Almost 90% of Android devices are exposed to critical vulnerabilities

Android devices' reputation for being less secure than their iOS counterparts is well known by now, but researchers from the University of Cambridge have some shocking numbers on just how many of these devices suffer from security shortcomings.

Researchers studied 20,400 Android devices and determined that 87.7% of them were open to known critical vulnerabilities. But it has nothing to do with users being careless or downloading malicious apps, as you might expect.

Update schedule

Rather, Android’s slow, carrier-dependent upgrades were to blame for the vulnerability exposures.

Once a new, fixed version of the Android operating system (OS) is available, Android relies on the cell carriers to push it out to users.

That can lead to a serious slowdown. According to the study’s authors:

“We found that within 30 days of the first observation of a new version on a device, half of all devices of that model have the new version (or a higher version) installed, and within 324 days 95% of devices have the new version (or a higher version). This compares with the average rates of deployment for Android OS versions of 350 days for half and 1 100 days for 95%.”

In other words, when a new update is available, most users download it within a year. But it often takes a year just for the latest OS to become available.

The study’s authors observe, however, that silent, forced updates or frequent reminders could help cut down the time until systems are updated.

No magic bullet

Android’s current system is unlikely to change anytime soon. But there are ways to mitigate the risks.

For one thing, you may want to urge users to update their OS whenever prompted. It’s not foolproof, but it could help cut down the time to updates slightly.

Ultimately, though, you’ll want to be sure your BYOD program requires users to upgrade when an update is available, and that you have a mobile device management program that keeps users’ personal and corporate information as segmented as possible.

It’s the sad reality that there’s only so much you can do to make sure users’ personal info is safe – so protecting the corporate information from vulnerable devices should be the top priority.