The challenges of Android security updates

Who I am
Aina Martin
@ainamartin
Author and references
Comment (6)

Android security is a key issue for Google, the mobile OS being - by far - the most popular in the world. If the Mountain View company publishes security updates every month, all smartphones are not equal in the face of this maintenance operation.



Actively developed by Google since 2007, Android is now the most widely used mobile operating system in the world. Each year, the Web giant deploys one, sometimes two new versions of the system which bring more or less significant innovations. To ensure the proper functioning and security of the platform and its different versions, Google has set up a system of monthly updates accessible free of charge online. These updates, which include fixes for security vulnerabilities, system optimizations, and even new features, are particularly important. Alas, it is clear that not everyone is in the same boat. If the latest versions of the system and updates are automatically pushed onto the Web giant's recent terminals (Nexus and Pixel), it's a different story for those sold by manufacturers and mobile phone operators who remain free to use them. apply or not.


Google's monthly newsletter

If Google has decided to offer monthly updates for Android, it is because, like all OSes, they are essential to maintain a good level of security. One need only examine one of the latest Android update bulletins from October 2017 to see that they include no less than 32 security patches classified by their level of dangerousness: Critical (5), High (12), Moderate (12), and Low (3). The report clarifies that the latest most serious vulnerability discovered on the system could be exploited by an attacker to execute malicious code with the aim of stealing data, spying on the user, etc. 


Note that the patches made available cover all versions of Android from KitKat 4.4 to the latest Oreo 8.0. For its part, Google is responsible for pushing new patches directly on its home terminals (Nexus and Pixel) for a period of at least two years for the former, and three years for the latter from the date of purchase. By way of comparison, Apple updates its iPhones and iPads for five years.

How do manufacturers handle updates?

Smartphone manufacturers and partners (operators, component manufacturers, etc.) of Android are systematically alerted to the availability of new patches for the OS, but they remain free to apply them or not. To facilitate their deployment by manufacturers, Google recently modified its update program, separating the security updates common to all Android smartphones, and those intended for components. 

It is clear that manufacturers and operators are still reluctant to quickly deploy updates, which they must optimize for each device for which they still manage support in each country where they are marketed. Since the vast majority of manufacturers and operators customize the GUI of the OS and add their own features and services, they must perform a battery of tests and validations before they can deploy an update, even a minor one.


This involves significant development work and of course a significant cost. Some observers believe that manufacturers and operators do not update their mobile terminals as they should, to encourage consumers to buy new ones. As a general rule, manufacturers such as Samsung, LG, Huawei, or HTC provide software support for their Android devices for a period of between one and a half and two years. In fact, however, this remains at their discretion, because nothing contractually commits them to perform updates or migration to the latest version of the OS. Priority is given to the most popular and high-end models. By benefiting from updates without delay, the still eligible devices sold by Google are the most secure Android terminals on the market. A weighty criterion at a time when threats targeting Android have never been so virulent…


The good and the bad students

Let's be clear, manufacturers don't like to talk about Android updates. The reason is simple: apart from a few exceptions, updates such as the latest versions of the system are often reserved for the most recent models, and more particularly the high-end models. Concretely, each manufacturer decides alone whether or not to apply the updates. According to a study by Apteligent in North America, Motorola, LG and HTC were the three manufacturers that deployed Android updates the fastest in 2016. To put pressure on manufacturers, Google now regularly publishes on his blog a list of the most secure Android devices on the market, that is, those that have received the latest updates as quickly as possible.


In a table published on June 1, 2017, Google listed the 42 most secure smartphone models, including several Nexus and Pixel models. According to the Mountain View giant, more than 100 devices received the latest OS patches within 90 days. The table shows the 42 good students updated in less than two months. Several recent and rather high-end models from Samsung are on the list (Galaxy S8+, Galaxy S8, Galaxy S7, Galaxy S7 Edge, Galaxy S7 active, Galaxy S6 active). There are also several terminals from LG (G6, V20, 2V Stylo, DGAP 7.0 LTE), three from Sony (Xperia XA1, Xperia X), or even two from Motorola (Moto Z, Z Moto Droid). One of the big surprises in this ranking comes from the Chinese manufacturer Vivo, which places 3 models (Vivo 1609, 1601 and Y55). Impossible not to notice the pure and simple absence of major players such as Huawei, ZTE, Xiaomi, Lenovo, or even HTC.


What are the risks incurred without updates?

Android smartphones and tablets that are not updated undeniably pose security risks. As we have seen, in October alone, Google fixed more than thirty vulnerabilities, some of which are considered potentially very dangerous. When patches are available, it is imperative to install them as soon as possible. With the significant media coverage of recent cyberattacks such as large-scale data theft (CCleaner, Elifax, Yahoo!...) or the dreaded ransomware (WannaCrypt, Petya...), more and more consumers are becoming aware of the importance of ensuring their computer security, in particular by regularly updating their devices. However, there is still too high a rate of users who are absolutely not concerned about it and who do not apply the available bets.

Without these patches, Android devices are in fact exposed to a wide range of threats (phishing, ransomware, fraudulent applications, etc.). Users of Android devices over three years old – 50% of the Android fleet according to Google – also do not benefit from the changes relating to the protection of privacy. Since the Android 6 Marshmallow version launched on October 5, 2015, Google has indeed modified its application permission management system. A significant improvement in privacy protection since instead of having to accept all the permissions requested by the applications during their installation, users of version 6 and later can now choose which access rights they grant to each of them. Users of old devices should therefore be extra vigilant and possibly ensure their security using third-party tools such as Lookout Mobile Security, for example.

How to check OS version and security updates?

The sustained pace of launching new versions of the platform is such that a majority of new smartphones on sale on the market do not benefit from the latest version of the OS. Each manufacturer being free to push or not the new versions of the OS on its terminals, consumers have no other choice than to find out if their device is eligible for the next system update. Note that the deployment of a new version may require a wait generally between two months and a year. To find out the version of Android used on a terminal, go to the smartphone settings then click on “About the phone” then “Software information”: the version of the OS is indicated on the first line of the page that opens. In the same “About phone” menu, simply select “Update center” then “Software update” to find out if monthly updates or if a new version of the platform is available.

Conclusion

With 1,27 billion Android smartphones sold in 2016 alone, Google's OS captures no less than 85,2% of the market (source IDC). As in the world of computers with Windows, this success arouses the greed of hackers who always favor the most popular targets, but also the most vulnerable. According to security publisher Avast, cyberthreats to Android smartphones and tablets jumped 40% in 2017 compared to the previous year. Not reassuring, especially since these attacks, which mainly target users' personal data, are increasingly relentless. From ransomware in full expansion, to phishing sites, through fraudulent and counterfeit applications (fake app), malicious advertisements (adware) or even remote control takeovers (rooters), the threats that weigh on Android are multiple . Google tries by all means to stop the phenomenon by publishing monthly updates for its Android partners, but also by developing new tools to fight against the scourge of malicious applications. Following the annual Goolge I/O conference last May, the firm launched a new service dedicated to security called Play Protect.

Accessible on terminals eligible for updates via the “Applications” menu, the service enables automatic or manual verification of installed applications and informs the user when it detects a fault. Google Play Protect is also available on Google Play via the side menu. As on a terminal, it is possible to activate an automatic scan of applications directly via the online store. We bet that these measures will gradually improve security on Android, even if a lot remains to be done for the half of the users in the world who no longer have access to updates. Android users should therefore remain particularly vigilant. In addition to making regular updates available (system, apps, services, etc.), a few basic rules can already help to protect against a good number of risks: personalize the PIN code, set up a locking code, never download applications outside Google Play, encrypt device data via system settings, use complex passwords (or a dedicated manager), regularly back up data or avoid connecting to Wi-Fi spots not secure... 

Audio Video The challenges of Android security updates
add a comment of The challenges of Android security updates
Comment sent successfully! We will review it in the next few hours.