Roughly 85 percent of Android devices have been exposed to one of 13 critical vulnerabilities that plague the operating system – and because of a chronic failure by carriers to issue patches, many linger without getting fixed for far too long, researchers said.
Especially in the wake of Stagefright, the disparity between how carriers apply Android patches has been well documented – some devices remain vulnerable for months, others years. Now researchers are assigning numbers to each company to identify just who’s better protecting users, in hopes that it serves as an incentive for them to deliver more prompt fixes.
Three researchers at the University of Cambridge came up with a scorecard for Android devices they’re calling a FUM score. The score is a number from zero to 10 that breaks down how often manufacturers and network operators are patching their devices.
The researchers, Daniel Thomas, Alastair Beresford, and Andrew Rice, presented their work Monday at a conference, the 2015 ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, in Denver, Colorado.
Across the ecosystem as a whole, the researchers claim Android manufacturers could stand to do a lot better. On average they scored 2.87 out of 10 according to a paper that accompanies their research, “Security Metrics for the Android Ecosystem.” (.PDF)
The three gathered information for their research from 21,713 devices through an app, “Device Analyzer” that’s been on Google Play since 2011.
According to Thomas, the app doesn’t scan for vulnerabilities but it does collects information about the device and the use of the device. By looking at the OS version and build number, the researchers can match OS versions against known vulnerabilities on the day the device was running that version.
“We can use the build number to work out when the particular build of Android was produced (by recording when we first observed that build number) and hence detect backports that might have fixed vulnerabilities,” Thomas told Threatpost.
While the researchers have aggregated 32 critical vulnerabilities to date, they only used 13 – bugs that affect all Android devices – to plot the graph below. According to Thomas, on average the researchers found that 85 percent of the devices it monitored were vulnerable to at least one critical vulnerability.
Google announced in August that it would begin sending Nexus owners over-the-air updates monthly to better protect users from emerging vulnerabilities and attacks. While the researchers’ study ended in July, Nexus devices still scored higher than the others, garnering a 5.17 FUM score. Other manufacturers who claim they’re working on pushing out more frequent security updates, like LG and Samsung scored a 3.97 and 2.75 respectively.
The researchers’ FUM score takes into account the proportion of devices that are free from critical vulnerabilities over time (f), the proportion of devices that run the latest updated version of Android shipped by the manufacturer (u), and the mean number of outstanding vulnerabilities affecting devices not fixed on devices shipped by a manufacturer (m). The researchers hope the metric, which they’ve been working on for four years, can eventually correlate to the security of Android devices on a more widespread level.
The researchers note that the sheer lack of updates Android devices receive on average, just 1.26 updates a year, was part of what drove them to look deeper at the environment. They hope however that by quantifying the problem they can eventually help customers when it comes to choosing a device and pressure manufacturers and operators to deliver updates more consistently.
“There is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not,” the researchers write.
Given the the recent Stagefright news, Thomas is hoping the group’s research was published at a time when manufacturers are growing more sensitive to security news. But while the researchers have spoken to officials from some device manufacturers – and plan to have further meetings – Thomas believes it’s too early to know exactly what the impact of their research will be.
“We are hopeful that this work will improve the Android ecosystem by providing and economic incentive to improve security but only time will tell.”