Buying a smartphone during the holiday season? Be careful. Some
56 percent of the top 20 smartphones on the market are running
outdated and insecure versions of the Android operating system.
Furthermore, despite the prevalence of two-year contracts with
carriers, most manufacturers cease updating their phones after
they've been on the market for just one year.
Which smartphones are the worst security offenders? A new study
of the world's 20 most popular smartphones found that the least
secure models (in order) are the Samsung Galaxy Mini, HTC Desire,
Sony Ericsson Xperia X10, Sanyo Zio, and HTC Wildfire. Those phones
are followed, still in order of decreasing insecurity, by the
Samsung Epic 4G, LG Optimus S, Samsung Galaxy S, Motorola Droid X,
LG Optimus One, Motorola Droid 2, and HTC Evo 4G.
Of course, some Android smartphones are more secure than others.
In particular, of the top 20 smartphones studied, the most secure
were the Samsung Nexus S, HTC Droid Incredible, Samsung Galaxy S2,
HTC Sensation, and the T-Mobile G2.
To assemble that list, researchers at security vendor Bit9
looked at the top 20 smartphones by market share--as of Oct., 26,
2011--and then ranked them based on which ones were running the
most out-of-date and insecure software, and which had the slowest
update cycles. It subtracted further points for carriers that
released updates via their support forums--requiring users to jump
through hoops with a manual download, followed by unzipping the
file and having to root their phone--rather than pushing updates
automatically, over the air.
Updating the operating system quickly is key, since many
smartphone attacks come by way of malicious applications that
exploit known operating system vulnerabilities. That's how the
DroidDream malware seen earlier this year spread so rapidly.
Ultimately, Google used its "kill switch" to remove the malware
from about 300,000 phones, and released a new version of Android
that blocks the attack. But almost none of the top 20 smartphones
reviewed by Bit9 last month had yet been updated by carriers or
manufacturers to the newer, safer version of Android.
As that suggests, don't blame poor smartphone security on users
failing to install updates. In fact, the Bit9 report places the
blame fully on phone manufacturers--for failing to release timely
updates--as well as on telephone carriers who insist on "skinning"
their versions of Android, which may introduce entirely new
vulnerabilities, and which invariably delays updates. Indeed, 56
percent of the top 20 Android smartphones now run a version of the
operating system--Android 2.2 and earlier--that's at least 18
months out of date.
Furthermore, after Google released a new version of Android, it
took manufacturers and carriers another 198 days, on average, to
actually get it onto their handsets. "The problem with Android is
that the distribution of their updates, the responsibility falls on
the manufacturer, not on Google," said Harry Sverdlove, CTO of
Bit9. "The metaphor I used to use was it would be akin to buying a
personal computer from Dell, and having Dell be responsible for
updating Windows for you."
But he said the smartphone situation is even more opaque now,
because manufacturers vary their release schedule based on
different carriers, and may--Sverdlove has no hard evidence for
this, he's only heard rumors--even charge carriers for releasing
updates. Meanwhile, carriers typically ship smartphones with
versions of Android that are already six months out of date, and
then delay or even fail to release updates, based on cost or
geographical considerations. "So it would be akin to buying a PC
from Dell, and having Dell work with your Internet service
provider, and having the combination of those two controlling when
you get software updates," he said. "And it would be complete
chaos."
While the top 12 most vulnerable phones share a commonality--they
all run flavors of Android--Sverdlove stressed that the report
isn't meant to be read as a "who's more secure?" contest. "We're
not saying that Android is more vulnerable than iOS; all operating
systems have vulnerabilities," he said. "And iOS actually has more
than Android in terms of known vulnerabilities, which are logged in
the National Vulnerability Database."
Furthermore, Android now commands 52.3 percent of the worldwide
smartphone market, according to Gartner Group. All told, 60 million
Android smartphones shipped in the third quarter of this year, it
said, compared with 20 million Symbian handsets, and 17 million
iPhones. Accordingly, there are simply more Android phones at
large.
But Bit9 did award the iPhone 4 and earlier models an honorary
thirteenth place on its most-vulnerable list. Because the iPhone 4S
features over-the-air updates, it's not included. Based on highly
anecdotal evidence--a local news station's interview with an
employee at an Apple Genius Bar--cited by Sverdlove, about 50
percent of pre-iPhone 4S users may have never docked their device,
meaning that post-purchase, they would never have updated it. But
it's tough to judge how iPhone security stacks up against Android
security, especially since Apple didn't release iOS adoption rates
before version 4.
On the plus side, however, at least one-third of iOS users are
now on version 5, even though it was only released about a month
ago. On the downside, however, "if you happen to be one of the
owners of the original iPhone or iPhone 3, they've been 'end of
lifed'--they're orphaned and don't get updates," he said. With
obsolescence comes decreasing security, no matter the make or model
of smartphone.
Source:
InformationWeek USA