on the findings of a paper
by Daniel Thomas, Alastair Beresford and Andrew Rice, security researchers at the University of Cambridge. It concluded that 87 percent of all Android devices are vulnerable to at least one of 11 bugs exposed to the public domain during the past five years.
The team argues that this puts user privacy at risk and will ultimately lead to phones becoming riddled with malware and viruses. There is little that Android users can currently do to protect themselves as fixes for bugs in the core of Android have to be issued in operating system updates. Many manufacturers never release these updates, preventing people from getting the protection they should be entitled to.
Over 20,000 Android devices were assessed using the Device Analyzer app to provide the data for the study. Most phones received an average of only 1.26 updates per year even though Google issues monthly security releases to the open-source Android project.
The researchers write in the paper
: "There is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not."
Recently, things have begun to improve. Both Samsung and LG have committed to issuing monthly security updates for recent models of their phones amid widespread coverage of the critical "Stagefright" bug. However, the efforts
of Samsung and LG only go so far and most other manufacturers have yet to follow suit.
HTC has publicly refused to offer monthly updates, saying they are
"unrealistic" because each one has to be approved by the carriers who offer its phones. This is part of the reason why many handsets never receive updates despite Google often releasing fixes within days of being alerted to a vulnerability. The manufacturer has to customise it to work with their own software and then send it for approval with the networks who offer the phone.
Google's own Nexus devices have always received regular security patches as they run stock Android and have no manufacturer or carrier customisations. This led to products from the Nexus line scoring highest overall in a scoring system
devised by the researchers that allows individual hardware vendors to be rated and compared.
Google had a clear lead at 5.2 while LG held a strong second with 4.0. Motorola came third with 3.1 and Samsung picked up fourth with a score of 2.7. Other manufacturers obtained progressively lower scores. Rankings were based on three factors: the proportion of devices free from critical vulnerabilities, the proportion of devices updated to the most recent Android version and the number of as-yet unfixed vulnerabilities in devices.
The team described the Android security market "like the market for lemons", emphasising that hardware manufacturers should do more to help protect the people who buy their phones. Even when devices do receive updates, it is typically for the high-performance flagship units first rather than the high-frequency budget devices that more people own.