit9.

“In our bring-your-own-device work culture, people are using their smartphones for both personal and business use, and attacks on these devices are on the rise. This dynamic is changing the way corporations think about protecting their confidential data and intellectual property. This is the new security frontier.”

The report also gave the older Apple iPhone 4 an “honorary mention” at number thirteen on the list.

The research found that consumers only use their device as a traditional phone about 3% of the time, “illustrating that these devices are essentially the next generation of portable computers.”

Whilst the open nature of the Android platform has encouraged innovation, the model adopted by manufacturers and carriers “has created a chaotic and insecure environment.”

Vital security updates are often not distributed for months, if they are at all, and these are currently the responsibility of the manufacturers and mobile companies, not Android developers.

“This would be akin to buying a PC from Dell and relying on Dell to coordinate with your home Internet provider, instead of Microsoft, to update your Windows software,” Bit9 point out.

This means that smartphone customers who want the most up-to-date version of Android only really have the option of buying a new handset to obtain it, a situation which is plainly ridiculous.

Bit9 say that there is no simple solution to the problem, but consumers and security professionals need to begin putting pressure on manufacturers to be more responsible and timely in producing updates.

Alternatively, smartphone makers could “relinquish control of the operating system software updates.”

Businesses also need to be aware that the current trend of BYOD (bring your own device to work) could be putting their data at risk.

However, due to the way the Android ecosystem works, solving this could prove an impossible task.

It seems clear, given the continued rise in Android malware, that something needs to be done to secure the platform more effectively.

Whilst the open source nature of Android is in some respects a good thing, responsibility to protect its users must lie somewhere. Manufacturers don’t appear to understand the necessity of security updates, or perhaps they do but there are cost implications that deter them from providing them.

Google also needs to look at overhauling the submission process for app developers so that it’s not up to users alone to alert the Market to malicious apps.

The “Dirty Dozen” list of devices from Bit9 is as follows:

1: Samsung Galaxy Mini
2: HTC Desire
3: Sony Ericsson Xperia X10
4: Sanyo Zio
5: HTC Wildfire
6: Samsung Epic 4G
7: LG Optimus S
8: Samsung Galaxy S
9: Motorola Droid X
10: LG Optimus One
11: Motorola Droid 2
12: HTC Evo 4G

