
Software version number no guarantee of security

Liam Tung

Prediction ... 2.3 billion computers, tablets and smartphones using Android software in 2016.

The message is simple: don't trust Android version numbers in vulnerability assessments.

Enterprises that rely on Android version numbers to determine if bring-your-own mobile devices are patched and secure for enterprise use should think again, according to new research.

Usually, when a new version of Android or any software is released, it is expected that flaws detected in older versions are fixed. For example, devices running Android 4.04 should not contain flaws identified in 4.03.

But according to Jon Oberheide, chief technology officer at US-based enterprise security and authentication company Duo Security, that is not what happens with Android: old bugs are being carried forward into releases whose version numbers suggest they should be fixed.

The company earlier this year released XRay.io, a free Android vulnerability scanner, which looks for software vulnerabilities in the core of Android in a similar way to how the Metasploit project works for desktops and servers. A probe of 26,000 Android devices across 140 countries revealed more than 60 per cent were vulnerable to just eight publicly available attack tools. Cross-referencing that data with Google's own figures, Oberheide estimates about 50 per cent of devices were vulnerable to these same eight attack tools.

The flaws were often unique to a particular version of Android, such as a remote wiping vulnerability discovered last month, which affected a range of devices and versions of Android.

A security-conscious enterprise could manage the risk by excluding known vulnerable versions from accessing corporate networks, but this method was unreliable, Oberheide said.

"We came across a lot of examples where there was a later version number present on the device. Say, it was 2.3.7, yet there were still un-patched vulnerabilities ... from 2.3.4 and so on."

Oberheide had not discovered why old flaws were being carried forward, but said a likely candidate was the Android patch distribution model. Software patches are implemented by Google, shared with device manufacturers, but only released to end devices by network carriers. He said one explanation could be that device makers were distributing new "patched" versions of the operating system without actually including the fixes Google had implemented.

The underlying problem is that the sheer number of device models weakens the incentive for the Android ecosystem to deliver patches. According to a recent study by OpenSignal, an Android-based network signal monitoring service, there are some 4000 Android devices on the market. Carriers often struggle to release updates because of the cost of testing them against each configuration. Testing is needed to ensure the patches don't break the devices and create a technical support nightmare for the carriers.

Android reached the market only in 2008, but is now the dominant smartphone platform, controlling two-thirds of that global market. It has taken the No. 2 spot in the fast-growing tablet computer market.

So should Android be simply banned from the enterprise? No, said Oberheide, but organisations should weed out vulnerable devices.

"If you are using Duo or some other two-factor authentication product that offers the ability to use mobile devices as an authenticator, we can display that risk to you, we can allow you to define group policy," says Oberheide.

"Maybe [you shouldn't] allow those users to use their mobile device to authenticate and [should] force them to use a hard token, call back or some other authentication offered."
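The policy Oberheide describes, as an added example that is not from the article or from Duo Security's or X-Ray's code: a version floor alone admits a device that reports 2.3.7 but still carries a flaw that was due to be fixed in 2.3.4, while a policy that also consumes the result of an on-device vulnerability probe moves that user to a hard token. The issue names, fix versions and scan results are constructed placeholders, not real Android bug data, and the probe output is assumed to arrive as a set of issue names found still present.

```python
import re
from dataclasses import dataclass, field

# Constructed catalogue for the example: issue name -> first Android version that is
# supposed to carry the fix. Placeholder names, not real Android bugs.
KNOWN_ISSUES = {
    "ISSUE-A": "2.3.4",
    "ISSUE-B": "2.3.6",
    "ISSUE-C": "4.0.4",
}

# Oldest version the enterprise policy is willing to admit on version grounds (constructed).
MIN_VERSION = "2.3.6"


def parse_version(text: str) -> tuple:
    """Turn '2.3.7' into (2, 3, 7) so comparisons are numeric, not string-wise
    ('2.3.10' must sort after '2.3.7'). Only the leading digits of each dotted
    component count, so a build suffix such as '4.0.4-r1' parses as (4, 0, 4)."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


@dataclass
class Device:
    device_id: str
    reported_version: str
    # Issues an on-device probe (an X-Ray-style scan) found still present.
    # Constructed data for the example; a deployment would feed in scanner output here.
    unpatched: set = field(default_factory=set)


def version_only_decision(dev: Device) -> str:
    """Naive policy: trust the version string alone. Returns 'allow' or 'hard_token'."""
    if parse_version(dev.reported_version) >= parse_version(MIN_VERSION):
        return "allow"
    return "hard_token"


def carried_forward(dev: Device) -> set:
    """Issues the reported version claims to have fixed but the scan still found.
    A non-empty result means the version number is not an honest patch level."""
    reported = parse_version(dev.reported_version)
    return {
        name for name in dev.unpatched
        if name in KNOWN_ISSUES and parse_version(KNOWN_ISSUES[name]) <= reported
    }


def scan_aware_decision(dev: Device) -> dict:
    """Policy that uses the probe result: any unpatched catalogued issue, or a version
    below the floor, moves the user off the phone-as-authenticator path to a hard token.
    Issue names not in the catalogue are ignored rather than guessed about."""
    below_floor = parse_version(dev.reported_version) < parse_version(MIN_VERSION)
    unpatched = {name for name in dev.unpatched if name in KNOWN_ISSUES}
    decision = "hard_token" if (below_floor or unpatched) else "allow"
    return {
        "device": dev.device_id,
        "decision": decision,
        "below_floor": below_floor,
        "unpatched": sorted(unpatched),
        "version_lied": sorted(carried_forward(dev)),
    }


if __name__ == "__main__":
    # Constructed fleet: the second device is the case the article warns about.
    fleet = [
        Device("honest-2.3.7", "2.3.7"),
        Device("lying-2.3.7", "2.3.7", {"ISSUE-A"}),  # fix for A was due in 2.3.4
        Device("old-2.3.3", "2.3.3"),
        Device("ics-4.0.3", "4.0.3", {"ISSUE-C"}),    # fix not yet due, still exposed
    ]
    for dev in fleet:
        verdict = scan_aware_decision(dev)
        print(dev.device_id, version_only_decision(dev), verdict["decision"], verdict["version_lied"])
```

The `version_lied` field is the signal worth alerting on separately from the access decision: it tells an administrator which device models are shipping version strings that do not match their actual patch level, which is the condition the research above describes.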

17 comments

  • Don't be Evil....but it's ok for others to do so.

    Seriously, can it be that hard to patch this software? Google is a powerhouse of a company and I would have thought this would be a priority for them to fix....I guess not.

    Suffice to say NEVER EVER do internet banking or anything requiring total security using your android phone.

    Commenter
    Interesting
    Location
    Melbourne
    Date and time
    October 26, 2012, 1:37PM
    • Actually, it's not so much Google's fault. If you have a Samsung phone sold through Telstra, then there are 3 layers of testing and release that each patch must go through.

      First, Google do internal testing of the patch and when they deem it breaks no Android software systems, they release the patch.

      Second, the phone manufacturer (in this case, Samsung) picks up the patch and does their own testing to make sure it doesn't break any hardware. They then release the patch.

      Third, the network carrier (in this case Telstra) verify that the patch doesn't break any network-related functionality (or indeed, enable extra functionality that they don't want users to have, such as data tethering when it first appeared), then push it to the handset.

      Clearly, the most under-resourced party in this whole exchange is the network carrier, as they're more interested in actually running the network than testing patches. They don't have much interest in end-point security, because a security breach on a handset is only tenuously linked to their brand image. Most people would just blame android, like you are. The handset manufacturer is in a better position to test and release patches, however often they'll hold back functionality to coerce users to upgrade the entire handset. Some manufacturers are renowned for it, some are more consumer-focused. Do your own research in this regard.

      If you want to be sure of getting your patches as soon as they're released by Google, buy a Google branded phone (eg. nexus). The last thing Google wants is their brand name tarnished by having poor security.

      Commenter
      Mike
      Location
      Sydney
      Date and time
      October 27, 2012, 4:01PM
    • @Mike - can you please help me to understand why they cannot design the OS to be less "hackable". I agree entirely with what you are saying yet it still seems to me that Google have a role in limiting the opportunities for hacking. Thanks

      Commenter
      Noted
      Location
      Melbourne
      Date and time
      October 29, 2012, 9:54AM
  • First!

    Commenter
    Leezy
    Date and time
    October 26, 2012, 1:41PM
    • Awkward...

      Commenter
      Fourth
      Date and time
      October 28, 2012, 9:56AM
  • Apple develop the iOS operating system for highly regulated Apple products (eg: iPhone, iPad, iTouch)...etc.. therefore they have the means to ensure tight restrictions on the modifications a telecommunications company can make to the operating system. Android does not have this luxury as it is designed to work on many products from different manufacturers, therefore it is more prone to exploitation.

    Android has many security features, however these are often not utilised or they are open to exploits because telecommunications companies do not disable certain features at the core level of the operating system - especially when it comes to their own customisations of the operating system. Therefore the onus is on the telecommunication companies (providing these products). This is also by far the biggest reason why these exploits are well known - and it is because telecommunications companies are too lazy to do anything about it.

    Some phone companies including Google itself have NEXUS phones/tablets. Under the NEXUS arrangement, Google have a big say in how the operating system is to be configured/used, and under the NEXUS model, it is far less open to security exploitation. If you like Android, but are concerned about security exploitation, why not consider a NEXUS branded product instead. They may not be perfect, but it is definitely a step in the right direction.

    Commenter
    Phillip Parker
    Location
    Frankston
    Date and time
    October 26, 2012, 3:51PM
    • " If you like android, but are concerned about security exploitation, why not consider a NEXUS branded product instead. They may not be perfect, but it is definitely a step in the right direction."

      ^^
      This.

      Problem solved.

      Whereas, this "Suffice to say NEVER EVER do internet banking or anything requiring total security using your android phone."

      Absolute bollocks. (Really difficult to guess what devices you own 8-|). Uninformed doesn't even go close.

      Commenter
      Mr Bungle
      Date and time
      October 26, 2012, 9:02PM
  • Mmmm....how's 'free and open' workin' out for ya?

    Android is the new Windows.

    Bwaahahahahaha aha ha.

    Commenter
    Mr. Fan Bois
    Location
    My Walled Garden
    Date and time
    October 26, 2012, 5:43PM
    • I'm sorry to break this to you, but with Android being free and open source and having more eyes from third parties to freely look at the source and report vulnerabilities, that makes it a good thing, as the exposure pushes Google to patch them up, and in the meantime allows users to be more aware of the issues. However, when you look at Apple's closed-world iOS system, where only Apple can look at and study the code for vulnerabilities, that would make it worse than Android, as you don't know if Apple isn't doing the same thing and you cannot find out; you just assume and trust that they are, but it begs the question: are they patching their code, or even looking for issues?

      Commenter
      techquy
      Date and time
      November 03, 2012, 12:26PM
  • The problem is that once the product cycle has completed after about 8-10 months and it reaches end-of-life, the OEMs have no interest in updating their devices and releasing ROMs. So it either leaves people unprotected or forces them to buy new products constantly. Which I think is a huge material problem. The only other way is to install an updated custom ROM, in the hope that someone has ported something or created a new one.

    It's rather a pity that Google can't deploy patches directly to customers' phones, but there are so many platform customisations done by the OEMs that it's probably impossible to manage.

    Commenter
    Alex
    Location
    Melbourne
    Date and time
    October 27, 2012, 1:49AM
