A group of Cambridge researchers discovered that as many as 87 percent of the existing Android devices on the market are exposed to at least one of 11 bugs that were made public in the last five years. The researchers acquired the data by getting over 20,000 Android users to install their Device Analyzer app, which checks the phones for those vulnerabilities.
The researchers found that Android devices get an average of only 1.26 updates per year. Even enterprise customers, who need prompt updates and long periods of support, don't have an easy way of identifying which Android OEMs are best at patching their phones, and which phone models get patched the most.
“The difficulty is that the market for Android security today is like the market for lemons: there is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not," said the research paper.
To fix this information asymmetry problem, the research group, which was partly sponsored by Google, created a security update scoring system called FUM. The letters have the following meaning:
F - the proportion of existing devices that are free from critical vulnerabilities over time.U - the proportion of devices that run the latest version of Android shipped to any device produced by that device manufacturer.M - mean number of outstanding vulnerabilities affecting devices not fixed on any device shipped by the device manufacturer.
The researchers believe this score will help both consumers and enterprise customers determine from which device manufacturer they should buy their smartphones. It should also ultimately encourage OEMs to improve their update stories, unless they want more and more customers to stop buying from them.
As the paper has already determined, the bottleneck in patching Android devices lies not with Google, or the consumers, but with the OEMs, which are slow to deliver those updates.
The researchers found that out of a score of 10, Android as a whole gets only 2.87 for how updates are handled in general. The devices with the best historical update support are Nexus phones, which received a score of 5.2. LG follows up with 4.0 for its devices, and then Motorola with 3.1. Samsung, Sony, HTC and Asus all score under 3.
The FUM scores will be released and updated on the AndroidVulnerabilities.org website. Users can install the Device Analyzer app to see how their device rates, and it will also help the researchers gather more data about how the various Android devices are doing with updates within the ecosystem. Ultimately, this may incentivize device manufacturers to become much more serious about providing updates to the products they want their customers to buy.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.