- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
CSO - Patches and updates are a regular part of digital life. But apparently not regular enough, even among those who ought to know better -- public safety departments.
The Department of Homeland Security (DHS) and the FBI issued a warning memo a couple of months ago to police and fire departments plus emergency medical service providers and security personnel that Android devices with out-of-date operating systems pose a serious security risk to their organizations.
While the memo was not classified, a press spokesman at the DHS said it was FOUO (For Official Use Only), and he therefore would not answer any questions about it, including how many public safety departments could be affected, what the response to the warning had been and whether any breaches or other compromises have been reported to the U.S. Computer Emergency Readiness Team (US-CERT) as instructed by the memo.
But the memo cited unspecified "industry reporting" that, "44 percent of Android users are still using versions 2.3.3 through 2.3.7 -- known as Gingerbread -- which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions."
Google's own figures on its site for Android developers estimate that percentage at about a third less -- 30.7 percent. But it also showed 21.7 percent using versions 4.0.3-4.0.4, called Ice Cream Sandwich, which is also out of date. Less than half -- 45.1 percent -- are using the latest OS, called Jelly Bean, and of that group, 36.6 percent are using 4.1, and only 8.5 percent are using 4.2, which is the latest OS.
With Android dominating the mobile OS market -- Juniper Networks puts its share at 67.7 percent -- that makes Android easily the most attractive target for malicious attacks, and puts hundreds of millions of users at risk -- apparently including many in the public safety industry.
The DHS/FBI memo cited SMS Trojans, Rootkits and fake Google Play Domains as among the top security threats to out-of-date Android devices. It recommended regular updates, running an "Android security suite" and downloading apps only from the official Google Play Store.
But, updating an Android device is not always as easy or convenient as simply taking a few minutes to download a patch or the latest OS. While they are free, the hardware frequently cannot use them.
"There is a wide variety of Android OEM versions rolled out to a huge number of different handsets, and not all carriers and handset OEMs will allow you to upgrade to the latest version," said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.
"So, the Android versions that can run are restricted per device. Even now it is possible to buy Gingerbread devices that cannot be upgraded to Jelly Bean."
That point was emphasized by Android's chief competitor, Apple CEO Tim Cook (a distant second at 19 percent of the mobile OS market), who in a recent interview with Bloomberg BusinessWeek said incompatibilities among Android versions make each like an entirely different species.