Security firm Bit9 has pulled together what it calls its "Dirty Dozen" list, putting the Google Android operating system in the spotlight, with the claim that an estimated 56% of Android phones in the marketplace today are running out-of-date and insecure versions of Android.
According to the Bit9 study published today, smartphone manufacturers Samsung, HTC, Motorola and LG often launch new phones with outdated software right out of the box, and they are slow to upgrade these phones to the latest and most secure versions of Android. This heightens the risk of malware infection and other attacks, says Harry Svedlove, Bit9's chief technology officer, who notes that details about the "Dirty Dozen" research and its methodology are posted on the company's website for review.
"The value in this is raising awareness about something no one is talking about," Svedlove says, namely the way that wireless service carriers and smartphone manufacturers fail to handle software updates efficiently. "The challenge we had in the Android ecosystem is it's unbelievably fragmented," Svedlove says, adding, "From a security perspective, this eco-system is broken."
"All operating systems have vulnerabilities," Svedlove points out, but it's how quickly and effectively software gets fixed that matters. Bit9's analysis of the most vulnerable smartphones is based on criteria that include market share (the most widely sold phones), whether a phone was running out-of-date and insecure software, and how slowly it received updates.
The study pertains to smartphones released by manufacturers this year and last. Bit9 excluded RIM BlackBerry from its study mainly because iOS and Android now appear to account for almost 80% of new smartphone purchases, and because, Bit9 says, BlackBerry is the only smartphone operating system to offer an Enterprise Server that lets companies centrally manage and control the updates and applications running on users' BlackBerry devices. Windows Mobile was also excluded because its market share is still small, about 5%.
The Bit9 "Dirty Dozen" not-so-smart smartphone list includes:
1. Samsung Galaxy Mini
2. HTC Desire
3. Sony Ericsson Xperia X10
4. Sanyo Zio
5. HTC Wildfire
6. Samsung Epic 4G
7. LG Optimus S
8. Samsung Galaxy S
9. Motorola Droid X
10. LG Optimus One
11. Motorola Droid 2
12. HTC Evo 4G
The Samsung Galaxy Mini, for example, was released in April of this year running a version of Android that was about 11 months out of date the day it shipped, according to Bit9. "It was Android Version 2.2 and it could have been 2.3.3 or 2.3.4," says Svedlove. Every smartphone in the Bit9 "Dirty Dozen" list runs Android.
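The "out of date at launch" measure Bit9 describes is easy to reproduce for your own device inventory: compare the release date of the Android build a phone shipped with against its launch date, and check whether a newer build already existed on that day. The script below is an added example written for this page, not Bit9's own tooling or methodology; the release table and the 15 April launch day for the Galaxy Mini are assumptions (the article gives only "April" and version 2.2), and the second device is a constructed placeholder.

```python
from datetime import date

# Illustrative Android release table. Dates are assumptions for this example,
# not figures from the article; substitute an authoritative source in practice.
ANDROID_RELEASES = {
    "2.2":   date(2010, 5, 20),
    "2.3":   date(2010, 12, 6),
    "2.3.3": date(2011, 2, 9),
    "2.3.4": date(2011, 4, 28),
}

DAYS_PER_MONTH = 365.25 / 12  # average month length, used only for reporting


def version_key(version):
    """Turn '2.3.3' into (2, 3, 3) so versions compare numerically, not as strings
    (string comparison would rank '2.10' below '2.9')."""
    return tuple(int(part) for part in version.split("."))


def newest_available(releases, on_date):
    """Newest Android version whose release date is on or before on_date."""
    candidates = [v for v, released in releases.items() if released <= on_date]
    if not candidates:
        raise ValueError(f"no release in table on or before {on_date}")
    return max(candidates, key=version_key)


def ship_audit(name, shipped_version, ship_date, releases=ANDROID_RELEASES):
    """Age of the shipped build at launch, and whether a newer build already existed."""
    if shipped_version not in releases:
        raise KeyError(f"{shipped_version} not in release table")
    age_days = (ship_date - releases[shipped_version]).days
    newest = newest_available(releases, ship_date)
    behind = version_key(newest) > version_key(shipped_version)
    return {
        "device": name,
        "shipped": shipped_version,
        "newest_at_launch": newest,
        "age_days": age_days,
        "age_months": round(age_days / DAYS_PER_MONTH, 1),
        "shipped_out_of_date": behind,
    }


# Constructed fleet: the Galaxy Mini version and month follow the article; the
# exact launch day and the second device are assumptions for the example.
FLEET = [
    ("Samsung Galaxy Mini", "2.2", date(2011, 4, 15)),
    ("hypothetical current device", "2.3.4", date(2011, 5, 1)),
]


def audit_fleet(fleet=FLEET, releases=ANDROID_RELEASES):
    return [ship_audit(n, v, d, releases) for n, v, d in fleet]


if __name__ == "__main__":
    for row in audit_fleet():
        flag = "OUT OF DATE" if row["shipped_out_of_date"] else "current"
        print(f'{row["device"]}: shipped {row["shipped"]}, newest was '
              f'{row["newest_at_launch"]}, {row["age_days"]} days '
              f'({row["age_months"]} months) old at launch -> {flag}')
```

With the assumed dates the Galaxy Mini's 2.2 build comes out roughly 330 days (about 11 months) old on launch day, with 2.3.3 already available, which matches the figure Svedlove cites. The same function applied to a device's current firmware date rather than its launch date gives the update-lag view that the rest of the article is concerned with.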
"Honorary mention" on this list is given to the Apple iPhone 4 and older iPhone models because until the iPhone 4S, Apple -- both the software designer and hardware manufacturer -- also had a woefully inefficient software update model, Svedlove says.
Bit9's fervor on this topic arises from its belief that smartphones are basically the next generation of portable computers, but according to the security firm, "the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment where it can take several months for important updates to be distributed, if at all. At the heart of the issue, providing software updates for Android phones is currently the responsibility of the individual hardware vendors along with their different carriers."
Bit9 does praise the Android operating system for being an open platform that has enabled innovation and creativity in mobile computing. And Svedlove also acknowledges that, increasingly, Android manufacturers such as Samsung, HTC and Motorola have made software updates available on their websites to end users willing to go looking for them. But he says this remains an extremely clunky procedure, with instructions for docking, utilities and downloading whose complexity only the geekiest of geeks could figure out. "It's horrendous," he says.
It's over-the-air updates from the wireless carriers, in conjunction with the phone manufacturers, that are by and large the mainstay of Android updates. Bit9 thinks security professionals and consumers need to put pressure on smartphone manufacturers to be "more responsible in prioritizing security updates." The security firm also says it would be better overall "if manufacturers could relinquish control of the operating system updates."
Bit9 points out that having to rely on the phone manufacturer and wireless service provider for software updates is "akin to buying a PC from Dell and relying on Dell to coordinate with your home Internet provider, instead of Microsoft, to update your Windows software." This would result in "complete fragmentation of the market," and according to Bit9, that's "exactly what has occurred within the Android smartphone market. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone."
Svedlove adds that, in his impression, consumers buying smartphones are less conscious of which OS version they are acquiring than they are when purchasing a traditional PC or Mac.
In comparison to the chaotic universe of Android smartphones, in which manufacturing cycles fly in every direction at 12- to 18-month intervals, Svedlove notes, the old Microsoft Windows PC environment seems like an orderly, predictable world, with software updates controlled over the Internet. To the issues raised by the "Dirty Dozen," says Svedlove, "There's no easy answer," adding that he hopes it will be a "call to change the industry." He says the smartphone world has to strive for predictability, ease and transparency in security. Bit9 also advocates that corporations adopting smartphones for business use establish a "secure app store model" that would allow only specific devices and trustworthy applications into their environment.