11/22/2011
11:18 AM
Android Buyer Beware: 12 Least Secure Phones

More than half of the most popular Android smartphones run outdated--and insecure--versions of the OS. And update policies vary.

Buying a smartphone during the holiday season? Be careful. Some 56% of the top 20 smartphones on the market are running outdated and insecure versions of the Android operating system. Furthermore, despite the prevalence of two-year contracts with carriers, most manufacturers cease updating their phones after they've been on the market for just one year.

Which smartphones are the worst security offenders? A new study of the world's 20 most popular smartphones found that the least secure models (in order) are the Samsung Galaxy Mini, HTC Desire, Sony Ericsson Xperia X10, Sanyo Zio, and HTC Wildfire. Those phones are followed, still in order of decreasing insecurity, by the Samsung Epic 4G, LG Optimus S, Samsung Galaxy S, Motorola Droid X, LG Optimus One, Motorola Droid 2, and HTC Evo 4G.

Of course, some Android smartphones are more secure than others. In particular, of the top 20 smartphones studied, the most secure were the Samsung Nexus S, HTC Droid Incredible, Samsung Galaxy S2, HTC Sensation, and the T-Mobile G2.

To assemble that list, researchers at security vendor Bit9 looked at the top 20 smartphones by market share--as of Oct. 26, 2011--and then ranked them based on which ones were running the most out-of-date and insecure software, and which had the slowest update cycles. They subtracted further points for carriers that released updates via their support forums--requiring users to jump through hoops with a manual download, followed by unzipping the file and having to root their phone--rather than pushing updates automatically, over the air.

Updating the operating system quickly is key, since many smartphone attacks come by way of malicious applications that exploit known operating system vulnerabilities. That's how the DroidDream malware seen earlier this year spread so rapidly. Ultimately, Google used its "kill switch" to remove the malware from about 300,000 phones, and released a new version of Android that blocks the attack. But almost none of the top 20 smartphones reviewed by Bit9 last month had yet been updated by carriers or manufacturers to the newer, safer version of Android.

As that suggests, don't blame poor smartphone security on users failing to install updates. In fact, the Bit9 report places the blame fully on phone manufacturers--for failing to release timely updates--as well as on telephone carriers who insist on "skinning" their versions of Android, which may introduce entirely new vulnerabilities, and which invariably delays updates. Indeed, 56% of the top 20 Android smartphones now run a version of the operating system--Android 2.2 and earlier--that's at least 18 months out of date.

Furthermore, after Google released a new version of Android, it took manufacturers and carriers another 198 days, on average, to actually get it onto their handsets. "The problem with Android is that the distribution of their updates, the responsibility falls on the manufacturer, not on Google," said Harry Sverdlove, CTO of Bit9. "The metaphor I used to use was it would be akin to buying a personal computer from Dell, and having Dell be responsible for updating Windows for you."

But he said the smartphone situation is even more opaque now, because manufacturers vary their release schedule based on different carriers, and may--Sverdlove has no hard evidence for this, he's only heard rumors--even charge carriers for releasing updates. Meanwhile, carriers typically ship smartphones with versions of Android that are already six months out of date, and then delay or even fail to release updates, based on cost or geographical considerations. "So it would be akin to buying a PC from Dell, and having Dell work with your Internet service provider, and having the combination of those two controlling when you get software updates," he said. "And it would be complete chaos."

While the top 12 most vulnerable phones share a commonality--they all run flavors of Android--Sverdlove stressed that the report isn't meant to be read as a "who's more secure?" contest. "We're not saying that Android is more vulnerable than iOS; all operating systems have vulnerabilities," he said. "And iOS actually has more than Android in terms of known vulnerabilities, which are logged in the National Vulnerability Database."

Furthermore, Android now commands 52.3% of the worldwide smartphone market, according to Gartner Group. All told, 60 million Android smartphones shipped in the third quarter of this year, it said, compared with 20 million Symbian handsets, and 17 million iPhones. Accordingly, there are simply more Android phones at large.

But Bit9 did award the iPhone 4 and earlier models an honorary thirteenth place on its most-vulnerable list. Because the iPhone 4S features over-the-air updates, it's not included. Based on highly anecdotal evidence--a local news station's interview with an employee at an Apple Genius Bar--cited by Sverdlove, about 50% of pre-iPhone 4S users may have never docked their device, meaning that post-purchase, they would never have updated it. But it's tough to judge how iPhone security stacks up against Android security, especially since Apple didn't release iOS adoption rates before version 4.

On the plus side, however, at least one-third of iOS users are now on version 5, even though it was only released about a month ago. On the downside, however, "if you happen to be one of the owners of the original iPhone or iPhone 3, they've been 'end of lifed'--they're orphaned and don't get updates," he said. With obsolescence comes decreasing security, no matter the make or model of smartphone.

Comments
Mathew,
User Rank: Moderator
11/23/2011 | 5:07:18 PM
re: Android Buyer Beware: 12 Least Secure Phones
@ANON1243535255282:
Great point. I hadn't realized that OTA updates work for older devices with iOS5 too, thanks for the heads-up. There's another reason to update to iOS5 if you're using an older version. And yes, the "iron grip" has upsides and downsides. But I doubt this research will convince anyone to go for one platform over the other. More to beware of companies pushing Android handsets that don't get updated. (Besides the security downside, that means you're also missing out on the latest features.)

@PK3372:
Must disagree. Security 101: Older versions of any operating system have more known vulnerabilities, which makes using them more risky, because they're easier to attack/exploit. Goes for Windows, Mac OS, Linux, Android, or iOS. (Orphaned iOS devices, notably, are susceptible to a well-known man-in-the-middle data sniffing attack.) But whereas Windows and iOS push updates in a relatively timely fashion, *many* of the manufacturers and carriers that use Android do not. If you find nothing wrong with that situation, more power to you.

@DLORD330:
Apologies for the lack of easy scannability. Bullet-listing all of the phones is a great idea, though seemed like it might take up quite a lot of vertical space. But we'll add a link to the actual report, which offers the info in a more easily digestible fashion. And I'll talk to the website elves about a bandwidth infusion.
Leo Regulus,
User Rank: Apprentice
11/23/2011 | 3:13:16 PM
re: Android Buyer Beware: 12 Least Secure Phones
hmmmm....... There wasn't really a 'list' here, was there? You had two sentences with the cited subjects separated by commas. Not really 'reader-friendly' (IMHO). So, I pasted the whole thing into a Word Doc and hit Enter after each one of those commas. I blocked the resulting column and hit the columns function for 3 columns. VOILA !! Something that I can read and grasp at a glance. Okay, so I've got too much time on my hands, but you've got to do better for us dyslectic kids. And one more thing, your pages are loading MUCH too slow and I often open several at a time while others are continuing to load. You probably need to add some more bandwidth to your budget. Have a Happy Holiday !
PK3372,
User Rank: Apprentice
11/23/2011 | 12:00:17 AM
re: Android Buyer Beware: 12 Least Secure Phones
That is the most ill informed story I have ever read about Android security.

It cites pretty much one source and an Apple genius bar. Earlier versions don't make Android a security threat. People downloading third party apps after unselecting a check mark for allowing third-party apps, going to some shifty site in Russia, downloading, ignoring the permissions warning and then using app. Besides even spreading a virus through a phone network is highly unlikely.

Android security apps are a scam.

This story is more like an Apple products PR plant.
ANON1243535255282,
User Rank: Apprentice
11/22/2011 | 11:29:41 PM
re: Android Buyer Beware: 12 Least Secure Phones
Um ... my iPhone 4 can do over-the-air updates, as can the 3GS ... once iOS 5 is installed. When the 5.01 update came out it definitely surprised me since I was used to "gotta dock it to update it." But it went without a hitch.

That by itself doesn't make the iPhone more or less secure than its Android brethren, but I think Apple's iron grip on iOS might.