Android Buyer Beware: 12 Least Secure Phones - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Android Buyer Beware: 12 Least Secure Phones

More than half of most popular Android smartphones run outdated--and insecure--versions of the OS. And update policies vary.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Buying a smartphone during the holiday season? Be careful. Some 56% of the top 20 smartphones on the market are running outdated and insecure versions of the Android operating system. Furthermore, despite the prevalence of two-year contracts with carriers, most manufacturers cease updating their phones after they've been on the market for just one year.

Which smartphones are the worst security offenders? A new study of the world's 20 most popular smartphones found that the least secure models (in order) are the Samsung Galaxy Mini, HTC Desire, Sony Ericsson Xperia X10, Sanyo Zio, and HTC Wildfire. Those phones are followed, still in order of decreasing insecurity, by the Samsung Epic 4G, LG Optimus S, Samsung Galaxy S, Motorola Droid X, LG Optimus One, Motorola Droid 2, and HTC Evo 4G.

Of course, some Android smartphones are more secure than others. In particular, of the top 20 smartphones studied, the most secure were the Samsung Nexus S, HTC Droid Incredible, Samsung Galaxy S2, HTC Sensation, and the T-Mobile G2.

[ How big of a problem is smartphone security, really? Read Android Security Becomes FUD Fest. ]

To assemble that list, researchers at security vendor Bit9 looked at the top 20 smartphones by market share--as of Oct., 26, 2011--and then ranked them based on which ones were running the most out-of-date and insecure software, and which had the slowest update cycles. It subtracted further points for carriers that released updates via their support forums--requiring users to jump through hoops with a manual download, followed by unzipping the file and having to root their phone--rather than pushing updates automatically, over the air.

Updating the operating system quickly is key, since many smartphone attacks come by way of malicious applications that exploit known operating system vulnerabilities. That's how the DroidDream malware seen earlier this year spread so rapidly. Ultimately, Google used its "kill switch" to remove the malware from about 300,000 phones, and released a new version of Android that blocks the attack. But almost none of the top 20 smartphones reviewed by Bit9 last month had yet been updated by carriers or manufacturers to the newer, safer version of Android.

As that suggests, don't blame poor smartphone security on users failing to install updates. In fact, the Bit9 report places the blame fully on phone manufacturers--for failing to release timely updates--as well as on telephone carriers who insist on "skinning" their versions of Android, which may introduce entirely new vulnerabilities, and which invariably delays updates. Indeed, 56% of the top 20 Android smartphones now run a version of the operating system--Android 2.2 and earlier--that's at least 18 months out of date.

Furthermore, after Google released a new version of Android, it took manufacturers and carriers another 198 days, on average, to actually get it onto their handsets. "The problem with Android is that the distribution of their updates, the responsibility falls on the manufacturer, not on Google," said Harry Sverdlove, CTO of Bit9. "The metaphor I used to use was it would be akin to buying a personal computer from Dell, and having Dell be responsible for updating Windows for you."

But he said the smartphone situation is even more opaque now, because manufacturers vary their release schedule based on different carriers, and may--Sverdlove has no hard evidence for this, he's only heard rumors--even charge carriers for releasing updates. Meanwhile, carriers typically ship smartphones with versions of Android that are already six months out of date, and then delay or even fail to release updates, based on cost or geographical considerations. "So it would be akin to buying a PC from Dell, and having Dell work with your Internet service provider, and having the combination of those two controlling when you get software updates," he said. "And it would be complete chaos."

While the top 12 most vulnerable phones share a commonality--they all run flavors of Android--Sverdlove stressed that the report isn't meant to be read as a "who's more secure?" contest. "We're not saying that Android is more vulnerable than iOS; all operating systems have vulnerabilities," he said. "And iOS actually has more than Android in terms of known vulnerabilities, which are logged in the National Vulnerability Database."

Furthermore, Android now commands 52.3% of the worldwide smartphone market, according to Gartner Group. All told, 60 million Android smartphones shipped in the third quarter of this year, it said, compared with 20 million Symbian handsets, and 17 million iPhones. Accordingly, there are simply more Android phones at large.

But Bit9 did award the iPhone 4 and earlier models an honorary thirteenth place on its most-vulnerable list. Because the iPhone 4S features over-the-air updates, it's not included. Based on highly anecdotal evidence--a local news station's interview with an employee at an Apple Genius Bar--cited by Sverdlove, about 50% of pre-iPhone 4S users may have never docked their device, meaning that post-purchase, they would never have updated it. But it's tough to judge how iPhone security stacks up against Android security, especially since Apple didn't release iOS adoption rates before version 4.

On the plus side, however, at least one-third of iOS users are now on version 5, even though it was only released about a month ago. On the downside, however, "if you happen to be one of the owners of the original iPhone or iPhone 3, they've been 'end of lifed'--they're orphaned and don't get updates," he said. With obsolescence comes decreasing security, no matter the make or model of smartphone.

The Enterprise Connect conference program covers the full range of platforms, services, and applications that comprise modern communications and collaboration systems. It happens March 25-29 in Orlando, Fla. Find out more.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll