Almost 90% of Android devices, an impressive number, are exposed to at least one critical vulnerability or security flaw. The problems are not related to a lack of “quality” in the operating system code; direct responsibility lies with the device manufacturers, who too often leave their devices to a sad fate, no longer receiving patches and security fixes. The warning comes from the University of Cambridge.
The problem, however, seems to lie further upstream, and there appears to be confusion over who should release security patches after the release from Google: “There is asymmetry in information between the producer, who knows if the device is safe and will receive security updates, and the customer, who does not know,” said Daniel Thomas, Andrew Rice and Alastair Beresford in the document issued by the University.
The market research was conducted by analyzing nearly 20,000 Android devices with the Device Analyzer application, and about 87% of the samples were found vulnerable to at least one of the 11 bugs publicly disclosed in the past five years. Among these are the recent TowelRoot, fixed for example by Cyanogen last year, and FakeID. The researchers also found that Android devices receive on average 1.26 updates per year, which is very few.
“Our hope is that by quantifying the problem we can help people in choosing a smartphone, while prompting manufacturers and operators to release updates,” said Rice. Many manufacturers are working to release security updates quickly; among these, Samsung and LG have said they will release security updates monthly, just as Google does with the Nexus devices.
However, some manufacturers, such as HTC, consider monthly updates unrealistic, especially when telephone operators also have to be involved for branded devices.
The study conducted by the University of Cambridge also tried to score Android manufacturers on their security efforts. The score (FUM) is based on three criteria: F, the proportion of devices without critical vulnerabilities among those known; U, the proportion of devices updated to the latest version available; M, the number of vulnerabilities that the manufacturer has not properly fixed on devices in circulation.
On a scale of 0 to 10, Google is firmly in first position with a score of 5.2, followed by LG (4.0) and Motorola (3.1). Next come Samsung, Sony and HTC, and the situation is even more disheartening for other, less well-known manufacturers. Interestingly, the study was partly sponsored by Google itself, which probably wants to send a very strong signal to the partners that produce smartphones and tablets.