MUMBAI, INDIA: Google Nexus has emerged as the most secure Android-based device, according to new research from the University of Cambridge.
The research has revealed that almost nine out of ten Android devices aren't protected against major security vulnerabilities. The researchers alleged that many device manufacturers do not provide regular security updates to their line of Android handsets, but were quick to point out that some manufacturers were more effective in providing security updates than others.
The researchers compared manufacturers using FUM, a score out of ten based on three factors: the proportion of devices free from critical vulnerabilities, the proportion of devices updated to the most recent version, and the number of vulnerabilities the manufacturer has not yet fixed.
Google's line of Nexus-branded devices scored 5.2 out of 10, LG scored 4, Motorola 3.1, Samsung 2.7, while Sony and HTC both scored 2.5 out of 10, according to the study.
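As an added illustration, not code or data from the Cambridge study itself, the following Python computes the three FUM components described above from a constructed fleet snapshot and combines them into a score. The 4/3/3 weights and the logistic term for the unfixed-vulnerability count are taken from the researchers' published paper rather than from this article, so treat them as an assumption; the vendors, versions and bug labels V1..V3 are placeholders.

```python
import math

# Constructed fleet snapshot (not real telemetry): one record per device seen
# in the wild. "vulns" lists the known critical bugs the device's current
# firmware is still exposed to; V1..V3 are placeholder labels, not real ids.
DEVICES = [
    {"maker": "VendorA", "version": "6.0", "vulns": []},
    {"maker": "VendorA", "version": "6.0", "vulns": []},
    {"maker": "VendorA", "version": "5.1", "vulns": ["V1"]},
    {"maker": "VendorA", "version": "5.0", "vulns": ["V1", "V2"]},
    {"maker": "VendorB", "version": "6.0", "vulns": ["V3"]},
    {"maker": "VendorB", "version": "5.1", "vulns": ["V1", "V3"]},
    {"maker": "VendorB", "version": "5.0", "vulns": ["V1", "V2", "V3"]},
    {"maker": "VendorB", "version": "5.0", "vulns": ["V1", "V2", "V3"]},
]
KNOWN_VULNS = {"V1", "V2", "V3"}   # the critical bugs being tracked
LATEST_VERSION = "6.0"             # most recent Android release in this snapshot

def fum_components(devices, maker):
    """Return (f, u, m) for one manufacturer from the fleet snapshot."""
    fleet = [d for d in devices if d["maker"] == maker]
    # f: share of the maker's devices exposed to none of the known bugs
    f = sum(1 for d in fleet if not d["vulns"]) / len(fleet)
    # u: share of the maker's devices already on the latest version
    u = sum(1 for d in fleet if d["version"] == LATEST_VERSION) / len(fleet)
    # m: bugs the maker has not fixed on *any* of its devices. Simplifying
    # assumption: a bug counts as fixed once at least one device is free of it.
    m = sum(1 for v in KNOWN_VULNS if all(v in d["vulns"] for d in fleet))
    return f, u, m

def fum_score(devices, maker):
    """FUM = 4f + 3u + 3 * 2/(1 + e^m); weights assumed from the 2015 paper."""
    f, u, m = fum_components(devices, maker)
    return 4 * f + 3 * u + 3 * (2 / (1 + math.exp(m)))

def rank_makers(devices):
    """Manufacturers ordered from best to worst FUM score."""
    makers = sorted({d["maker"] for d in devices})
    return sorted(((fum_score(devices, mk), mk) for mk in makers), reverse=True)

if __name__ == "__main__":
    for score, mk in rank_makers(DEVICES):
        f, u, m = fum_components(DEVICES, mk)
        print(f"{mk}: FUM={score:.2f}  f={f:.2f} u={u:.2f} m={m}")
```

Note that VendorA has fixed every tracked bug somewhere (m = 0) yet half its fleet is still exposed (f = 0.5), which is exactly the update-pipeline gap the article goes on to describe.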
"Google has done a good job at mitigating many of the risks," said Dr Alastair Beresford, a researcher. "We recommend users only install apps from Google's Play Store since it performs additional safety checks on apps. Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Phones require updates from manufacturers, and the majority of devices aren't getting them."
The researchers at the University of Cambridge analysed data from over 20,000 Android devices. On average, an Android device receives 1.26 updates per year.
The researchers found that 87 percent of Android smartphones and tablets are vulnerable to at least one of the 11 major bugs revealed in the last five years, such as the recently uncovered Stagefright.
Where’s the glitch?
According to the research note, when Google prepares an Android software update, it distributes it to manufacturers such as LG and Samsung.
These manufacturers then have to apply the changes to their version of Android, and test for device compatibility. More often than not, each Android phone will run a slightly different version of the operating system. A Samsung Note 5 sold via Telstra will have different software than one sold via Vodafone or Optus.
After these updates have been completed, they are then sent to the respective telco for testing. After the telco has finished testing it, they will then deploy the update to their customers. The testing process itself can take a number of weeks.
Because of this, some Android devices never receive software updates, said ethical hacker and director of security firm Whitehack Adrian Wood.
But the Apple strategy is better:
"The way Android handles security updates is very different to Apple," Wood told CyberShack when discussing Stagefright earlier in the year. "If an equivalent bug to Stagefright was found on iOS, Apple could just push an update to every iPhone and protect them within 48 hours of it being discovered. Android handles updates slightly differently. The Android source code goes out to manufacturers and they make tweaks and play around with the code a bit and launch it out on a phone. So when a bug is found, Google can patch the Android source code and push it out to Samsung, but then Samsung has to make it work on their phones."