One of the noted problems with Android’s fragmentation and the control its manufacturers and phone companies have over their devices is that it can be hard to get Android devices patched with any regularity. Security firm Sophos has an opinion piece looking at some of the statistics surrounding Android security updates.
In the wake of last year’s Stagefright security hole, Google and Samsung launched monthly security updates to Nexus devices—but not every device has been capable of receiving them. While Google has said it’s going to continue leaning on its partners to make these updates available, it also noted that only 70.8% of active Android devices are running versions of Android that can be patched.
Sophos points out that means 28.2% of the extant 1.4 billion active Android devices worldwide can’t currently be patched—which works out to 409 million devices.
It’s easy to understand why that would be the case. If Android-using companies look on customer use cases for devices the same way as Apple does, feeling that customers will by and large trade up to new ones after about three years, they won’t see any point in continuing to support devices that are more than a couple of years old. Patching such devices will take a lot of manpower in development, testing, and so forth, and why would you want to do that for devices relatively few people even use anymore?
About the only thing that can force companies to update really old devices would be for completely showstopping bugs—such as the patch Amazon recently cranked out so its oldest Kindles would still be able to connect to Amazon servers at all. And given that most people can still use older devices regardless of the security loopholes, they tend to get along just fine.
But how serious a problem is this, really? The Sophos article suggests people with such devices need to worry about “[picking] up something nasty off the ‘free’ Wi-Fi” but how common is that? By default, Android devices only run apps from the usually-trustworthy Google Play store, and you actually have to know what you’re doing to disable that lock. It’s not as common for Android users to engage in the kinds of risky behaviors that expose PC users to viruses—downloading programs of uncertain provenance from BitTorrent, for example. In that light, it’s not even clear whether most users even need to worry about antivirus software on their Android devices—though there are plenty of such applications available.
It’s certainly not a good thing to have security vulnerabilities, but as commenters below the article point out, this post feels like gratuitous Android bashing, perhaps by an iPhone partisan. Who knows how many of these devices are actually being used in risky behavior? And since viruses aren’t as likely to be passed on from one to another as in computers that have removable media, the big scary number seems less significant in that light as well.
One way or another, I suspect the security issue will eventually take care of itself as people gradually stop using unpatchable, insecure devices and upgrade to newer, more secure ones—especially if Google is able to require companies to accept and issue patches more reliably. In the meanwhile, here’s a good article on ways to tell if a hacker is owning your smartphone.
