
Cambridge Study Analyzes State of Android Security


Researchers at the University of Cambridge have carried out an extensive study assessing security across Android devices, Android versions, and years. Their findings show that, averaged over the last four years, 87% of Android devices were vulnerable.

The University of Cambridge study focused on critical vulnerabilities that allow an app, either malicious or compromised, to gain root privileges. The researchers based their methodology on volunteers from across the globe providing data through an app they developed, Device Analyzer.

Proportion of devices running vulnerable versions of Android

Daniel Thomas, lead author of the study, clarified that the results are based on data collected from over 20,000 devices and that his group is looking forward to recruiting even more contributors. The data coming from volunteers’ devices is combined with available information about known vulnerabilities to produce a FUM score for each manufacturer. The FUM score takes into account the proportion of devices free from known vulnerabilities, the proportion of devices running the latest Android version, and the mean number of vulnerabilities that a given manufacturer has not fixed on a given device. This gives a score between 0 and 10 that measures how well different manufacturers are doing. At the top of the scale are Google, LG, and Motorola, with scores of 5.2, 4.0, and 3.1 respectively. Samsung, Sony, and HTC follow with scores around 2.5.
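To make the metric concrete, the following Python is an added example (not code from the study, and not the researchers' own implementation): it aggregates constructed per-device observations into the three FUM components named above (f: proportion free of known vulnerabilities, u: proportion on the latest version, m: mean number of unfixed vulnerabilities) and combines them into a 0 to 10 score. The page gives only the components, so the weights 4, 3 and 3 and the logistic decay applied to m are an assumption about the combination; the manufacturer names, version strings and vulnerability counts in the sample are constructed.

```python
"""FUM-style manufacturer scoring over constructed per-device data (added example)."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the version treated as "latest" when computing u.
LATEST_VERSION = "5.1.1"


@dataclass
class DeviceObservation:
    manufacturer: str
    os_version: str      # Android version the device reported
    unfixed_vulns: int   # known critical vulnerabilities affecting that build


# Constructed sample, not drawn from the study's dataset.
SAMPLE = [
    DeviceObservation("Acme", "5.1.1", 0),
    DeviceObservation("Acme", "5.1.1", 0),
    DeviceObservation("Acme", "4.4.4", 2),
    DeviceObservation("Acme", "4.1.2", 5),
    DeviceObservation("Zed", "4.4.4", 2),
    DeviceObservation("Zed", "4.4.4", 2),
    DeviceObservation("Zed", "4.0.4", 7),
]


def fum_components(devices):
    """Return (f, u, m) for a list of observations of one manufacturer."""
    n = len(devices)
    if n == 0:
        raise ValueError("no observations")
    f = sum(1 for d in devices if d.unfixed_vulns == 0) / n
    u = sum(1 for d in devices if d.os_version == LATEST_VERSION) / n
    m = sum(d.unfixed_vulns for d in devices) / n
    return f, u, m


def fum_score(f, u, m):
    """Combine the components into a 0..10 score.

    Assumed weighting: 4*f + 3*u + 3*g(m), where g(m) = 2/(1+e^m) is 1 at
    m = 0 and decays towards 0, so each extra unfixed vulnerability costs
    less than the previous one. A manufacturer with every device clean and
    on the latest release scores exactly 10.
    """
    return 4 * f + 3 * u + 3 * (2 / (1 + math.exp(m)))


def scores_by_manufacturer(devices):
    """Group observations by manufacturer and score each group."""
    groups = defaultdict(list)
    for d in devices:
        groups[d.manufacturer].append(d)
    return {name: fum_score(*fum_components(obs)) for name, obs in groups.items()}


def ranking(devices):
    """Manufacturers ordered from best to worst score."""
    scores = scores_by_manufacturer(devices)
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    for name, score in scores_by_manufacturer(SAMPLE).items():
        f, u, m = fum_components([d for d in SAMPLE if d.manufacturer == name])
        print(f"{name}: f={f:.2f} u={u:.2f} m={m:.2f} score={score:.2f}")
```

Note that f and u are proportions of devices, so a manufacturer is penalised for old devices it has stopped updating even if its newest model is fully patched, which is the effect Thomas refers to when he says a 10/10 would require shipping updates to all devices for several years.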

According to the researchers, the main reason behind the lack of security on Android devices is manufacturers’ poor policies when it comes to providing regular security updates. Among their recommendations is installing apps exclusively from the Google Play Store, although “recent Android security problems have shown that this is not enough to protect users”.

InfoQ spoke with Daniel Thomas to better understand the outlook for Android security and what the FUM score means.

Your study found that 87% of all devices running Android over the last four years are vulnerable. However, from the graph released with your paper, it seems that only very few devices have been safe over the last two years.

This change relates to the more regular discovery of vulnerabilities (or at least the more regular inclusion of discovered vulnerabilities in our database) rather than a change in the updating behaviour of manufacturers. That might be the case, but the opposite might also be true, hard to tell. The industry is making a lot of effort to improve things at the moment so I am optimistic that things will get better going forward.

The best manufacturer in your study, Google, got a FUM score of 5.2. Is that a fair score to get for a manufacturer? How hard would it be for Google, or any other manufacturer, to get a 10 out of 10?

I think I would call that a mediocre score. It would be difficult for a manufacturer to get a score of 10/10. For example, they would need to keep shipping updates to all their devices for several years after the release of the devices. They would also have to be very quick at creating and testing security updates, not impossible but it would require better processes than most manufacturers appear to have at present.

Are you planning to carry out the same kind of study on iOS or other mobile platforms as well?

We don’t currently have access to the data on iOS necessary to carry out the study. We suspect that iOS might come out with a better score as it appears to get more regular updates for a longer period than Android. Hard to tell for sure.

The researchers also set up a website where they provide all relevant details about their study, including a machine-readable listing of all vulnerabilities.
