How safe is that Android phone in your pocket? Not very.
A whopping average of 87.7 percent of Android devices are exposed to known critical vulnerabilities, according to a new study from the University of Cambridge.
Cambridge researchers studied devices through a Device Analyzer app, which looked at 20,400 Android devices over a four-year period, testing them for known major vulnerabilities, some of which were years old.
Most phones failed the test.
This is how bad @Android security really is? http://t.co/R32CeLVshK Google can/should do more to "encourage" the $vendors to update longer
— Victor Julien (@inliniac) October 9, 2015
The researchers placed the lion’s share of the blame on phone manufacturers that are slow to deliver crucial updates.
“Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices unpatched for long periods,” the paper reads. “We showed that the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.”
The reason for this is simple. While devices manufacturers know when devices are insecure, consumers generally do not.
“Consequently there is little incentive for manufacturers to provide updates,” the researchers concluded.
The best performer was LG by a considerable distance. Their Nexus phones did particularly well on the tests. The Galaxy Nexus, developed by Google and Samsung, did the best of all models.
Smaller manufacturers, like Walton and Symphony, did especially poorly. Of the big players, Asus, HTC, and Sony were at the bottom of the heap.
“The security community has been worried about the lack of security updates for Android devices for some time,” Dr. Andrew Rice said. “Our hope is that by quantifying the problem we can help people when choosing a phone and that this in turn will provide an incentive for manufacturers and operators to deliver updates.”
You can install the Device Analyzer app from Google Play in order to continue the research. And you can find more information at AndroidVulnerabilities.org.
H/T Ars Technica | Illustration by Max Fleishman