
Why are so many Android devices insecure?

Would you use a computer that received its last security update in 2014? Most of us would probably point to the need for regular Windows updates and an antivirus solution when faced with this question and feel moderately secure (and rightfully so). But what about Android devices? Android runs on over one billion cellphones, tablets and other devices and is fairly secure, provided those devices are running a somewhat current version, which is not always the case.

Small robot, big effect

I recently picked up a seldom used tablet and checked which Android version it was running. It was Android 4.4 which, by today's standards, can be considered antiquated. The device was made by Acer, didn't come cheap and had been left without updates for the past 3 years. I reckon it's safe to say there will be no future updates for this device, even though I'm an optimist. This is not an isolated case: 500 million devices have already dropped out of the update loop. How is it possible that devices are forgotten by their makers only 2 years after release? Why is there no centralized update mechanism like the one present in Windows?

To better understand this issue, we need to take a closer look at what Android is and how the system is distributed. Android is developed by the Open Handset Alliance, a consortium of 84 firms including (you guessed it) Google as the lead developer, and, here's where it gets interesting for manufacturers, it is completely free. By using Android, handset makers avoid major license fees, although they do have to pay a small fee (rumored to be around 75 cents per device) to include certain Google services (like the Play Store). This is acceptable even for entry-level devices. Consequently, manufacturers take the vanilla version of Android and adapt it to their own hardware, e.g. a particular smartphone; this is called porting. In many cases, they will also pre-install their own or partner software and load their devices up with ads. Some even try to brand their products further by forking the operating system and modifying both visuals and features to win customers over.

Regular updates should be a given

Google themselves usually release security updates on a monthly basis and are making every effort to improve the overall security of their system. The number of malware-infected apps in the Play Store is steadily declining, and new security mechanisms are introduced with every major update. Aside from their own software developers, Google also awards over 1 million dollars each year to users who discover and report security flaws to them. But does this really help customers? Most companies worry only about their sales figures and would love for users to "upgrade" to their latest devices as soon as they become available. Even the 2011 agreement that manufacturers would provide their devices with updates for at least 18 months (a ridiculously short time span) had little to no effect. Some of the bigger players follow this "recommendation", but makers of smaller and cheaper models seldom do, mainly for financial reasons. This is all the more absurd and worrisome as older models in particular not only contain dozens of security holes, but those holes are also well known to malware authors.

Things look different in practice. Let's say there's a new Android update that contains critical security patches. Manufacturers will be notified, and from there on the fate of your device is in their hands. Companies that rely on a vanilla version of Android without major modifications will likely roll out the update soon, provided the company is willing. But if the system is heavily modified, it'll take additional testing and cost money, money not all companies are willing to spend (on their customers). Even if a company reacts, it'll usually take weeks, even months, for the "better" companies to provide updates for devices that will most likely still be online in the meantime. Branded cellphones (usually modified to work with a particular network) are a special case, as updates need to pass through their respective mobile carriers first. Carriers love to "forget" prepaid cellphones or at least delay the affected updates for months. The makers of Android have no means of enforcing timely updates through contracts or penalties; they depend entirely on the good will of device manufacturers.
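Whether a particular device is still inside this update loop can be read off the build properties Android exposes through `getprop`. The Python below is an added example, not code from the article or from Ashampoo: it parses pasted `adb shell getprop` output and flags devices whose declared security patch level is missing or older than a chosen threshold. The property names (`ro.build.version.release`, `ro.build.version.sdk`, `ro.build.version.security_patch`) are real Android build properties; the sample devices, the reference date and the 90-day threshold are constructed assumptions for the example.

```python
"""Triage Android devices by declared security patch level.

Added example (not Ashampoo's code). Assumes the caller pastes in the text
printed by `adb shell getprop`; the sample outputs below are constructed.
"""
import re
from datetime import date

# Roughly three monthly bulletins; an assumption for this example, not a standard.
MAX_PATCH_AGE_DAYS = 90

# Reference "today" so results are reproducible; constructed, not the article's date.
REFERENCE_DATE = date(2018, 4, 1)

# getprop prints one property per line: [ro.build.version.release]: [4.4.2]
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

# Constructed sample outputs for three hypothetical devices.
OLD_TABLET = """\
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.product.manufacturer]: [ExampleVendor]
"""
MODIFIED_PHONE = """\
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2016-09-01]
"""
CURRENT_PHONE = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2018-03-05]
"""


def parse_getprop(text):
    """Turn raw getprop output into a dict; lines that don't match are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_age_days(props, today=REFERENCE_DATE):
    """Days since the declared patch level, or None when the device reports none.

    Devices older than Android 6.0 never exposed a patch level at all, so a
    missing property is itself a signal, not a parsing error.
    """
    raw = props.get("ro.build.version.security_patch", "")
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", raw)
    if not m:
        return None
    year, month, day = (int(x) for x in m.groups())
    return (today - date(year, month, day)).days


def assess(props, today=REFERENCE_DATE):
    """Return (verdict, detail) for one device's properties."""
    release = props.get("ro.build.version.release", "unknown")
    age = patch_age_days(props, today)
    if age is None:
        return "unsupported", f"Android {release}: no security patch level reported"
    if age > MAX_PATCH_AGE_DAYS:
        return "stale", f"Android {release}: patch level is {age} days old"
    return "current", f"Android {release}: patch level is {age} days old"


def triage(getprop_text, today=REFERENCE_DATE):
    """Convenience wrapper: raw getprop text in, (verdict, detail) out."""
    return assess(parse_getprop(getprop_text), today)


def triage_fleet(devices, today=REFERENCE_DATE):
    """Map device name -> verdict for a dict of {name: getprop text}."""
    return {name: triage(text, today)[0] for name, text in devices.items()}


if __name__ == "__main__":
    fleet = {"old tablet": OLD_TABLET, "modified phone": MODIFIED_PHONE,
             "current phone": CURRENT_PHONE}
    for name, text in fleet.items():
        verdict, detail = triage(text)
        print(f"{name:15} {verdict:12} {detail}")
```

The check deliberately treats an absent `ro.build.version.security_patch` as its own verdict rather than as "unknown": a device that cannot even state a patch level predates Android 6.0 and has not seen a monthly bulletin in years, which is exactly the Android 4.4 situation described above.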

Easy prey without security updates

However, companies have little incentive to act fast, since many customers pay little attention to the security of their devices and fail to exert pressure. It's the price and feature lists that sell products. As long as everything (seemingly) works, consumers are happy. What is unthinkable in the world of Windows appears to be perfectly fine in the world of Android. It's likely consumers would instantly get their pitchforks ready if Microsoft stopped delivering updates, and yet there have been Android phones that never saw an update but still received high ratings. Luckily, not all companies neglect their products in this way. Motorola, HTC and Sony tend to act quickly; Samsung always takes a little longer to react. Xiaomi takes a different approach and installs their own MIUI system on top of Android, which is constantly being developed and hardened. So even though your device doesn't receive the latest version of Android (the best-case scenario), if it's from Xiaomi, you will still be on the safe side.

It's clear the developers behind Android don't like debating these issues in public. Who'd want to admit that, though your system is steadily improved, these improvements will never make it to many customers? Only spectacular security leaks, like the Stagefright issue that affected Android's media framework and left the system wide open to malware attacks, make it onto the news. That's why, at this very moment, more than half a billion online devices have easily exploitable and well-known security holes. This situation will likely only change once customers develop an awareness of these issues and start pressuring device and software makers into acting accordingly. We need to convince Google to use their tremendous market power in the customer's interest, for once, and device manufacturers to keep their products safely usable for longer time spans. Rumor has it that Google's keeping a list of black sheep. As consumers, it would be interesting to know who's on it.

9 comments
  • R

    The issue of Android custom ROMs raises the question of government involvement or Google for that matter. After using a new phone for a while you'll notice some drawbacks in user friendliness. I regularly, if possible, acquire a custom ROM still in raw stages to change this. I noticed that, despite bugs and lack of finesse, some of these developers are actually DE-bloating everything that is causing you to dislike the phone. In their effort to make the OS better they root the device, simplify background tasks, extend battery life and functionality. After doing so I try to stop updating apps that work just fine. It's particularly stressing to mandatory update apps on old hardware that cannot run properly. Hacks have to be deployed to circumvent this and then you are in the clear. Your device is secure, faster and has no limitations. I recommend trying CyanogenMod ROMs on older hardware.

  • M

    Oh me, oh my, the wondrous world we live in eh?

    I have (had?) a Zopo smartphone... which worked great. Had AVG as my antivirus etc. but got so pissed off with it because it was soooo slow, so clunky, so UgLy!

    My son, who works in a technology service company, suggested I switch to Avast. So I downloaded the app after uninstalling AVG and installed it. And yes, it was through the Play Store. Now it is full of crapware which even my son cannot remove. He stated to me he's quite impressed that they have managed to get this malware apparently into the hardware so it cannot be removed. Even setting it back to factory default doesn't get rid of it. So, I can't afford another smartphone as I have a medical condition and cannot work. Oh, government assistance, called a benefit where I am, and trying to make my way up to a situation known as "struggle street." So I'm using a real cheapo hand-me-down from a different son. A Lenovo which drove me insane and now his Xperia which has been so damaged that some apps (Sudoku particularly) will suddenly not accept finger presses in certain parts/areas of the screen.

    Classic case of Bugger, Bugger, Damn, Damn, Shit, Shit, Shit!!!!

  • J

    The whole system of the internet is flawed, as is TV and other systems pushing products onto a screen and continually just being a pain in the neck.

    Hackers when caught should be imprisoned for life for continually stealing and rampant destruction of other people's property. The actions are not one incident where a prison term is a few months, millions of months for stealing should be just that.

    As for internet advertising, all browsers and everything else with intrusive ads should stop.

    With billions of people in the world using those services, as with other services, a few dollars annual fee would give us intrusive, annoying, ad-free lives.

    A few cents or dollars for ad-free applications is wonderful, already in place in Google Playstore.

    Pay TV was ad free in the past, note the word 'pay'......

    now the system contains ads .... go figure, a flawed system, cannot be disputed.

  • D

    The only personal items on my phone are my contacts list and calendar. No credit card or banking info. No passwords to ANYTHING. No Google Pay or Samsung Pay or any of that idiocy.

    But then, I don't live on my phone and have my nose buried in it every waking moment like many people now do. The concept that "I'm going to just DIE if I can't check my social media feed every 90 seconds!!!!!" doesn't apply to me because, well, I'm sane.

    People have made the choice of exchanging security for 'convenience', as they ALWAYS do. Difficult to feel empathy for them when their lives are emptied out by malware.

  • a

    It's tough to push advertising if a phone is secure. It's tough to make money at this without advertising.

  • g

    Windows Phones are NOT ALL necessarily secure. I read wherever what the latest Windows update was supposed to be because I was having trouble with my phone. I found out my phone update was many numbers behind that! So I figured it was not updating correctly. I called AT&T who told me the update my phone says it has *IS* the latest one THEY have "ALLOWED" to go through to the phone!! Well, there are probably some SECURITY updates in the update(s) that they did NOT allow!! (usually the Windows way). So while my phone keeps telling me it *IS* up to date when I ask it to update, it really is NOT! If not up to date. How is that secure?!?!? And of course they're poo-poo'ing our being able to have a VIRUS PROTECTION I'm in such as one has on a PC by not having one in the Windows store!!

    That was exactly my point. :) Some carriers skip or hold back on updates.

  • D

    As a producer of an excellent software security and "tuning" product for the Windows O/S platform would Ashampoo consider developing the same product to apply across the Android O/S platform?

    Just suggesting!

    Thanks for your praise! We already have a tuning app such as the one you're suggesting in our portfolio! :) Please take a look, it's free even. https://www.ashampoo.com/uk/eur/pin/0093/Apps/droid-optimizer

  • I

    Motorola is as bad as any manufacturer. They have not upgraded Android for the Xoom for two years now. Effectively, the Xoom is considered an orphan as it no longer makes money.

    Lenovo are extremely tardy in Android updates for their no-longer current machines. Microsoft are really no better. I have a Surface 2 which can only run Windows 8.1 for ARM processors. Apple won't provide iOS updates for pre-iPhone 5 models. Same with iPads, etc.

    These items are now considered commodities with a 2 year life span, 3 years at best. Therefore, the manufacturers expect you to "resonate" to their product cycles and upgrade every 3-4 years; after which you have a brick.

    It is generally accelerated obsolescence cycles which drive these situations.

    If you can, install appropriate antivirus apps and observe continuous security diligence. The antivirus companies keep software updates rolling out longer, and react far faster than the manufacturers.

    Very soon our motor vehicles are going to be similarly afflicted. Sheer economics dictate that a manufacturer cannot afford to keep pouring money and resources into older products. Will we hear the lament "For the want of a BIOS update my smart car won't run anymore!"

    Motorola did quite well in the 2016 tests, at least compared to the other manufacturers that scored far worse... There may be a trend to publish fewer and fewer updates ever since the company was taken over by Lenovo.

  • v

    Good analysis. What is even more frightening though, is the recent discovery (predated by not-so-recent ones) of malware that has been preloaded on certain new phones and tablets. In some cases the culprit has been the manufacturer - it does not matter whether it was the manufacturer of the phone/tablet or of some phone/tablet component. In other cases there were companies in the chain of supply. What is really frightening is the fact that nothing happened - no one was punished, no one was banned from further selling infected devices. It looks like no one cares anymore, while malware was planted on those devices on purpose, not just incidentally. There should be a public and well-publicized international blacklist for those devices/manufacturers in order to regain the confidence of customers.
