Android Updates: Hurry Up and Wait  

Google, device makers and carriers take too long to update Android vulnerabilities.

In fact, while it takes Apple just days to update iOS when it finds a vulnerability, Threatpost points out that it can take Google weeks or even months to do the same for Android. Apple needed only ten days to fix Trident vulnerabilities in iOS, but it took Google over seven months to fix all of the QuadRooter vulnerabilities in Android.

While Apple is faster to fix iOS, and although iPhone and iPad devices are wildly popular, Apple doesn’t rule the mobile world. Android has over 87% ownership of the global smartphone OS market, and of the top 5 smartphone vendors, 39% make Android devices – dwarfing Apple’s 11.7%.

These devices aren’t just for play anymore either.

Our smartphones are the primary screens we use – on average 162 minutes per day — to keep on top of our work and personal lives. With a huge market lead, and because these devices are trusted to handle sensitive personal and business information, it’s no wonder why Google is under pressure from the FTC and FCC to explain why it can’t push out security updates sooner and faster.

Can you trust iOS and Android to keep corporate data safe? Find out!
Register: HummingBad, QuadRooter, Trident: What’s the next mobile threat?

Android is especially more vulnerable than iOS because its ecosystem supports tens of thousands of different device makers and models. Finding (and exploiting) Android vulnerabilities is quite easy. It’s developing, testing, and deploying critical security patches to end user devices that’re mind-bogglingly complicated.

On top of that, just because an update is available doesn’t mean the end user will download and install it. And in some cases, aging in-market Android devices may never be updated if they’ve reached end-of-support.  Left unprotected, data on these devices is exposed to cybercriminals who’ve made stealing information from Android devices into a highly profitable and self-sustaining business model.

The lack of security, the thirst for stealing sensitive information on our mobile devices, and our growing desire for instant and continuous access to data should give CISOs and security professionals pause. And as BYOD becomes an enterprise standard rather than an exception, the risk to businesses globally is extreme.

   What is Mobile Threat Prevention?   |   Request a Demo

For its part, Google says it’s working hard to make Android more secure. Android 7.0 (Nougat) will include changes that allow Google to push out updates to the individual, core Android apps faster and independently of carriers and manufacturers. And incremental updates to the core OS will download in the background, and install automatically when a user reboots a device.

Even with these improvements, gaps will remain that cybercriminals can exploit easily. Every update inescapably introduces new vulnerabilities, and you can be sure that there’s always someone out there eager to discover the next big mobile threat.

Jeff Zacuto is a San Franciscan, gadget geek, and mobile security evangelist at Check Point Software Technologies. His 15 years of experience with mobile technology, security and compliance gives him a unique perspective on the needs and expectations of IT and security professionals, end users and corporate executives. When he’s not working or caring for Dodger and Daisy (his two French Bulldogs), you can find him indulging in one of his favorite hobbies, exploring for and creating craft cocktails.