Android Smartphone Security Continues to Cause Concern

How Secure is an Android Smartphone?

Android Smartphone security continues to cause concern, even after Google’s decision to start issuing monthly security updates for the Android platform. Fears about Android device security were not alleviated by a new University of Cambridge (UK) study (partially funded by Google) which suggests that despite the new monthly security updates, 87.7% of Android Smartphones contain at least one critical security vulnerability.

Study Confirms Serious Android Smartphone Security Issues

The study involved researchers collecting version numbers and build numbers of over 20,400 devices, via the Device Analyzer App available through Google Play Store. Each phone was also tested against 13 known “critical” security vulnerabilities.

The study looked at different Android mobile phone manufacturers and assessed the security of the devices, revealing there are considerable differences in the degree of protection offered to users. Each manufacturer was assigned a security score by the research team, the calculation of which involved an analysis of a number of different factors, including the speed at which device manufacturers rolled out Google Android Smartphone security updates. Not all mobile phone manufacturers are quick to address security flaws in the devices.

Nexus Smartphones Determined to be the Most Secure Android Devices

The Smartphone security assessment was conducted on a wide range of phones, including some of the leading manufacturers of Android phones (with some notable omissions). LG, Samsung, Sony, HTC, Motorola and Nexus were all put to the test, yet Huawei, Xiaomi, and Lenovo were not, even though they are three of the top ten brands worldwide. China, which does not permit Google Play, was also excluded from the study.

Of the brands tested, each was given a security rating out of 10. Nexus, perhaps unsurprisingly, received the highest security score of 5.2. In second place was LG with a score of 4.0, and Motorola was third with a rating of 3.1.

Samsung was awarded a particularly low score and came in fourth place with 2.1. Sony was second to last with HTC bottom of the list of major manufacturers. One of the reasons HTC scored so badly was the decision made by the phone manufacturer not to roll out the monthly Google updates. It deemed this to be impractical due to carrier testing, which is bad news for any user of an HTC phone. Samsung, which has a 38% share of all Android phone sales, received a reasonably low score even though the popular phone manufacturer has taken the decision to roll out the monthly Google updates.

One problem that exists with mobile phone security is that even though some Android phone manufacturers have agreed to roll out updates to incorporate Google bug fixes, security updates are slow to roll out. Most Android phones will therefore be at least one version behind, probably two, and that means the phones will always contain security vulnerabilities, and if vulnerabilities exist, they can be exploited.


Why is the Android Platform Insecure?

Google may be issuing security fixes for Android, but that is only part of the story. An Android phone will usually have two different systems installed. There is the Google Android OS, but also an interface installed by the original equipment manufacturer (OEM). Then there are the apps on the phones, some of which come from Google, while others are installed by the OEM. When Google issues security updates, it doesn’t mean that the OEM will also issue fixes for its own system and apps.

The reason Nexus mobile phones were rated so highly is because the phones are updated directly by Google. Every time Google releases a major Android update, which is approximately every 6 months, Nexus phones will be the first to receive it, although even with Nexus there is a two-week delay. Smaller bug fixes, such as the monthly security updates, will also be installed rapidly.

It is only after the monthly (or 6-monthly) update is issued by Google that many phone manufacturers get to work on their own interface and apps. This means that there is a time delay before those updates are issued, which can take around 3-6 months. During that time, the phone will potentially be vulnerable to attack and will never be totally up to date. Add to that the fact that some phone models are rapidly discontinued. It is unlikely that they will ever be updated.

Furthermore, once the updates are finally all ready for release, there is a further delay caused by mobile phone carriers, many of which are not quick to roll out the updates. Verizon and AT&T have been known to delay, in some cases, up to 6 months.

If a phone is changed every two years or so, it is possible that it may only have been updated once during its lifetime. This is a problem not suffered by Apple users, and to a lesser extent owners of Nexus phones.

How to Ensure Your Smartphone is Secure

The take-home message from this recent survey is that if you want the most secure Android Smartphone, choose Google Nexus (says Google). If you want the most secure BYOD policy, ban all devices other than Nexus and Apple. It has to be said that this is not the most practical or workable solution. If you plan to supply devices to your healthcare professionals, Apple are the most secure devices, followed by Nexus, then LG, then Motorola. You may want to reconsider supplying HTC phones if you value the privacy of your patients.

Fortunately, while this study may paint a bleak picture, it is unlikely that hackers will be able to take control of a device without at least some user input. The key to making BYOD devices and Smartphones more secure is to be security conscious and not to take risks. For healthcare providers operating BYOD schemes, it is essential that any individual bringing their own device to work is made fully aware of the organization’s security policies and receives security awareness training. It may not be possible to make all devices 100% secure and eradicate all risk, but it is possible to reduce that risk to an acceptable level.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.