
Cambridge Study Analyzes State of Android Security

by Sergio De Simone on Oct 22, 2015

Researchers at the University of Cambridge have carried out extensive research to assess security across Android devices, Android versions, and years. Their findings show that, on average, 87% of Android devices were vulnerable over the last four years.

The University of Cambridge study focused on critical vulnerabilities that allow an app, either malicious or compromised, to gain root privileges. The researchers based their methodology on data provided by volunteers from across the globe through an app they developed, Device Analyzer.

Proportion of devices running vulnerable versions of Android

Daniel Thomas, lead author of the study, clarified that the results are based on data collected from over 20,000 devices and that his group is looking forward to recruiting even more contributors. The data coming from volunteers’ devices is combined with available information about known vulnerabilities to produce a FUM score for each manufacturer. The FUM score takes into account the proportion of devices free from known vulnerabilities, the proportion of devices running the latest Android version, and the mean number of vulnerabilities that a given manufacturer has not fixed on a given device. This gives a score between 0 and 10 that measures how well different manufacturers are doing. At the top of the scale are Google, LG, and Motorola, with scores of 5.2, 4.0, and 3.1 respectively. Samsung, Sony, and HTC follow with scores around 2.5.
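To make the three components concrete, here is an added sketch (not code from the study or from InfoQ) that aggregates per-device observations into f, u and m and combines them into a 0 to 10 score. The article does not state the formula; the weighting 4f + 3u + 3·2/(1+e^m) is assumed from the study's paper, and the vendor names, row layout and sample values are constructed.

```python
import math
from collections import defaultdict

# Constructed sample data (not from the study). One row per device-day:
# (manufacturer, free_of_known_critical_vulns, runs_latest_android,
#  known vulnerabilities the manufacturer has not fixed on that device)
OBSERVATIONS = [
    ("VendorA", True,  True,  0),
    ("VendorA", True,  True,  0),
    ("VendorA", False, False, 1),
    ("VendorA", True,  False, 1),
    ("VendorB", False, False, 3),
    ("VendorB", False, False, 2),
    ("VendorB", True,  False, 1),
    ("VendorB", False, True,  2),
]

def fum_score(f, u, m):
    """Combine the three components into a 0-10 score.

    Assumed weighting (from the study's paper, not this article):
    4*f + 3*u + 3 * 2/(1 + e^m). The last term is 3 when m == 0 and
    decays towards 0 as unfixed vulnerabilities accumulate.
    """
    if not (0.0 <= f <= 1.0 and 0.0 <= u <= 1.0) or m < 0:
        raise ValueError("f and u are proportions in [0, 1]; m must be >= 0")
    return 4 * f + 3 * u + 3 * 2 / (1 + math.exp(m))

def score_manufacturers(rows):
    """Aggregate device-day rows into {manufacturer: (f, u, m, score)}."""
    grouped = defaultdict(list)
    for vendor, free, latest, unfixed in rows:
        grouped[vendor].append((free, latest, unfixed))
    result = {}
    for vendor, obs in grouped.items():
        n = len(obs)
        f = sum(1 for free, _, _ in obs if free) / n
        u = sum(1 for _, latest, _ in obs if latest) / n
        m = sum(unfixed for _, _, unfixed in obs) / n
        result[vendor] = (f, u, m, fum_score(f, u, m))
    return result

if __name__ == "__main__":
    for vendor, (f, u, m, score) in sorted(score_manufacturers(OBSERVATIONS).items()):
        print(f"{vendor}: f={f:.2f} u={u:.2f} m={m:.2f} FUM={score:.1f}")
```

Under this weighting a 10 requires every device to be free of known vulnerabilities, every device to run the latest version, and no unfixed vulnerabilities at all.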

According to the researchers, the main reason behind the lack of security on Android devices is poor manufacturers’ policies when it comes to providing regular security updates. Among their recommendations is installing apps exclusively from Google Play Store, although “recent Android security problems have shown that this is not enough to protect users”.

InfoQ has spoken with Daniel Thomas to better understand the outlook for Android security and the meaning of the FUM score.

Your study found that 87% of all devices running Android over the last four years are vulnerable. Though, from the graph released with your paper, it seems that only very few devices are safe over the last two years.

This change relates to the more regular discovery of vulnerabilities (or at least the more regular inclusion of discovered vulnerabilities in our database) rather than a change in the updating behaviour of manufacturers. That might be the case, but the opposite might also be true, hard to tell. The industry is making a lot of effort to improve things at the moment so I am optimistic that things will get better going forward.

The best manufacturer in your study, Google, got a FUM score of 5.2. Is that a fair score to get for a manufacturer? How hard would it be for Google, or any other manufacturer, to get a 10 out of 10?

I think I would call that a mediocre score. It would be difficult for a manufacturer to get a score of 10/10. For example, they would need to keep shipping updates to all their devices for several years after the release of the devices. They would also have to be very quick at creating and testing security updates, not impossible but it would require better processes than most manufacturers appear to have at present.

Are you planning to carry through the same kind of study on iOS or other mobile platforms as well?

We don’t currently have access to the data on iOS necessary to carry out the study. We suspect that iOS might come out with a better score as it appears to get more regular updates for a longer period than Android. Hard to tell for sure.

The researchers also set up a web site where they provide all relevant details about their study, including a machine readable listing of all vulnerabilities.
