Android Buyers Find Smartphone Update Chaos - InformationWeek


After Google releases a new version of Android, the time it takes carriers to update your phone varies wildly right now. One security expert says consumers must vote with their wallets.

How can consumers who want to buy a new smartphone, or businesses that want to issue smartphone recommendations to employees, assess which devices offer the best security?

That was the question posed by Harry Sverdlove, CTO of Bit9, in his recent quest to ascertain which of the world's 20 most popular smartphones were the least secure.

One of his most interesting findings is just how much time it takes for phones to be updated, after Google releases a new version of Android. Some manufacturers, however, are better than others. "Of the top three Android manufacturers--Samsung, HTC, Motorola--Samsung is the worst offender by far, then HTC, then Motorola," said Sverdlove in an interview. "So Motorola, for what it's worth, was the best at maintaining their updates."

What counts as the worst at updating? Samsung took 316 days to patch its Galaxy Mini, after Google released an Android update. The fastest Motorola update, meanwhile, was for Droid X--and still required 141 days to appear.


Coming by that data wasn't easy. Bit9 has long released an annual study rounding up the top Windows vulnerabilities, to help IT administrators know what to patch first. Sverdlove said he wanted to do the same for smartphones, especially in light of the "bring your own device" trend in the workplace. But writing the Windows report, which relied on publicly compiled vulnerability information, was a cakewalk compared to researching Android variants, he said, because anyone can take the open-source operating system and literally do anything that they want to it.

"As a security professional, it's the most chaotic thing I've ever seen. For creativity, innovation, growth, speed of change, it's a great, open space," he said. "But as a security professional trying to understand as a consumer, how secure is my phone, and as a company, how secure is my company if my users are bringing phones to work? It's a nightmare."

Ranking the security of the top 20 smartphones was further complicated by the dearth of easily accessible information about updates. "We went to the manufacturers' websites, the carriers' websites, we looked at release notes, and they'll claim to have an update available, but typically it's a highly intensive process," said Sverdlove. By intensive, he means "going through this process that the average human being isn't going to do," including locating the update, downloading and unzipping it, and then manually rooting the smartphone to be able to install the update.

Another complication was that although some carriers list update release dates, they fail to note "unrelease" dates. "There were at least three different cases where the manufacturer rolled out an update and then pulled it within two weeks, because it was completely unstable for their overlays," he said, referring to the skins or enhancements that carriers often make to the basic Android operating system. In two cases, a replacement update appeared about a month later. But the LG Optimus S still hasn't been updated, since LG rolled back the latest update in September.

With consumers bringing their own phones to work, there's not a lot that IT professionals can do to attack the smartphone security problem at the source. "The manufacturers are incented to come out with new phones," he said. "On average, we found that phones are getting 'end-of-lifed' within a year of being released," meaning phones then see no further updates. "But in most cases, you're signing two-year contracts."

Accordingly, "something about the Android ecosystem needs to change," he said. "Either the manufacturers need to prioritize security...or they need to relinquish control of the software and the security updates to the software vendors." He cites two good models for the latter approach: Apple iOS, and the Google Nexus smartphone. "Google makes it through Samsung, but it essentially behaves like Apple's model. When the update comes out, everyone with a Google Nexus has it within a day," he said.

Until one of those two Android ecosystem-level fixes happens, Sverdlove recommends that consumers vote on smartphone security with their wallets. "Right now, we vote by liking a keyboard or not, two cameras, the screen quality," he said. "We don't think, 'Is this phone going to be regularly updated and secure?' But if we started purchasing devices that are more secure and frequently updated, that's the loudest voice you can have."


User Rank: Apprentice
11/27/2011 | 3:11:41 PM
re: Android Buyers Find Smartphone Update Chaos
There was a survey by Mocana recently that said people were becoming more skeptical of the safety of their data on their phones. How much did security factor into your decision to buy whatever phone you are using (iPhone, HTC, etc)?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
11/23/2011 | 10:23:32 PM
re: Android Buyers Find Smartphone Update Chaos
720 malware apps and malicious exploits (Q2 2011 McAfee Threat Report) some of which have been downloaded from Google's Marketplace and installed by 4 million users are not a simple "so what" issue for most normal people.

Trojans that send premium SMS text messages or turn your phone into a botnet zombie, chew up your monthly quota or steal your banking login details are not going to be fixed by Good's secure email product.

The iPhone 3G was still getting feature and security updates from Apple *3 years* after release - I'm still using my 2.5 year old iPhone 3GS. Of course people appreciate a phone that is supported for at least the full 2 years of their contracts. Not everyone can afford to break their contract for a new phone, particularly the large number of consumers who get a cheap Android phone specifically because of price.
User Rank: Apprentice
11/23/2011 | 9:01:29 PM
re: Android Buyers Find Smartphone Update Chaos
I think consumers already have started voting with their wallets. Take HTC: notorious for its lack of updates, it has revised down its future revenue estimates due to competition.
Al in LA
User Rank: Apprentice
11/23/2011 | 5:41:43 PM
re: Android Buyers Find Smartphone Update Chaos
Some of us are already voting with our wallet but not in the typical sense.

I paid the full $550 price for my unlocked Nexus One. You have that option on most phones. Most consumers opt to join a much more restrictive carrier sand box for less up front.

I get updates on the phone and apps as soon as Google releases them, don't have any "custom" AT&T or other apps and have not been paying $5/month each for Voice recognition, Navigation (the full featured Google version, not the lame carrier versions required under most contracts), and mobile hotspot. That's $15 (or more) a month I haven't been giving to a carrier for over two years, more than the difference in original purchase price of the carrier contract versus unlocked cost.

Most consumers don't "do the math" on contract costs so opt for the "cheap" contract phone. Or they are addicted to the yearly upgrade mania which makes the above cost tradeoff moot but serves the carrier marketing plan. To put it another way, you do get what you pay for.

I will never purchase a sandboxed phone, iPhone or otherwise, and advise all in my sphere to do likewise.

p.s. Look to the European market for some sanity in the mobile phone space. Much more consumer friendly regulations. Where is our FCC advocacy of anyone beyond the carriers? And no, their reluctance on the AT&T/TMobile merger doesn't qualify.
User Rank: Apprentice
11/23/2011 | 5:21:41 PM
re: Android Buyers Find Smartphone Update Chaos
I have a great deal of difficulty understanding the crass stupidity of these phone manufacturers and our government with respect to an apocalypse coming.

With state sponsors of terrorism like N Korea, Iran, China, Russia and more it's incomprehensible that we don't have a national policy with respect to these "open source" products that provide an easy conduit for hugely malicious apps that can bring our system of commerce and communication to its knees. How can the carriers let un-vetted devices on their networks? These are simply technology bombs carried on the river of Wide Area Destruction (WAD) not WAN!

This is a race to the bottom.... the Wall Street debacle all over again..... only 1,000 times more devastating.

I have long said.... The greatest danger to the internet is from mobile devices. And the greatest danger from mobile devices are those that are retired from service and "recycled" to nations and organizations we know nothing about; organizations that can refit the devices with malware then bring them back into service on other networks around the world where they have access via the WWW to our system of government and commerce.

In all these years since 9/11, have you ever seen such a mess as that so well embodied in this article? This is the demise of our capitalist system... that anything is justified in the pursuit of profit!
User Rank: Apprentice
11/23/2011 | 5:02:23 PM
re: Android Buyers Find Smartphone Update Chaos
I would also add that after the phone manufacturers get done with the update, they pass it along to the carriers. The carriers then test it and add/update their bloatware before sending it out to the users.
I think we will see the phone manufacturers slow down on the releases of new phones, allowing them to focus on updates more frequently.
User Rank: Apprentice
11/23/2011 | 4:39:16 PM
re: Android Buyers Find Smartphone Update Chaos
So what? This article is just trying to stir up controversy and confuse the uninformed...

Yes there are multiple versions of the OS... Getting an update is nice, but ever since the release of 2.1 it is not critical.
People like to have the latest and greatest but this is not what poses a risk to security.

Apps like GOOD (GFE) take care of the secure messaging aspect which is what most people really want anyway... the rest is their business.
The malware concerns while legit are being way overblown to create a "mobile security" market ($$$$). The security issues are no different than email phishing scams... only install trusted apps and you'll be fine.
You're all concerned that it takes a few months to get the latest Mobile OS, but how many YEARS do most IT organizations take to upgrade Windows OS... I'm still on XP and Office 2003 what a joke.

The end of life argument is a red herring... with the phone market moving so fast is it realistic to expect that every phone should get the latest for years on end?
My wife has an HTC Hero... shipped with 1.5 then got an OTA update to 2.1 ... 2 years later it still works like a charm.
I'm more advanced and tinkered with rooting and custom roms getting 2.2 on my Samsung Moment.... and sure there were times that I hit a snag and had to work stuff out but that's my issue... not my IT department's. And I don't expect to get 4.0 on my old phone (even a custom rom)

so back off.

btw... people do vote with their wallets on the nexus phones... it's just some people care about other things more.