For those watching the Android ecosystem, it is plain to see that the mobile OS suffers heavily from a casual security policy. However, the number of devices that are actually vulnerable to known security flaws can be hard to pinpoint. A University of Cambridge study has found that 87.7% of active Android devices are vulnerable to at least 1 of 11 serious known exploits.
Starting from 2011, the University used Device Analyzer to survey over 20,400 Android devices, collecting their version and build information. By comparing each device's version against the dates on which vulnerabilities were discovered and fixed, it turned out that only a small portion of the ecosystem was secure or maybe secure (running a build that could carry a specialised fix).
Much of the blame for this situation appears to rest with the OEMs. By considering the proportion of devices without vulnerabilities (Free), the proportion running the latest version (Update), and the average number of vulnerabilities on unpatched devices (Mean), the researchers came up with a FUM score out of 10. Given the lacklustre effort OEMs put into their updates, it is not surprising that every OEM scored below 5. Even the famed Nexus phones fared little better at a measly 5.3, with the closest OEM, LG, coming in at 4.
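The classification the study performs, version and build data checked against known vulnerability fix versions to produce the Free, Update and Mean inputs, can be reproduced over a device inventory. The example below is added here and is not the study's code or Device Analyzer; the vulnerability table and device records are constructed, and the rule that a vendor-backported fix makes a device "maybe secure" is an assumption about how such fixes are recorded.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch), compared lexicographically


@dataclass
class Vuln:
    name: str
    first_affected: Version  # inclusive
    fixed_in: Version        # first mainline version carrying the fix


@dataclass
class Device:
    model: str
    version: Version
    backported: FrozenSet[str] = field(default_factory=frozenset)  # vulns closed by an OEM-specific patch


def parse_version(text: str) -> Version:
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def outstanding(device: Device, vulns: List[Vuln]) -> List[str]:
    """Vulnerabilities the device is still exposed to: version inside the affected range and no backport recorded."""
    return [v.name for v in vulns
            if v.first_affected <= device.version < v.fixed_in and v.name not in device.backported]


def classify(device: Device, vulns: List[Vuln]) -> str:
    """'secure': every fix present in the mainline version; 'maybe secure': only closed by backports (assumed rule)."""
    if outstanding(device, vulns):
        return "insecure"
    in_range = [v.name for v in vulns if v.first_affected <= device.version < v.fixed_in]
    return "maybe secure" if in_range else "secure"


def fum_inputs(devices: List[Device], vulns: List[Vuln], latest: Version) -> Tuple[float, float, float]:
    """Free = share with nothing outstanding; Update = share on the latest version; Mean = average outstanding on unpatched devices."""
    counts = [len(outstanding(d, vulns)) for d in devices]
    free = sum(1 for c in counts if c == 0) / len(devices)
    update = sum(1 for d in devices if d.version == latest) / len(devices)
    unpatched = [c for c in counts if c > 0]
    mean = sum(unpatched) / len(unpatched) if unpatched else 0.0
    return free, update, mean


# Constructed sample data: three vulnerabilities and a five-device fleet (not from the study).
VULNS = [Vuln("VULN-A", (4, 0, 0), (4, 4, 0)),
         Vuln("VULN-B", (4, 1, 0), (5, 0, 0)),
         Vuln("VULN-C", (2, 3, 0), (5, 1, 0))]
LATEST = parse_version("5.1.0")
FLEET = [Device("d1", parse_version("5.1.0")),
         Device("d2", parse_version("5.0.0")),
         Device("d3", parse_version("4.4.2")),
         Device("d4", parse_version("4.4.2"), frozenset({"VULN-B", "VULN-C"})),
         Device("d5", parse_version("4.1.2"))]

if __name__ == "__main__":
    for d in FLEET:
        print(d.model, classify(d, VULNS), outstanding(d, VULNS))
    print("F, U, M =", fum_inputs(FLEET, VULNS, LATEST))
```

Run over a real MDM export, the same three numbers show which models in a fleet are carrying the most unpatched flaws and for how long.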
With OEMs generally patching only flagship devices, and not even those for long, it looks like the Android ecosystem needs an overhaul to address security. With Google offering only 3 years of patches from launch, even the Nexuses could do much better. As devices last longer and longer, the Android ecosystem should consider security updates for at least 3 years after a device was last sold officially. Until Android changes to make security patches easier to deliver, it is unlikely OEMs will put in the effort to ensure long-term security.