
Bit9

It’s that time of the year again, when Bit9 releases its annual Dirty Dozen report to highlight software vulnerabilities and the risks they pose to both consumers and corporations – except this year is different. Instead of our usual report on the most vulnerable applications, we decided to tackle the fastest emerging threat vector facing the security industry… smartphones. There will soon be over ½ billion smartphones in use worldwide, with the majority of consumers using their devices for both personal and business use.

Smartphones running the Android operating system represent the majority of all new phone purchases. Unlike Apple iOS, RIM BlackBerry or Windows Phone, the phone manufacturer – not the software vendor – is responsible for providing Android software updates to its smartphones. Phone carriers also inject themselves into the process, selling further customized models and sometimes charging data usage for software updates. The result is chaos. As anyone who has ever owned an Android phone can attest, waiting for your phone to receive the latest Android release is like walking through prickly bushes – slow, painful, and sometimes buggy (except for the Google Nexus phone, the only model where Google is responsible for the software updates).

It should come as no surprise that all of the top 12 most vulnerable smartphones of 2011 are Android phones. More than half of all Android devices are running a version of the operating system that is over 18 months old. In this year’s report, we dove deep into the waters to understand how well manufacturers perform with regard to updates. The results were disappointing at best.

Most Android phones come to market at least one major version behind the latest Android release, and they stay around six months behind the update curve moving forward. Manufacturers come out with newer models every 12 to 18 months and quickly end-of-life their previous models, usually well before the two-year contracts most users sign with their carriers. Many times, updates are not pushed over-the-air (OTA). Users are required to go to support websites, download and unzip packages, manually back up their data, and wade through painful processes to get the latest updates. When OTA updates are released, they are staggered across geographies and phone carriers and can take months before reaching all affected models. Samsung – recently declared the world’s biggest smartphone vendor – performed the worst of the top four Android manufacturers. Initial releases and updates to Samsung Android phones fall, on average, eight months behind Android’s release schedule (that’s counting when they start rolling out updates; no one knows how long the process actually takes).

Why does any of this matter? Because the average smartphone user only spends about 3% of their device time actually using the phone. These are not phones which happen to be “smart”; these are small computers which happen to be phones. We use them for email, business documents, web browsing, online shopping, banking and more. They contain our private information and confidential data. We need to start viewing these devices with the same security scrutiny as we view normal computers and laptops.

All software has vulnerabilities. The Android code is no more vulnerable than Apple iOS or any other operating system. The issue is what happens when a flaw is discovered. The quicker a software update can be distributed, the more secure you are. The longer a device remains outdated with known vulnerabilities, the greater the risk.

The Android market has cultivated innovation and significant growth in the smartphone industry, but there are systemic problems in the distribution ecosystem which adversely impact security. It’s time to raise industry awareness and put pressure on the manufacturers and carriers to do better.

To read the complete Bit9 Report of The Most Vulnerable Smartphones of 2011, click here.

If you like this blog post, please follow us on Twitter @Bit9, Facebook and Google+.

* All information provided is accurate as of Nov. 3, 2011. As you can imagine, this information is constantly evolving and subject to change.
