Android Buyers Find Smartphone Update Chaos

After Google releases a new version of Android, the time it takes carriers to update your phone varies wildly right now. One security expert says consumers must vote with their wallets.
How can consumers who want to buy a new smartphone, or businesses that want to issue smartphone recommendations to employees, assess which devices offer the best security?

That was the question posed by Harry Sverdlove, CTO of Bit9, in his recent quest to ascertain which of the world's 20 most popular smartphones were the least secure.

One of his most interesting findings is just how much time it takes for phones to be updated, after Google releases a new version of Android. Some manufacturers, however, are better than others. "Of the top three Android manufacturers--Samsung, HTC, Motorola--Samsung is the worst offender by far, then HTC, then Motorola," said Sverdlove in an interview. "So Motorola, for what it's worth, was the best at maintaining their updates."

What counts as the worst at updating? Samsung took 316 days to patch its Galaxy Mini, after Google released an Android update. The fastest Motorola update, meanwhile, was for Droid X--and still required 141 days to appear.

[Google shared some interesting statistics about its Android platform during the recent Google Music press conference. See Android Hits 200 Million Activations.]

Coming by that data wasn't easy. Bit9 has long released an annual study rounding up the top Windows vulnerabilities, to help IT administrators know what to patch first. Sverdlove said he wanted to do the same for smartphones, especially in light of the "bring your own device" trend in the workplace. But writing the Windows report, which relied on publicly compiled vulnerability information, was a cakewalk compared to researching Android variants, he said, because anyone can take the open-source operating system and literally do anything that they want to it.

"As a security professional, it's the most chaotic thing I've ever seen. For creativity, innovation, growth, speed of change, it's a great, open space," he said. "But as a security professional trying to understand as a consumer, how secure is my phone, and as a company, how secure is my company if my users are bringing phones to work? It's a nightmare."

Ranking the security of the top 20 smartphones was further complicated by the dearth of easily accessible information about updates. "We went to the manufacturers' websites, the carriers' websites, we looked at release notes, and they'll claim to have an update available, but typically it's a highly intensive process," said Sverdlove. By intensive, he means "going through this process that the average human being isn't going to do," including locating the update, downloading and unzipping it, and then manually rooting the smartphone to be able to install the update.

Another complication was that although some carriers list update release dates, they fail to note "unrelease" dates. "There were at least three different cases where the manufacturer rolled out an update and then pulled it within two weeks, because it was completely unstable for their overlays," he said, referring to the skins or enhancements that carriers often make to the basic Android operating system. In two cases, a replacement update appeared about a month later. But the LG Optimus S still hasn't been updated, since LG rolled back the latest update in September.

With consumers bringing their own phones to work, there's not a lot that IT professionals can do to attack the smartphone security problem at the source. "The manufacturers are incented to come out with new phones," he said. "On average, we found that phones are getting 'end-of-lifed' within a year of being released," meaning phones then see no further updates. "But in most cases, you're signing two-year contracts."

Accordingly, "something about the Android ecosystem needs to change," he said. "Either the manufacturers need to prioritize security...or they need to relinquish control of the software and the security updates to the software vendors." He cites two good models for the latter approach: Apple iOS, and the Google Nexus smartphone. "Google makes it through Samsung, but it essentially behaves like Apple's model. When the update comes out, everyone with a Google Nexus has it within a day," he said.

Until one of those two Android ecosystem-level fixes happens, Sverdlove recommends that consumers vote on smartphone security with their wallets. "Right now, we vote by liking a keyboard or not, two cameras, the screen quality," he said. "We don't think, 'Is this phone going to be regularly updated and secure?' But if we started purchasing devices that are more secure and frequently updated, that's the loudest voice you can have."
