On Thursday, September 12, Duo Security, a young-but-respected vendor of two-factor authentication devices, announced the preliminary results of a study of over 20,000 Android devices from a two month old study they performed. Based on the results, they calculated that over half of Android devices on the market have security vulnerabilities that are, as yet, unpatched. The full announcement can be read on their blog at Early Results from X-Ray: Over 50% of Android Devices are Vulnerable.
Duo Security’s report is interesting, because it highlights a problem that’s fundamentally not due to any weakness in Android, but rather its success. In four years’ time, Google’s Android operating system has gone from having no presence at all (0%) to a 68.1% share of the smartphone market (source: IDC), taking away market share from Apple, BlackBerry, Microsoft, Nokia and other developers of smartphone operating systems. One of the reasons for that growth curve is because the cost to manufacturers for using Android is much lower than for competing operating systemsâ€”most of the operating system’s source code, the actual instructions on how it works, can be had for free, making it far less expensive for manufacturers to create devices such as smartphones and tablets using it.
This low cost of entry leads to multiple entrants in the smartphone (and, more recently, tablet) space, including Asus, Lenovo, LG, Motorola, Samsung and Toshiba, to name a few. Each manufacturer creates devices they think will be best for the market, choosing to addâ€”and sometimes, remove or replaceâ€”features from the base operating system. And those smartphones are, in turn, further customized by carriers such as AT&T, Bell, Rogers, Sprint, T-Mobile, Vodafone, Verizon and so forth. Which leads us to the real problem the Android platform has: Fragmentation.
Because there are so many different Android devices out there with such varying hardware, each one ends up with an Android operating system and default set of applications which are slightly different from each other device, and further vary based on the carrier network for the device. In case you’re wondering how many that is, one organization identified just under 3,997 different devices as of mid-2012 (source: Android Fragmentation Visualized, Staircase 3, Inc.).
Unlike desktop operating systems, which are designed to be updated by the user, or smartphones from Apple, which are updated by the manufacturer, but have little to no difference between carriers, this outpouring of Android archetypes makes it difficult for manufacturers and carriers to provide security updates; as in this increasingly competitive market they are more focused on fixing any major problems that are noticed by consumers (short battery life, poor reception, crashes and data loss, etc.) and getting the next device out before their rivals, as opposed to providing a sustained upgrade experience, including security updates, with their current devices. Part of the problem is the cost of testing and deploying updates; it’s expensive to do so, and if a mistake is made, a device could be “bricked,” e.g., rendered inoperable until reset by the factory.
Does this mean that Android is doomed to be plagued by gaping security holes? For the time being, no, and here’s why: Manufacturers and carriers recognize this is a problem, and some have now begun to factor maintenance costs for upgrades into their device life-cycles. Also, the Android community of users itself has come to the rescue, with hobbyists pooling together to create “unofficial” updates for Android devices; ones which include security fixes and updates not provided by the manufacturer. They often perform better than the “stock” operating systems and applications provided at the time of purchase.
The success of Android does mean that criminals are beginning to take notice of it as well and look for ways to take advantage of this new platform. At ESET, only a small fraction of the malware we see on a daily basis is for Android, and almost all of that is either from third-party app stores or actually from PCs, not Android devices, sharing infected apps on peer-to-peer networks. Yesterday, ESET Researcher Pierre-Marc Bureau wrote about one criminal gang looking to monetize the Android platform here in ESET Threat Blog. See Dancing Penguins A Case of Organized Android Pay Per Install for his article.
So, what can a consumer do to keep their Android smartphone or tablet safe from digital intruders? Here are four guidelines to keeping your device safe and secure:
No popular operating system is going to be free of threats; by their very nature, they are going to be targeted. But that doesn’t mean you have to be a victim: With a small amount of caution, education and security software on your side, you can easily manageâ€”and, in fact, greatly reduceâ€” the risk of becoming a statistic in a vulnerability study for your platform of choice.
Aryeh Goretsky, MVP, ZCSE