More than half of most popular Android smartphones run outdated--and insecure--versions of the OS. And update policies vary.

Mathew J. Schwartz, Contributor

November 22, 2011

5 Min Read

10 Companies Driving Mobile Security

10 Companies Driving Mobile Security

10 Companies Driving Mobile Security (click image for larger view and for slideshow)

Buying a smartphone during the holiday season? Be careful. Some 56% of the top 20 smartphones on the market are running outdated and insecure versions of the Android operating system. Furthermore, despite the prevalence of two-year contracts with carriers, most manufacturers cease updating their phones after they've been on the market for just one year.

Which smartphones are the worst security offenders? A new study of the world's 20 most popular smartphones found that the least secure models (in order) are the Samsung Galaxy Mini, HTC Desire, Sony Ericsson Xperia X10, Sanyo Zio, and HTC Wildfire. Those phones are followed, still in order of decreasing insecurity, by the Samsung Epic 4G, LG Optimus S, Samsung Galaxy S, Motorola Droid X, LG Optimus One, Motorola Droid 2, and HTC Evo 4G.

Of course, some Android smartphones are more secure than others. In particular, of the top 20 smartphones studied, the most secure were the Samsung Nexus S, HTC Droid Incredible, Samsung Galaxy S2, HTC Sensation, and the T-Mobile G2.

[ How big of a problem is smartphone security, really? Read Android Security Becomes FUD Fest. ]

To assemble that list, researchers at security vendor Bit9 looked at the top 20 smartphones by market share--as of Oct., 26, 2011--and then ranked them based on which ones were running the most out-of-date and insecure software, and which had the slowest update cycles. It subtracted further points for carriers that released updates via their support forums--requiring users to jump through hoops with a manual download, followed by unzipping the file and having to root their phone--rather than pushing updates automatically, over the air.

Updating the operating system quickly is key, since many smartphone attacks come by way of malicious applications that exploit known operating system vulnerabilities. That's how the DroidDream malware seen earlier this year spread so rapidly. Ultimately, Google used its "kill switch" to remove the malware from about 300,000 phones, and released a new version of Android that blocks the attack. But almost none of the top 20 smartphones reviewed by Bit9 last month had yet been updated by carriers or manufacturers to the newer, safer version of Android.

As that suggests, don't blame poor smartphone security on users failing to install updates. In fact, the Bit9 report places the blame fully on phone manufacturers--for failing to release timely updates--as well as on telephone carriers who insist on "skinning" their versions of Android, which may introduce entirely new vulnerabilities, and which invariably delays updates. Indeed, 56% of the top 20 Android smartphones now run a version of the operating system--Android 2.2 and earlier--that's at least 18 months out of date.

Furthermore, after Google released a new version of Android, it took manufacturers and carriers another 198 days, on average, to actually get it onto their handsets. "The problem with Android is that the distribution of their updates, the responsibility falls on the manufacturer, not on Google," said Harry Sverdlove, CTO of Bit9. "The metaphor I used to use was it would be akin to buying a personal computer from Dell, and having Dell be responsible for updating Windows for you."

But he said the smartphone situation is even more opaque now, because manufacturers vary their release schedule based on different carriers, and may--Sverdlove has no hard evidence for this, he's only heard rumors--even charge carriers for releasing updates. Meanwhile, carriers typically ship smartphones with versions of Android that are already six months out of date, and then delay or even fail to release updates, based on cost or geographical considerations. "So it would be akin to buying a PC from Dell, and having Dell work with your Internet service provider, and having the combination of those two controlling when you get software updates," he said. "And it would be complete chaos."

While the top 12 most vulnerable phones share a commonality--they all run flavors of Android--Sverdlove stressed that the report isn't meant to be read as a "who's more secure?" contest. "We're not saying that Android is more vulnerable than iOS; all operating systems have vulnerabilities," he said. "And iOS actually has more than Android in terms of known vulnerabilities, which are logged in the National Vulnerability Database."

Furthermore, Android now commands 52.3% of the worldwide smartphone market, according to Gartner Group. All told, 60 million Android smartphones shipped in the third quarter of this year, it said, compared with 20 million Symbian handsets, and 17 million iPhones. Accordingly, there are simply more Android phones at large.

But Bit9 did award the iPhone 4 and earlier models an honorary thirteenth place on its most-vulnerable list. Because the iPhone 4S features over-the-air updates, it's not included. Based on highly anecdotal evidence--a local news station's interview with an employee at an Apple Genius Bar--cited by Sverdlove, about 50% of pre-iPhone 4S users may have never docked their device, meaning that post-purchase, they would never have updated it. But it's tough to judge how iPhone security stacks up against Android security, especially since Apple didn't release iOS adoption rates before version 4.

On the plus side, however, at least one-third of iOS users are now on version 5, even though it was only released about a month ago. On the downside, however, "if you happen to be one of the owners of the original iPhone or iPhone 3, they've been 'end of lifed'--they're orphaned and don't get updates," he said. With obsolescence comes decreasing security, no matter the make or model of smartphone.

The Enterprise Connect conference program covers the full range of platforms, services, and applications that comprise modern communications and collaboration systems. It happens March 25-29 in Orlando, Fla. Find out more.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights