Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
United States Android Google Security

71 Percent of Android Phones On Major US Carriers Have Out of Date Security Patches (betanews.com) 103

Ian Barker, writing for BetaNews: Slow patching of security flaws is leaving many US mobile users at risk of falling victim to data breaches according to the findings of a new report. The study from mobile defense specialist Skycure analyzed patch updates among the five leading wireless carriers in the US and finds that 71 percent of mobile devices still run on security patches more than two months old. This is despite Google releasing Android patches every month, indeed six percent of devices are running patches that are six or more months old. Without the most updated patches, these devices are susceptible to attacks, including rapidly rising network attacks and new malware, also detailed in the report.
This discussion has been archived. No new comments can be posted.

71 Percent of Android Phones On Major US Carriers Have Out of Date Security Patches

Comments Filter:
  • Only 71%??? (Score:2, Insightful)

    by Anonymous Coward

    I find it hard to believe that 29% of android devices have ALL the available security patches installed and are running a current version.

  • What, am I supposed to buy a new phone every year to keep up?

    • by jon3k ( 691256 )
      If your phone only gets patches for a year, maybe you picked the wrong platform?
    • If I were cynical, I would say that's exactly why the phone manufacturers hardly ever release updates.

      Am I cynical?

  • My 3 year old android phone is fully up to date, software wise anyway.... I don't care if the other 71% want to go unprotected....

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I've never had bad guys or bad software infect my phone but I'm pretty sure that each "update" from google grabs more and more of my personal data and sells it to the highest bidder. Exactly who/what are these updates protecting us from?

    • Re:I'm in the 29% (Score:5, Insightful)

      by whoever57 ( 658626 ) on Thursday March 23, 2017 @03:23PM (#54098047) Journal

      By "up to date", do you mean that you have the latest firmware installed, or that the firmware that is installed has all the security fixes to Android that Google has issued?

      IOW, are you sure your phone hasn't been orphaned?

      • My work phone is still running 4.4.1. it has NEVER been offered an update ever. Samsung took the money and ran with this one. Personal phone being Nexus, updated monthly.
        • A while ago, both my son and I had the same model of Samsung phone. When the phones were about 4 years old, my phone got an OTA update, but my son's phone did not.

          The difference? I had downloaded and installed an update that was only available via Kies. It was never pushed as an OTA update.

        • This is one of the main issues that I see with the fragmentation related to android in general. Everyone has their own flavor, their own support schedule (or lack thereof), their own batch of supported patches, etc. Nobody seems to really want you to be able to just "hit a button" and update your kit.

          Like it or not, it's one of the better aspects of iPhones, so long as it's still supported/supportable apple will try to get you hooked up with an update. Now, that being said, not all updates fix more pr
  • I highly doubt that 29% of Androids are up to date.
    • by XxtraLarGe ( 551297 ) on Thursday March 23, 2017 @02:13PM (#54097469) Journal

      I highly doubt that 29% of Androids are up to date.

      This is just major carriers. Imagine how many unpatched Androids are out there on Boost, Cricket, Tracfone, etc. My wife has an Android on Tracfone and never had a security update notification.

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday March 23, 2017 @02:37PM (#54097657) Journal

      I highly doubt that 29% of Androids are up to date.

      Keep in mind that the security patch level field was added in Android Marshmallow (IIRC), and I expect that's what they're using to determine patch date. If so, KitKat and Lollipop devices aren't counted, and this really says that 29% of Android devices that are new enough to have Marshmallow or Nougat are up to date. That's not surprising, though it's obviously still far too low.

      Unless, of course, the report assumes that anything running Lollipop or older is not recently patched, which seems like a reasonable assumption.

      • Unless, of course, the report assumes that anything running Lollipop or older is not recently patched, which seems like a reasonable assumption.

        According to Google [android.com], 65.9% of users are on Lollipop or older. That means 29% of up-to-date Androids would have to come from 34.1% of users, or that 85% of Marshmallow and Nougat users are fully patched. I'm skeptical.

        Also, nearly half of Android users are using an OS at least 2.5 years old. :-/ Compare with 79% of iOS users on a 6 month old OS [apple.com], and 95% of iOS users on an OS less than 1.5 years old.

        • My experience with "iPhone people" is that they are very mildly concerned with their phone being able to run the latest OS and _very_ concerned with their phone being able to run the latest incarnation of Messages. Keeping iMessage up to date literally drags the rest of the OS along for the ride.
        • That means 29% of up-to-date Androids would have to come from 34.1% of users, or that 85% of Marshmallow and Nougat users are fully patched. I'm skeptical.

          You're assuming that the statistics don't simply exclude phones without the field.

  • A strange game. The only winning move is not to play. How about a nice game of chess?

  • by imidan ( 559239 ) on Thursday March 23, 2017 @01:57PM (#54097327)

    I have a Galaxy S4 on AT&T. I just checked, and it's at Lollipop 5.01 and says its "Android security patch level" is 2015-11-01. Nevertheless, when I push the software update button, AT&T assures me that my current software is up to date. Apparently, 5.01 is the latest version available for an S4, but what about security patches? Are they just done making them? Was AT&T planning on telling me that?

    I guess I'm a bad consumer, using a four year old phone.

    • by Anonymous Coward

      If you were on T-Mobile you would still be running S4 on v.4.x. (personal experience).

  • by Anonymous Coward

    It's running android version 2.2.1! I feel as though I wont be the only one

  • by CrashNBrn ( 1143981 ) on Thursday March 23, 2017 @02:08PM (#54097419)
    That the end-user can't get basic android updates directly is Android's major flaw. OEM's should of been required to support the AOSP and any changes should of been done via extensions to the AOSP. Thus any device could easily stay updated for at least their current major version of Android.
    • The problem is what you're asking for is mutually exclusive.
      • If it's open source, the carriers (the "users" of the open source code) can (and do) do whatever the hell they want - that is the whole point of open source. Extensions won't work because the carriers will simply modify the AOSP release to remove the extensions which allow Google to update Android without their consent.
      • If you want Google to be able to force carriers to update Android with the latest security patches, then it by definition is no
  • by Anonymous Coward

    Or rather, every incentive NOT to push security updates to phones. Just as they had every incentive to allow the act called Slamming, where you would get charged for a service you never agreed to, and the phone company got their cut of the transaction. In this case, their answer to securing your phone is that you should buy a new phone, up to date, with all the bells and whistles, a flagship model even! And they get their profit off adding on services to take full advantage of that new shiny plus profit fro

  • by Anonymous Coward

    This is why I love Blackberry. While its Android phones have their quirks, Blackberry is ACTUALLY delivering routine security updates, almost as fast as Google itself does.

    I still mourn the death of BB OS10 which was a great phone operating system. They lost the "app store" wars, but it was a great OS.

    I chose to continue with Blackberry when I made the switch to Android for exactly this reason.

    • Interesting, if TCL (Blackberry) and HMD (Nokia) continue with that promise, that would put them among a select few Android OEM's. As even the best OEM's have a spotty track record at best with updates across their various hardware offerings.
  • by organgtool ( 966989 ) on Thursday March 23, 2017 @02:23PM (#54097545)
    We're running old software because the manufacturers don't care about us after they've gotten our money. My experience with the Motorola G4 is a prime example of this. The phone came out in May 2016 with Android 6. Android 7 was released in August 2016, just three months after my phone was released, and I still don't have any update available for my phone despite the fact that Android 7 has been out for seven months! The worst part is that the OS on the G4 is practically stock Android, so it should take relatively little effort to customize the image and push it out. It seems the only way to guarantee access to new versions of Android is to buy a Google phone but the Pixel has one of the worst performance to price ratios of any Android phone. At this point, I have no idea what my next phone will be, but I have a lot of ideas about what it won't be.
    • by Blymie ( 231220 )

      Blackberry cares... at least as a business model.

      My PRIV has had *monthly* updates. That's the best I've heard of.

      My phone is basically ASOP, with some added security and Blackberry calender, etc.

      Overall.. not bad. Lots will badmouth BB, but they've come far now that they're pure android.

    • by Anonymous Coward on Thursday March 23, 2017 @02:47PM (#54097741)

      Microsoft, Apple and Linux distros, that is, the majority of the the OS vendors, manage to provide a mechanism to keep your system up to date independently of the hardware vendors and other "third parties". This support even extends to multiple architectures in some cases: x86 is the most common, but ARM is also becoming common (on Linux, you have even more: POWER, MIPS, etc).

      Can you imagine having to wait for, say, Dell to OK to every package for your next "apt-get update"? Or for Toshiba to give Microsoft the OK for them to make an OS update available to you?

      No, you can't. But this is the situation we have with Google. And people accept this for some reason. They even excuse it in Google's behalf, because they are so great (despite not being able to do what a bunch of "freeloading" "amateurs" can do on a shoe-string budget).

      There is no reason why operating system and user space upgrades need to be tied to the manufacturer. None.

      This situation is Google's fault and no one else's.

      • Re: (Score:3, Informative)

        There is no reason why operating system and user space upgrades need to be tied to the manufacturer. None.

        This situation is Google's fault and no one else's.

        You have no idea how Android, the Linux kernel, or open source software works. I guess that's why you're hiding behind AC.

        Each manufacturer is akin to a different distro of Linux. You in fact do have to wait for Fedora or Ubuntu to update their packages before you can apt-get them. You don't get them immediately. Nobody can force them to hurry up. Not Google, not you. They control the keys to apt-get.

        This is because Fedora/Ubuntu/etc can modify the kernel source and the source of any package that goes into

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Then it shouldn't be allowed to be called Android. It should be Moto Mobile Linux or Samsung Lazerbeam Linux some shit. If google allows them to call their distro Android, it's googles fault.

        • by sad_ ( 7868 )

          That is not the same at all, Google make Android they can set their demands.
          I can use Fedora or Ubuntu and will have to wait when the distro makes an update available, BUT i will get it when it has been made available NOT depending if it runs on a pc from HP, DELL, ASUS, ACER, ...

      • by swb ( 14022 )

        Can you imagine having to wait for, say, Dell to OK to every package for your next "apt-get update"?

        Except Dell will do just this if the update has anything to do with hardware, and in most server environments a lot of it does. I've done the dosey doe with Dell on their server platforms with drivers, debating whether my problems are due to the vendor-supplied drivers sucking or whether the Dell-provided drivers six months behind the OEM vendor are at fault.

        I think the problem carriers worry about is unapproved software that effects their networks. My guess is this is pretty remote in reality. but shikat

        • I think the problem carriers worry about is unapproved software that effects their networks.

          WE HAVE A WINNER!!

    • It's unfortunate that HMD Global hasn't announced any plans for the North American market, as the Nokia 6 at only 229 euros would really put the pressure on Lenovo (Motorola) and LG, among a few other manufacturers that release compatible phones in the $250 - $400 mid-range.
    • I've got a Motorola Droid Turbo (came out October, 2014).
      Android 6 released in October, 2015.
      Update available: January 5, 2016.

      Thanks, Verizon. Never again.

  • by Anonymous Coward

    I used to own an Android phone and when i had it my carrier did provide updates. The problem was, there weren't just security updates, I had to upgrade to new versions of Android. There was no 4.4.1, it was jump from 4.4 to 5.0 or nothing. Since each version of Android moves things around, some new versions break old apps and there were battery/performance regressions when I tested 5.0 on another phone, I just decided to keep my main phone running the older version of Android. Getting hacked was less of a c

  • by Artem S. Tashkinov ( 764309 ) on Thursday March 23, 2017 @02:50PM (#54097763) Homepage

    Android has a lot more problems [altervista.org] than you think and Google does nothing to solve it.

    We need a standard ARM platform, just like we've had the x86 platform since roughly 1981. And Google has all the resources to create and enforce it. And since they don't I wonder if they are malicious or negligent or it's just part of their business plan which is called "planned obsolesce". Too bad, in Google's case this obsolesce involves even original Google devices like Nexus 5 (stopped receiving any updates since October 2016) and it will soon be joined by Nexus 6.

    That's just horrible.

  • by Anonymous Coward

    Android devices are the worse, as much as I like them... Carriers lock them down, refuse to work/pay for the upgrades with the manufacturer (Sony/T-Mobile Z3+ was the prime example).

  • by rnturn ( 11092 ) on Thursday March 23, 2017 @03:51PM (#54098247)
    It's the vendors. Now we might be outliers, but everybody in my family installs patches whenever they come in. Maybe not immediately but at least later that day, i.e., when we're home and can be sure the phone is fully charged and maybe using WiFi if it looks like there's a lot of patches. When we were using Verizon, our phones were always getting version N when all the news and buzz was all about the newly released version N+1. When we switched carriers, Verizon still had our phones running the previous version of Android.
  • by p51d007 ( 656414 ) on Thursday March 23, 2017 @04:42PM (#54098627)
    It doesn't fit the business model of carriers & manufactures in the android world. Why update it, when you can just sell gullible people a new one? Most people (I'm in the USA) still think you have to purchase one from a carrier, so when they walk in after hearing their phone is "out of date" given most consumers are well...not very intelligent...will be pushed into a new phone that has the updates already installed. Then, a year from now they will do it all over again.
  • If I could remove all the crap apps they make me have (yes you too Google, not just V*******), I'd have an up to date phone.

  • Mine is one of them (Score:4, Informative)

    by JustAnotherOldGuy ( 4145623 ) on Thursday March 23, 2017 @07:30PM (#54099601) Journal

    Mine is one of them, but it sure as shit isn't my fault.

    If my carrier would provide updates I'd install them. If I could get patches I'd install them.

    Don't blame me for not buying a new phone every 3 months.

  • The real problem is a conflict of interest. If all manufacturers provided updates to their phones for 5 years, you could be sure that far fewer phones would be sold each year. So instead they cut off updates to encourage/force consumers to buy new phones more frequently - creating a larger market than it otherwise would be. What we need is a separation of hardware and software so that the hardware can be used until it dies without sacrificing the software security updates.
  • I would expect it to be higher than 71%. However, considering how every millenial and gen-z (the biggest consumer of phones) find they can't live unless they have the next (trivial) incremental update to a phone then from a carrier perspective there is no urgency. Especially since the next phone should have the latest android release that includes the latest security patches -- the one they would use prior to filling it with their bloatware. Also, lets not forget that these largest consumers don't care m
  • Sure the app situation sucks - if you want them. But the Tiled UI is far superior to the mess that is Android and it is actively updated. If you just want a secure phone with a great camera and text/mail/web and some basic apps, Windows Mobile is the way to go.

    Developing for it is pretty easy to.

  • Since Google and the carriers record everything I do and are willing to sell it to anyone with a big enough pocketbook, it's hard to say I'm "protected" by having an up to date phone. My only real hope is to never patch and hope to root it some day so that I can actually protect it myself.

/earth: file system full.

Working...