If you’re the owner of a mobile device running Google’s Android mobile OS, the chances are pretty good that your device is vulnerable to attack, according to data from the firm Duo Security.
Duo’s X-Ray mobile vulnerability assessment software found known, unpatched vulnerabilities on one in two of the Android devices it was installed on, flaws that could be used to take “full control of users’ phones,” according to a post by Duo CTO (and security Ninja) Jon Oberhide.
And 50% may be a conservative figure, Oberhide warned.
Writing on the company’s blog, Oberhide said that carriers’ conservative approach to rolling out patches to fix Android vulnerabilities is a big part of the problem.
Duo’s X-Ray application was released in July and has already been installed on 20,000 devices – a pretty good data set.
The application collects information on the version of the Android operating system a device is running, the carrier and any potentially vulnerable software.
Oberhide said that vulnerabilities on Android devices are a serious security problem and that vulnerable devices “often remain vulnerable for months and even years.”
“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far,” Oberhide wrote.
Exploitable vulnerabilities are inevitable in complex software applications and operating systems, and Duo says that Apple mobile devices like the iPhone and iPad could contain vulnerabilities as well.
However, Apple and Google have taken radically different paths to market, with Apple retaining strict control over its operating system and the hardware platform it runs on. That has enabled the Cupertino, California company to easily and quickly push out operating system updates to its entire user base, regardless of carrier.
Google, however, offered its operating system as an open source offering that could run on any hardware.
That’s been great for building a worldwide user base. Carriers and handset makers partnered to roll their own Android devices, each with a different version of the OS and a mélange of different applications and components.
That leaves Android device owners at the mercy of both their carrier and the handset maker if they want a security update to patch a serious, remotely exploitable hole. Each update from Google has to be tested against a particular hardware platform by the manufacturer, then pushed out through carriers who are reluctant to do anything that might rile their mobile customer base.
“Essentially, in the Android ecosystem we are in a worse place than with pre-millennium Windows, before Automatic Updating was released,” said Vanja Svajcer, a principal malware researcher at Sophos. “The main difference is that with Windows we did not have IBM, HP, Toshiba and Dell producing their own versions of the operating system and Best Buy, Walmart and Amazon deciding when to update.”
Svajcer said the current, decentralized system of updates isn’t sustainable: “Something will have to change with Android updating soon if we do not want to witness mass compromises of Android devices on a scale reminiscent of Nimda, Code Red and other large Windows outbreaks from the beginning of the decade.”
Oberhide presented the results of his company’s survey of Android devices at the UNITED Security Summit in San Francisco on Friday, September 14.