Security Risks of Unpatched Android Software

A lot has been written about the security vulnerability resulting from outdated and unpatched Android software. The basic problem is that while Google regularly updates the Android software, phone manufacturers don't regularly push updates out to Android users.

New research tries to quantify the risk:

We are presenting a paper at SPSM next week that shows that, on average over the last four years, 87% of Android devices are vulnerable to attack by malicious apps. This is because manufacturers have not provided regular security updates. Some manufacturers are much better than others however, and our study shows that devices built by LG and Motorola, as well as those devices shipped under the Google Nexus brand are much better than most. Users, corporate buyers and regulators can find further details on manufacturer performance at AndroidVulnerabilities.org.
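As an added example, not part of the original post or of the AndroidVulnerabilities.org study, here is the kind of check a corporate buyer could run over their own fleet rather than relying on the paper's manufacturer-wide figures: parse the `getprop` output from each managed device, read its security patch level, and report the share of devices that are not current, per manufacturer. Assumptions not taken from the page: the Android 6.0+ property `ro.build.version.security_patch` holds the patch level as YYYY-MM-DD, a build that lacks it is treated as unpatched, a device counts as "stale" after 90 days, and the device records are constructed sample data. The 90-day threshold is a policy choice, not the paper's metric.

```python
"""Added example (not from the original post or the cited study): rank a fleet of
Android devices by how stale their security patch level is, from `getprop` output.

Assumptions, not taken from the page: the Android 6.0+ property
ro.build.version.security_patch holds the patch level as YYYY-MM-DD, builds that
lack it count as unpatched, and a device older than MAX_AGE_DAYS is "stale".
The device records below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90                     # assumed policy threshold; tune for your fleet
REFERENCE_DAY = date(2015, 10, 21)    # date of the post, used as "today" in the demo

# Constructed sample of `adb shell getprop` output for four devices (assumed values).
SAMPLE_DEVICES = {
    "dev-a": "[ro.product.manufacturer]: [LGE]\n"
             "[ro.build.version.release]: [6.0]\n"
             "[ro.build.version.security_patch]: [2015-10-01]\n",
    "dev-b": "[ro.product.manufacturer]: [samsung]\n"
             "[ro.build.version.release]: [5.0.1]\n"
             "[ro.build.version.security_patch]: [2015-06-01]\n",
    "dev-c": "[ro.product.manufacturer]: [samsung]\n"
             "[ro.build.version.release]: [4.4.2]\n",          # no patch level reported
    "dev-d": "[ro.product.manufacturer]: [motorola]\n"
             "[ro.build.version.release]: [6.0]\n"
             "[ro.build.version.security_patch]: [2015-09-01]\n",
}

# getprop prints one "[name]: [value]" pair per line
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `getprop` lines into a dict; malformed lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_level(props):
    """Return the security patch level as a date, or None if absent or unparseable."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def classify(props, today, max_age_days=MAX_AGE_DAYS):
    """'current' if patched within max_age_days, 'stale' if older, 'unpatched' if no level."""
    level = patch_level(props)
    if level is None:
        return "unpatched"
    return "current" if (today - level).days <= max_age_days else "stale"


def fleet_report(devices, today, max_age_days=MAX_AGE_DAYS):
    """Per-manufacturer share of devices that are not current, plus an 'all' total."""
    counts = defaultdict(lambda: [0, 0])  # manufacturer -> [exposed, total]
    for text in devices.values():
        props = parse_getprop(text)
        vendor = props.get("ro.product.manufacturer", "unknown").lower()
        exposed = classify(props, today, max_age_days) != "current"
        for key in (vendor, "all"):
            counts[key][0] += int(exposed)
            counts[key][1] += 1
    return {v: exposed / total for v, (exposed, total) in counts.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_DEVICES.items():
        print(f"{name}: {classify(parse_getprop(text), REFERENCE_DAY)}")
    for vendor, share in sorted(fleet_report(SAMPLE_DEVICES, REFERENCE_DAY).items()):
        print(f"{vendor:10s} exposed: {share:.0%}")
```

In practice the `getprop` text would come from `adb shell getprop` or an MDM inventory export; the classification is deliberately conservative, so a device that cannot report a patch level at all is counted as exposed rather than silently dropped.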

Posted on October 21, 2015 at 6:22 AM • 31 Comments

Comments

Moshe Y • October 21, 2015 7:49 AM

Android security updates on my T-Mobile Android Galaxy S4 have a terrible user interface. My phone presents a logo of a shield in the top bar of the home screen; it tells me security updates are needed; and if I click on it, I get the usual corporate blather about an update.

Unfortunately the update notifications do *not* tell me what app is attempting to install the update. That is, I see the logo but I have absolutely no idea of which app presented the logo; for all I know, if I grant this update I will install a trojan on my phone. I can't even relate the logo to any app on the phone.

So there are two parts to this at least: one is the lack of patches, and the other is that the security updates, at least on T-Mobile, present no method to authenticate the update.

P.S. One of the default security apps on the T-Mobile phone just couldn't shut up: it would periodically boast in the notification bar about how much work it had done that week. I realize that the app developers want to boast about their product, but it was an astonishing and unnecessary intrusion.

Sasparilla • October 21, 2015 7:56 AM

@Conan, yes CyanogenMod for updates, but it seems like every different phone model has features that don't work correctly or at all on CyanogenMod, besides the fact that it's not something a normal user would even know about, let alone root(?) install.

JMHO, but the update model of vendor-based Android phones (and Windows Phones, which share the same broken update process: OS manufacturer to phone manufacturer to mobile provider to user) was not designed for the mobile security threat environment we exist in today. Nexus, direct from Google, is the way to go for normal users on Android if Android and security updates are important (even then they'd need to be guided by tech-proficient friends to get them).

Google (& Microsoft) need to fix their mobile OS security update process so that it works like Apple's iOS or Microsoft's desktop OS update process and is independent of phone and mobile vendors. Google also needs to promise updates for longer than 2 years, as Apple's support is much longer and the phone's performance isn't ready to throw away after 2 years now.

Wilton Masiel • October 21, 2015 8:29 AM

That graph displaying vulnerable vs. patched phones has made my nuts shrink.

Personally, I've ditched the cellphone and only use landlines. If you really need to use a cellphone, my advice would be to get yourselves a cheap 2nd hand brick phone from 10 years ago. Old nokias are great, you can step on them or slam them against a wall and they'll still work. Minimal attack surface: no camera, no MMS, no internet connectivity. The batteries last for over a week and the "boot" time is about 2 seconds.

Daniel • October 21, 2015 10:16 AM

You get what you pay for...

I learned this lesson a number of years ago and it's the main reason I stopped using Android. Fundamentally, phone manufacturers are in the business of selling a phone and cell phone providers are in the business of selling a communications service. Since pushing security impacts the bottom line, neither side wants to be responsible for the burden. The manufacturer doesn't want to deal with it because it has sold its phone and pushing security no longer impacts the buying decision. The cell phone providers don't want to deal with it because it has nothing to do directly with the service they provide.

The only reason Apple does is because it fits well with their modus operandi of being control freaks with a closed ecosystem.

Brian S • October 21, 2015 10:24 AM

Apple also has no one else to blame, and has a pretty flat ecosystem.
They are the only manufacturer, and they only put out a very limited number of hardware revisions in a given year.

Compare that to Android that has not only the same kind of OS and hardware issues within a given device model that Apple has... but then have numerous hardware manufacturers (many who have their own custom stuff on top), and then all of that going through a number of carriers... who may require their own custom stuff on top of that.

By the time it gets to the consumer, who do you blame?
Google for not updating?
Samsung/HTC/Sony/LG etc for not providing the update?
Sprint/AT&T/T-Mobile etc for not pushing it?

Who? • October 21, 2015 10:31 AM

@ Bruce:

The basic problem is that while Google regularly updates the Android software, phone manufacturers don't regularly push updates out to Android users.

This is false, Bruce. Google is a company that despises security. The most recent example is that support for one of its flagship products, the Nexus 7 manufactured in 2012 (known as "nakasi"), was withdrawn this summer. Two weeks later the worst vulnerability in Android history ("stagefright") was discovered and they did not even care to release a fix for this two-weeks-out-of-support device.

Even Microsoft (a company I heartily dislike) released a fix for a zero-day discovered one month after Windows XP support ended.

Microsoft, Google, Apple... these ones are companies whose names should not be used in the same phrase as the word "security".

Google is not better than any other lazy Android manufacturers.

wumpus • October 21, 2015 11:41 AM

@Wilton Masiel

Eliminating features means they can't be subverted, but I have to wonder what threats you are really trying to eliminate that a dumb phone avoids. You still have the issue that you are either broadcasting in plaintext or using a known broken cryptosystem.

I suppose it all comes down to how you use it. I'm still wondering what you are afraid of leaking that can't/won't be leaked by a desktop: email is the biggie, deleting the spending tracker is probably next, but anything that connects to the internet is going to be tracked regardless of insecure phone or "secure" desktop.

While I don't have the (nearly required) "connect to Facebook" option set on Runkeeper, I'm not terribly worried that word will leak out about my pathetic jogging. The benefits of a smart GPS device that can track time and distance outweigh the dangers of former-7th-grade-bullies tracking me down and snapping me with wet towels*. On the other hand, I simply don't access my email over the phone. I suppose I should worry that using Runkeeper (and similar) apps on my phone means the thing is virtually always tracking me (I think I've turned that off to save batteries, but can't be bothered to check), but my locations have been too boring to bother keeping private.

Is there a good way to connect a (preferably pre-paid) voice-only connection to a smartphone? This, plus wifi-off (or at least connected only through a really good firewall with phone-specific rules) would seem the best of both worlds. It seems that most carriers (and resellers) simply want to jack the price through the roof once they know you aren't carrying an old brickphone.

* Old Dave Barry joke.

Wael • October 21, 2015 12:24 PM

The reluctance to push updates is partly a factor of the uncertainty of whether the updates shrink or expand the surface of attack.

rgaff • October 21, 2015 12:53 PM

@ wumpus

"My life is too boring to keep private" is a fallacy. Think of it this way: if your phone tracks everywhere you go, even if you think it's pretty hum-drum and boring, what if a crime just happens to be committed somewhere along your route and you don't even know about it. You really want some police detective trying to see what he can dig up to pin it on you?

We all have a far smaller attack surface (from cops trying to pin crimes on us) if we just keep our data private. ALL OF IT. And only release the minimum we need to when we actually see a real benefit from its release that outweighs the drawbacks. Free society depends on us having this ability. Not that we're forced to use it, people are still free to broadcast every minute thought they have all day every day in a free society too, but taking away the freedom to be private is destroying free society.

rgaff • October 21, 2015 1:13 PM

Put another way, free society should ALLOW people to register their whereabouts with the local police department every second of every day if they choose, but it should NOT REQUIRE IT... that would not be freedom any longer, that's coercion. Also it should not make it excruciatingly difficult to opt out either, in fact, the default should be free to live life without constant police scrutiny and supervision of every minutia in life.

Why? • October 21, 2015 1:17 PM

Why do consumers of electronic goods insist on buying stuff from companies that are nonchalant about basic security patches that will protect their millions of users?

It is analogous to the way in which the human cattle are being led timidly into the Windoze 10 slaughter yard - without a care in the world.

Huxley was right, except the soma is the glazed look on the faces of the empty shells as they fixate upon miniature screens like a poker machine addict getting their daily hit. (I'll momentarily ignore the fact that half of Western society also hits benzos and other pharmas daily like crack)

It's a brilliant marketing strategy - just feed the techno-narcissistic traits of the masses with pretty (and over-priced) baubles and they will always cry for more or the latest slimline sweatshop product.

End result: Corporates win with recycled crap products being bought every 18-24 months and the Stasi celebrate the stupidity of mankind in wearing their electronic monitors (with pride no less), 24 hours a day, without the passing of government legislation mandating ID tags.

People really have come to love their oppressors and their manufactured playthings...

rgaff • October 21, 2015 1:43 PM

Also I'd like to say that the idea that a computer program (under police control) "watching" me is not the police themselves watching me, is utter bullshit!! Computer programs are tools, not separate beings. Tools are held in the hands of people. Whoever wrote and/or is using the program IS DOING THE WATCHING, plain and simple.

So if the NSA is searching everyone's data for suspicious activity with a computer program, and sharing the results with the local police... that REALLY IS the NSA and local police themselves monitoring everything about your specific pathetic life that is represented in that data. No matter how hum-drum and boring your life may be, that has NO BEARING on this fact, they're actively monitoring it. This is not free society. This is dictatorship. Free society requires life to be able to be led without such nanny intrusions.

So, you want free society or dictatorship? What will you do about it? Nothing I suppose, because you have enough bread and circuses? (https://en.wikipedia.org/wiki/Bread_and_circuses)

ianf • October 21, 2015 2:04 PM

@ rgaff, no society that I know of disallows people to register with the police their advance whereabouts when so needed… in fact, knowing the hysterical antics of a certain person, I once did so of my own volition when going abroad with my daughter, stating but the destination and length of vacation. The local police put it in their daily ledger just in case of us later being "reported as missing," and that was that. Didn't even have to show the ID, so that could constitute a prank-threat vector!


@ Why? – do consumers of electronic goods insist on buying stuff from companies that are nonchalant about basic security patches that will protect them?

Yeah? So what other options do they have if they need it to do stuff, not to add to their daily worries? None.

wumpus • October 21, 2015 2:20 PM

@rgaff

What is "private data"? Android and Windows (especially 10, but pretty much any Windows) are voracious in grabbing data, but I am no longer convinced that there is any means of keeping data private. Between things like badUSB and Lenovo spyware built into the bios (I suspect it is windows only, but give it time) I'm pretty sure the only way to keep data private is by air gaps (and assume that it can still leak keys). While I am aware of the dangers of trading privacy and security for convenience (reading this blog makes it difficult), you somehow seem to have noticed that it is nearly impossible to make the trade the other way around.

Long, long before 9/11 and the Patriot Act, I noticed that hard drive prices per byte were decaying exponentially and that meant that there really wasn't any reason to delete old data. I also realized that meant any data on me held by others. After that, I paid cash for all books, assuming that if there was one way I could keep myself private it was keeping my reading list private. By the time data mining and the Patriot Act came along, I could be proud and certain that anything I tried to keep secret in my book collection was easily detectable by a quick summary of my search history. You can imagine how less smart I felt after that.

rgaff • October 21, 2015 3:04 PM

@ ianf

Indeed. There are always cases where police "intrusion" into one's life is a benefit that outweighs drawbacks... just we should for the most part be in control of that decision in a free society, and limit it to an absolute minimum by default, not have total dominance over every minutia dictated to us.

@ rumpus

Regarding the searching... just yesterday a friend saw my "startpage" and was like "what the heck is that" and I was like "yeah, well, it's the one that (supposedly) doesn't report all my searches to government agents so they can try to pin crimes on me based on them..." People do "get" short concise explanations like that, they just need to hear them more often. This I believe is the greatest way we can all help fix society, is gently participate in the education of all those around us. Takes time, but we're in it for the long haul.

rgaff • October 21, 2015 3:37 PM

@ wumpus I'm starting to really loathe this spell checker... (changing your name to rumpus without asking me)

Reciprocate • October 21, 2015 4:56 PM

Not asking for flame wars just informed opinions :)


Who makes a well made, "newish" dumb phone these days? Ideally it would have one button "instant erase" for all personal data.


If you can't think of a model - please speculate why manufacturers may believe there is no market for such a critter.

Matthew • October 21, 2015 8:44 PM

Here's a fun one: my new Honda Pilot 2016 has a head unit that runs Android 4.2. That's right - not only is android handling the entertainment stuff and the stereo, it also handles the reverse camera, the door locks, the ABS...

Why indeed • October 21, 2015 9:52 PM

@ ianf re: "Yeah? So what other options do they have if they need it to do stuff, not to add to their daily worries? None."

It is common to rationalize mobile/cellphone use incorrectly as 'essential'.

That is, it has become a societal norm that you be tagged on a 24/7 cycle by your 'smart' (dumb, insecure) phone that is cared for like a baby by most retards.

People must learn to separate necessity from modern convenience. The vast majority of people do not require either:

- social networking;
- professional networks (Linked In etc);
- a mobile/cell phone outside of work (plenty of secure asynchronous comms are available as alternatives) on computers;
- nor Windoze Spyware Pro running on their shitty desktops.

So while they may not have a choice in a secure hand-held device for work purposes, they can certainly choose to limit dimensions of their lives where data is being unnecessarily ex-filtrated by fascists.

Without going full Stallman, the creeps will go largely blind if people make a conscious decision to give a shit about the spying complex and change their behaviors.

So, it's time to stop pretending we don't have a choice: you can feed the Borg and be assimilated fully by wearing your i-gimmick as a necklace round the clock, or you can learn to separate from the Matrix wherever and whenever possible.

The first step in addressing techno-narcissism is admitting you have a problem...

r • October 21, 2015 9:53 PM

sure, CyanogenMod is a reasonable alternative to stock... but please don't forget about the splinter group OmniROM or the EFF's continued vetting of android Replicant.

r • October 21, 2015 10:14 PM

@Wael:

"The reluctance to push updates is partly a factor of the uncertainty of whether the updates shrink or expand the surface of attack."

Really?
I wouldn't believe that for a second... maybe you could try to argue cost/benefit analysis like in the case of, say, General Motors etc... but I really do fail to see "failure to push security updates results in 90% of android phones being vulnerable" as including "expand the surface of attack".

???

Assuming the device tree is frozen and the security patches are backported to a non-current release, er --- OKAY --- MAYBE --- if you're considering an entire ROM/OS version upgrade... but I highly doubt they [moto,lg,samsung,htc] weigh increasing the attack surface as an option against at all, because if they did then they would vet their branded failware trash on the phone itself. [samsung is a good example there]

More than likely the lack of [flashy, full-featured, attack-surface-engorging] 'upgrades' is a means to an end to keep you in the physical upgrade process, like how phone and vehicle companies keep you 'on lease'. It's subtle, subversive, maligned and best practice for companies with little to no liability.

EULAgy[tm/c].

Not releasing security updates? It's most likely just not cost-effective: why divert developers from up-and-coming devices to fix problems that exist in a soon-to-be dwindling market share device? Also: said companies could receive gag-orders to not release patches, I'd think.

Wael • October 21, 2015 11:05 PM

@r,

I see where you're coming from. It depends what "updates" or "patch" means. If the update is limited to patching security vulnerabilities, then maybe you're correct. If "updates" includes new features, then my statement is true. I also said "partly dependent", which implies there are other reasons (resource availability, people who may be working on the next product, etc...). Some updates also need additional integration. When I said "reluctant" I meant not releasing without a regression test / proper QA round. Then there is the MNO too!

Wael • October 21, 2015 11:48 PM

@r,

Missed the rest of your comments...

More than likely the lack of [flashy-full featured attack surface engorging] 'upgrades' is a means to an ends to keep you in the physical upgrade process like how phone and vehicle companies keep you 'on lease

I thought about that a while back. It would seem like a conspiracy between HW manufacturers and OS providers. HW gets faster and more capable, the next release of OS puts the new HW to the limits. Customer upgrades HW, and cycle continues. I thought there is an element of truth to that, but I don't believe that's the case. It's just natural evolution.

why divert developers from up-and-coming devices to fix problems that exist in a soon-to-be dwindling market share device

To avoid brand damage and loss of loyalty.

said companies could receive gag-orders to not release patches i'd think.

"gag-orders" mean "keep silent". If you meant manufacturers are ordered to not release patches by a TLA, which is implied, then I'd say that's unlikely for several reasons. It would also be more manageable to stop the "patch" at the source, wouldn't you say?

There is also another caveat: not all manufacturers have the same process or "vision". That's my bad, I should have stated this in my initial comment.

r • October 22, 2015 4:50 AM

@Wael,

>> To avoid brand damage and loss of loyalty.
Yeah, I still don't believe EOL is anything but -- maybe in the extreme case of some $600 phones. I think the whole loyalty to a fone manu thing is seated around a feeling of the quality of their offerings in hardware; if the bugs aren't a big deal before the next release the 'loyalty' camp will just follow the immediate upgrade path - THIS SPECIFICALLY - may come to a head as offerings mature and maximum performance is reached.

Unfortunately, I couldn't find a proper link - but I seem to recall exclusive holes in the LG Prada device too? I could be desperately in need of some ECC installed in my head though...

>> It would also be more manageable to stop the "patch" at the source,
Point taken. :)

Jarrod Frates • October 22, 2015 10:57 AM

@Why indeed:

"nor Windoze Spyware Pro running on their shitty desktops"

You've just lost the vast majority of potential readers of your opinion who need to be able to figure out their path. When you call it "Windoze", you look like a teenager (and maybe you are) and the rest of your words lose at least part of their value. This is unfortunate as the rest of your post is valuable (if a little paranoid, though not quite to the Stallman level you were explicitly trying to avoid).

Your primary mistake, though, is apparently setting a binary of need vs. convenience. Do I need a cell phone? Not to live, no. But perhaps I need it for on-call work. One might respond that only a pager is necessary, but perhaps alerts are only sent via e-mail, where a pager falls short. I could just stay home and remain remotely connected, but that means I can't leave the house for more than a few minutes while I'm on-call, which might be for a week or more. My employer may not be sympathetic to my "needs" and lay down an ultimatum: carry a phone or lose my job.

While the tracking is a downside, the convenience that you seem to place as a binary opposite has the advantage of freeing us to go about our lives without worrying about missing an emergency call. We may place too much importance on catching certain calls/texts/emails, but that's a personal inability to ignore the device in favor of the now. We can call for help when there's a mechanical failure or accident away from normal view, we can get emergency calls from friends or family when someone is injured or missing, and we can get emergency alerts for weather conditions in the area such as tornadoes or major thunderstorm cells.

Humans strictly need three things: water, food, and protection from the elements. Anything else is a nice-to-have. However, society dictates additional needs, and cell phones and smart phones can help fulfill some of those. The degree to which one allows that to happen is dependent on the individual, and as such is certainly not a binary issue.

k14 • October 22, 2015 7:52 PM

How do you find out where to ask how to uninstall apps that you don't use, that came with your Android phone? Mine is short on memory, which is awkward when installing updates.

r • October 22, 2015 11:04 PM

@k14, you have to root your fone to de-bloat it. Sometimes the shortest [and safest] path in such a case is to just install cyanogen/omnirom/replicant. If you plan to go with a community release from, say, XDA, remember that homebrew roms may or may not be clean solutions, as with the 'commercial' ones.

To answer your question about preloaded bloatware, I think I used to use /system/app remover by j4velin?

Yep, as for other similar software, either verified or unverified - I haven't used them - j4velin's actually offers "safe/unsafe to [re]move" notes prior to removal.

P.S. I make no claim to the safety of j4velin's /system/app remover myself; I have not decompiled or reviewed the source code in the least. :)

