Android security still a mess
New figures reveal half of Android devices aren’t receiving important security updates — although Google promises that things are improving. Shaun Prescott investigates.
The best thing about Android is that it’s a relatively open platform and phone manufacturers can adapt it. The worst thing about Android is that, when security updates are left in the hands of phone manufacturers, they too often fall by the wayside. In a recent report on its security progress, Google revealed that its security updates had reached 735 million devices in 2016, which, on the face of it at least, is an impressive-sounding statistic. The problem is: this figure only accounts for around half of the Android install base. Globally, there are 1.4 billion active devices running Google’s mobile OS.
That means one in two Android phones could be open to security breaches. The thing is, there’s not much that Google can directly do to address this, because it’s the manufacturers or phone-service providers who generally decide when updates will be rolled out. Reading the report, it seems to be more a matter of coordinating workflow than blatant irresponsibility on their part, but it’s still undeniably a serious problem. It’s one Google is still working to address. “About half of devices in use at the end of 2016 had not received a platform security update in the previous year,” the company wrote in a blog post accompanying the report. “We’re working to increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches.”
While it’s true that “blatant irresponsibility” may not be the cause for delayed security updates on some Android phones, in the end, it doesn’t really matter why those updates are coming late: all that matters is that they are, and that they shouldn’t. The problem is amplified by the fact that, at a guess, most people won’t even be aware whether their phones are protected or not. Worse still, most will assume they are.
The report follows the great Stagefright scare of 2015, in which a vulnerability allowed attackers to remotely control a victim’s device. At the time, Samsung announced it would work to get security updates out in a “more timely” manner. Later, the company began issuing updates at roughly the same monthly clip as Google — though these often only appeared in a timely fashion on unlocked phones that had been purchased outright, rather than those on a phone plan.
And that’s seemingly the rub — not all carriers and manufacturers are following in Samsung’s footsteps, though the company has cut the roll-out time from 6–9 weeks down to a matter of days. Meanwhile, these parties being slow on the core security updates isn’t the only problem, as outdated phones running old versions of Android are also at risk. Whatever the case, it does add to the list of “things to worry about” when shopping around for a new phone, and a little vigilance after a purchase won’t go astray, either.