71 Percent of Android Phones On Major US Carriers Have Out of Date Security Patches

Ian Barker, writing for BetaNews: Slow patching of security flaws is leaving many US mobile users at risk of falling victim to data breaches according to the findings of a new report. The study from mobile defense specialist Skycure analyzed patch updates among the five leading wireless carriers in the US and finds that 71 percent of mobile devices still run on security patches more than two months old. This is despite Google releasing Android patches every month, indeed six percent of devices are running patches that are six or more months old. Without the most updated patches, these devices are susceptible to attacks, including rapidly rising network attacks and new malware, also detailed in the report.

Only 71%???

I find it hard to believe that 29% of android devices have ALL the available security patches installed and are running a current version.

Re:Only 71%???

[SeaFox]

Those are probably owned by iPhone users.

The 29% of Android devices with all security patches are iPhone users? Okay...

Re:Only 71%???

[__aaclcg7560]

The 29% of Android devices with all security patches are iPhone users? Okay...

How else would you explain this discrepancy?

Some of my patches are years old

[fustakrakich]

What, am I supposed to buy a new phone every year to keep up?

Re:Some of my patches are years old

[jon3k]

If your phone only gets patches for a year, maybe you picked the wrong platform?

Re:Some of my patches are years old

[mcswell]

If I were cynical, I would say that's exactly why the phone manufacturers hardly ever release updates.

Am I cynical?

I'm in the 29%

[bobbied]

My 3 year old android phone is fully up to date, software wise anyway.... I don't care if the other 71% want to go unprotected....

Re:I'm in the 29%

I've never had bad guys or bad software infect my phone but I'm pretty sure that each "update" from google grabs more and more of my personal data and sells it to the highest bidder. Exactly who/what are these updates protecting us from?

Re:I'm in the 29%

[whoever57]

By "up to date", do you mean that you have the latest firmware installed, or that the firmware that is installed has all the security fixes to Android that Google has issued?

IOW, are you sure your phone hasn't been orphaned?

Re: I'm in the 29%

[thundercattt]

My work phone is still running 4.4.1. it has NEVER been offered an update ever. Samsung took the money and ran with this one. Personal phone being Nexus, updated monthly.

Re: I'm in the 29%

[whoever57]

A while ago, both my son and I had the same model of Samsung phone. When the phones were about 4 years old, my phone got an OTA update, but my son's phone did not.

The difference? I had downloaded and installed an update that was only available via Kies. It was never pushed as an OTA update.

Re: I'm in the 29%

[InvalidsYnc]

This is one of the main issues that I see with the fragmentation related to android in general. Everyone has their own flavor, their own support schedule (or lack thereof), their own batch of supported patches, etc. Nobody seems to really want you to be able to just "hit a button" and update your kit.

Like it or not, it's one of the better aspects of iPhones, so long as it's still supported/supportable apple will try to get you hooked up with an update. Now, that being said, not all updates fix more problems than they cause, apple has had some bad ones, but at least they have a pretty level playing field as to being able to get the update.

I always wait a while to pull down updates from them, been burned before, but not too badly.

I am very skeptical.

[Just+Some+Guy]

I highly doubt that 29% of Androids are up to date.

Re:I am very skeptical.

[XxtraLarGe]

I highly doubt that 29% of Androids are up to date.

This is just major carriers. Imagine how many unpatched Androids are out there on Boost, Cricket, Tracfone, etc. My wife has an Android on Tracfone and never had a security update notification.

Re:I am very skeptical.

[swillden]

I highly doubt that 29% of Androids are up to date.

Keep in mind that the security patch level field was added in Android Marshmallow (IIRC), and I expect that's what they're using to determine patch date. If so, KitKat and Lollipop devices aren't counted, and this really says that 29% of Android devices that are new enough to have Marshmallow or Nougat are up to date. That's not surprising, though it's obviously still far too low.

Unless, of course, the report assumes that anything running Lollipop or older is not recently patched, which seems like a reasonable assumption.

Re:I am very skeptical.

[Just+Some+Guy]

Unless, of course, the report assumes that anything running Lollipop or older is not recently patched, which seems like a reasonable assumption.

According to Google, 65.9% of users are on Lollipop or older. That means 29% of up-to-date Androids would have to come from 34.1% of users, or that 85% of Marshmallow and Nougat users are fully patched. I'm skeptical.

Also, nearly half of Android users are using an OS at least 2.5 years old. :-/ Compare with 79% of iOS users on a 6 month old OS, and 95% of iOS users on an OS less than 1.5 years old.

Re:I am very skeptical.

[choovanski]

My experience with "iPhone people" is that they are very mildly concerned with their phone being able to run the latest OS and _very_ concerned with their phone being able to run the latest incarnation of Messages. Keeping iMessage up to date literally drags the rest of the OS along for the ride.

Re:I am very skeptical.

[swillden]

Some OEMs backported the patch level field.

Re:I am very skeptical.

[swillden]

That means 29% of up-to-date Androids would have to come from 34.1% of users, or that 85% of Marshmallow and Nougat users are fully patched. I'm skeptical.

You're assuming that the statistics don't simply exclude phones without the field.

Re: I am very skeptical.

[swillden]

Just the fact that you use those silly google names to indicate android version shows how far up the posterior of google you are. So sad. Just refer to android versions by number so we can understand.

You're crazy, basically no one knows the numbers. Look at all the discussions in the press, ask around to people (among people who even know that there are different versions of Android). Everyone who knows anything about Android releases knows the dessert names. The numbers are enthusiast-only trivia.

Android security, iPhone security, whatever...

[DontBeAMoran]

A strange game. The only winning move is not to play. How about a nice game of chess?

I get no updates from my carrier

[imidan]

I have a Galaxy S4 on AT&T. I just checked, and it's at Lollipop 5.01 and says its "Android security patch level" is 2015-11-01. Nevertheless, when I push the software update button, AT&T assures me that my current software is up to date. Apparently, 5.01 is the latest version available for an S4, but what about security patches? Are they just done making them? Was AT&T planning on telling me that?

I guess I'm a bad consumer, using a four year old phone.

Re:I get no updates from my carrier

[bobbied]

S4's have removable batteries... Personally, I carry multiple batteries for my Android Note 4, not because I have to, but it's nice to have a fresh battery in the time it takes to boot the phone.

Re:I get no updates from my carrier

If you were on T-Mobile you would still be running S4 on v.4.x. (personal experience).

Re:I get no updates from my carrier

[imidan]

I'm still using my original battery for this one. It will last about 2.5 days of low usage, or 1 day of heavy usage. This is my paradox for buying a new phone... I like having a battery I can swap, but in practice I haven't actually swapped it (at least on this one). Also, you have to figure out where you can buy a battery that isn't a counterfeit that craps out almost immediately. My girlfriend's battery got old and we swapped that one, and then her whole phone failed six months later, so that was pointless.

Despite my security patch level, I plan to stick with this phone for the foreseeable future. Next time, I think I'd like to get a phone that isn't carrier locked so I can avoid the bloatware and possibly get more timely updates.

Re:I get no updates from my carrier

[Grishnakh]

Did your brother-in-law run the phone down to 0% a lot?

Li-ion batteries can only fully discharge and recharge a limited number of times, and their lifetimes are hugely affected by how much you run them down before charging. So they might only advertise 1000 charge cycles, but that's for a full (or mostly full) discharge. But if you recharge every time it hits 50%, you could get an order of magnitude more cycles out of it.

Bottom line: don't run your phone's battery down.

Also, it's good to get a phone with a removable battery. I can get new batteries for my S5 for $10.

Re: I get no updates from my carrier

Who the fuck should supply the updates then? Apple did it right, you either let us update the phones or fuck off. Too bad google and all the other android creators don't have a god damn spine.

Re:I get no updates from my carrier

[InvalidsYnc]

I think what they are getting at is that when they buy a piece of hardware, and it has a button to update, that some entity somewhere has got their shit together and is going to send them an update instead of hanging them out to dry.

Regardless of who is responsible for making that functionality work, in the end it DOES go back to the carrier who is selling the POS, because the OS is tweaked to their specifications to be on their network, often times including how it is patched/updated.

Re:I get no updates from my carrier

[chihowa]

It would be just like that if the electric company edited the microwave manual so that the Microwave Repair Hotline rang up the electric company. The telecommunication companies inserted themselves in the middle of the update process, so they need to either issue/approve updates or remove themselves from that role.

Re: I get no updates from my carrier

[mcswell]

The phone companies obviously have no reason to do this, since if you're truly concerned about having a newer version, your only recourse is to buy a new phone. And Company X may hope that you buy it from Company X again.

In the PC world, it's Microsoft who releases the updates, and those updates by and large work on everyone's PC regardless of who made its components. (Yes, there are occasional driver issues, although in my decades of owning a PC, I personally don't think I've ever had a Microsoft update brick my PC because of driver issues.) So it seems to me that in the Android world, it ought to be Google who issues the updates. That may not be possible now, since from what I've heard individual phone companies have modified the software, but it could be done in the future by forbidding the phone companies from modifying the core Android o/s (if indeed that's what's happened).

BTW, my phone runs Windows.

Re:I get no updates from my carrier

[mcswell]

Which of course is the opposite of what people used to be told to do with NiCd batteries. I wonder how many people are still in that mindset (it was a revelation to me when I first heard this about Li batteries).

Ha! My current cell phone is 7yrs old

It's running android version 2.2.1! I feel as though I wont be the only one

Flaw of the Android Ecosystem

[CrashNBrn]

That the end-user can't get basic android updates directly is Android's major flaw. OEM's should of been required to support the AOSP and any changes should of been done via extensions to the AOSP. Thus any device could easily stay updated for at least their current major version of Android.

Re:Flaw of the Android Ecosystem

There is a lot of blame to go around.

For Google's part, they need to put more pressure on the carriers. Same with the handset manufacturers.

Apple has managed to exert enough pressure on the carriers to be allowed to issue updates directly without the carrier as middleman.

Obviously there are some political issues at play - carriers would rather have more control, but I think a company like Samsung or Google has enough leverage at this point. It seems they don't want to make waves.

Re:Flaw of the Android Ecosystem

[CrashNBrn]

Hardly. Even if an OEM allows you to unlock the bootloader on a non-carrier-specific phone, and you apply a non-OEM blessed ROM - you will be lucky if the phone still boots without issue. Let alone having WIFI, Cell Radios or the Camera still work normally.

Which would not be the case if the AOSP part of the Android OS was separate from OEM hack-job customizations, as you could then apply most any Android security update which would primarily only need to revise existing AOSP files within major Android revisions.

Re:Flaw of the Android Ecosystem

[Anubis+IV]

I suppose you would blame the road you were on for your car falling apart around you?

Lousy carriers are as common as lousy roads, which is why products should take them into account and deal with the problems they cause. If they fail to do so, then sure, the bad road/carrier shares some of the blame, but the product's design owns the lion's share of the blame.

P.S. This is NOT a backhanded way of saying iOS has it right. This is about tradeoffs. Google suffers in this area of their design to gain in other areas. Apple benefits in this area of their design at the cost of other areas. Neither approach is necessarily right, each approach will cater to different users, and each approach falls apart and excels in different ways.

Re:Flaw of the Android Ecosystem

[tepples]

If it were entirely a carrier issue, than unbranded GSM/UMTS/LTE phones would have been patched more often and longer, as would have Wi-Fi-only tablets.

Re:Flaw of the Android Ecosystem

[Solandri]

The problem is what you're asking for is mutually exclusive.

• If it's open source, the carriers (the "users" of the open source code) can (and do) do whatever the hell they want - that is the whole point of open source. Extensions won't work because the carriers will simply modify the AOSP release to remove the extensions which allow Google to update Android without their consent.
• If you want Google to be able to force carriers to update Android with the latest security patches, then it by definition is no longer "open" source.

What probably needs to happen is for the carriers to be sued for problems caused by them not passing on Google-released security updates in a timely manner.

Re: Flaw of the Android Ecosystem

[Anubis+IV]

If you can't see that Apple has a superior update model [...]

You must've stopped reading my post, because I said they were ahead in this area. The reason I said neither was necessarily right was because they both comes with tradeoffs. There's no doubt that Apple's updates are far better, but what about their prices? Variety of hardware? Features that cater to niches? By maintaining such tight control, they sacrifice benefits in those other areas.

And, just so you know, if I've drunk any Kool-Aid, it's Apple's. I own zero Android devices. I own dozens of Apple devices, simply because they have been better for me and my uses. That doesn't make them right. Just better in the areas I care about.

Re:Flaw of the Android Ecosystem

[sad_]

Only because the ARM platform sucks and most of them are not officially supported in the kernel.
Google could simply say to them: If you want to have your ARM SOC used in an android phone? Well work with the linux kernel devs for get it in there.

No Incentive

Or rather, every incentive NOT to push security updates to phones. Just as they had every incentive to allow the act called Slamming, where you would get charged for a service you never agreed to, and the phone company got their cut of the transaction. In this case, their answer to securing your phone is that you should buy a new phone, up to date, with all the bells and whistles, a flagship model even! And they get their profit off adding on services to take full advantage of that new shiny plus profit from the sale of it! And if its out of date in 6 months because of security patches you aren't getting, well, they can let you pay a super extra special fee to upgrade your phone again early!

And your congressmen won't do shit about it, because this is data and privacy information and that pesky stuff doesn't need any kind of silly protecting!

Blackberry

This is why I love Blackberry. While its Android phones have their quirks, Blackberry is ACTUALLY delivering routine security updates, almost as fast as Google itself does.

I still mourn the death of BB OS10 which was a great phone operating system. They lost the "app store" wars, but it was a great OS.

I chose to continue with Blackberry when I made the switch to Android for exactly this reason.

Re:Blackberry

[CrashNBrn]

Interesting, if TCL (Blackberry) and HMD (Nokia) continue with that promise, that would put them among a select few Android OEM's. As even the best OEM's have a spotty track record at best with updates across their various hardware offerings.

Because Manufacturers Suck

[organgtool]

We're running old software because the manufacturers don't care about us after they've gotten our money. My experience with the Motorola G4 is a prime example of this. The phone came out in May 2016 with Android 6. Android 7 was released in August 2016, just three months after my phone was released, and I still don't have any update available for my phone despite the fact that Android 7 has been out for seven months! The worst part is that the OS on the G4 is practically stock Android, so it should take relatively little effort to customize the image and push it out. It seems the only way to guarantee access to new versions of Android is to buy a Google phone but the Pixel has one of the worst performance to price ratios of any Android phone. At this point, I have no idea what my next phone will be, but I have a lot of ideas about what it won't be.

Re:Because Manufacturers Suck

[Blymie]

Blackberry cares... at least as a business model.

My PRIV has had *monthly* updates. That's the best I've heard of.

My phone is basically ASOP, with some added security and Blackberry calender, etc.

Overall.. not bad. Lots will badmouth BB, but they've come far now that they're pure android.

Re:Because Manufacturers Suck

Microsoft, Apple and Linux distros, that is, the majority of the the OS vendors, manage to provide a mechanism to keep your system up to date independently of the hardware vendors and other "third parties". This support even extends to multiple architectures in some cases: x86 is the most common, but ARM is also becoming common (on Linux, you have even more: POWER, MIPS, etc).

Can you imagine having to wait for, say, Dell to OK to every package for your next "apt-get update"? Or for Toshiba to give Microsoft the OK for them to make an OS update available to you?

No, you can't. But this is the situation we have with Google. And people accept this for some reason. They even excuse it in Google's behalf, because they are so great (despite not being able to do what a bunch of "freeloading" "amateurs" can do on a shoe-string budget).

There is no reason why operating system and user space upgrades need to be tied to the manufacturer. None.

This situation is Google's fault and no one else's.

Re:Because Manufacturers Suck

[James+Carnley]

There is no reason why operating system and user space upgrades need to be tied to the manufacturer. None.

This situation is Google's fault and no one else's.

You have no idea how Android, the Linux kernel, or open source software works. I guess that's why you're hiding behind AC.

Each manufacturer is akin to a different distro of Linux. You in fact do have to wait for Fedora or Ubuntu to update their packages before you can apt-get them. You don't get them immediately. Nobody can force them to hurry up. Not Google, not you. They control the keys to apt-get.

This is because Fedora/Ubuntu/etc can modify the kernel source and the source of any package that goes into their system. They also have to make sure they all work together. Nobody else can do it for them because they don't know what changes they've made or how a change will impact the system as a whole.

Samsung maintains their own distro of Android. They control the kernel source. They control the packages included. They make a LOT of changes to the system. Only Samsung can update the packages they use and only Samsung can push out an update. Nobody can do it for them even if they wanted to.

Re:Because Manufacturers Suck

[swb]

Can you imagine having to wait for, say, Dell to OK to every package for your next "apt-get update"?

Except Dell will do just this if the update has anything to do with hardware, and in most server environments a lot of it does. I've done the dosey doe with Dell on their server platforms with drivers, debating whether my problems are due to the vendor-supplied drivers sucking or whether the Dell-provided drivers six months behind the OEM vendor are at fault.

I think the problem carriers worry about is unapproved software that effects their networks. My guess is this is pretty remote in reality. but shikata ga nai.

Re:Because Manufacturers Suck

[CrashNBrn]

It's unfortunate that HMD Global hasn't announced any plans for the North American market, as the Nokia 6 at only 229 euros would really put the pressure on Lenovo (Motorola) and LG, among a few other manufacturers that release compatible phones in the $250 - $400 mid-range.

Re:Because Manufacturers Suck

Then it shouldn't be allowed to be called Android. It should be Moto Mobile Linux or Samsung Lazerbeam Linux some shit. If google allows them to call their distro Android, it's googles fault.

Re:Because Manufacturers Suck

[FrankHaynes]

I think the problem carriers worry about is unapproved software that effects their networks.

WE HAVE A WINNER!!

Re:Because Manufacturers Suck

[No+Longer+an+AC]

I've got a Motorola Droid Turbo (came out October, 2014).
Android 6 released in October, 2015.
Update available: January 5, 2016.

Thanks, Verizon. Never again.

Re:Because Manufacturers Suck

[No+Longer+an+AC]

Correction. Update available Jauary 5th, 2017.

Dammit!

Re:Because Manufacturers Suck

[sad_]

That is not the same at all, Google make Android they can set their demands.
I can use Fedora or Ubuntu and will have to wait when the distro makes an update available, BUT i will get it when it has been made available NOT depending if it runs on a pc from HP, DELL, ASUS, ACER, ...

Too much hassle

I used to own an Android phone and when i had it my carrier did provide updates. The problem was, there weren't just security updates, I had to upgrade to new versions of Android. There was no 4.4.1, it was jump from 4.4 to 5.0 or nothing. Since each version of Android moves things around, some new versions break old apps and there were battery/performance regressions when I tested 5.0 on another phone, I just decided to keep my main phone running the older version of Android. Getting hacked was less of a concern than dealing with a new version of Android. Rather than I upgrade I eventually switched operating systems.

So it's of little surprise most people are running out of date systems. Android phones often don't get updates and, when they do, it's worse than dealing with an unsecured device.

Not the only problem unfortunately

[Artem+S.+Tashkinov]

Android has a lot more problems than you think and Google does nothing to solve it.

We need a standard ARM platform, just like we've had the x86 platform since roughly 1981. And Google has all the resources to create and enforce it. And since they don't I wonder if they are malicious or negligent or it's just part of their business plan which is called "planned obsolesce". Too bad, in Google's case this obsolesce involves even original Google devices like Nexus 5 (stopped receiving any updates since October 2016) and it will soon be joined by Nexus 6.

That's just horrible.

Android apps will soon be supported on Chrome OS

[SlashGodet]

(says Google.) Now, just how do you integrate insecure privacy nightmares into a sanitary OS? Oh wait, you don't...

Android is the real problem.

Android devices are the worse, as much as I like them... Carriers lock them down, refuse to work/pay for the upgrades with the manufacturer (Sony/T-Mobile Z3+ was the prime example).

Don't blame the users

[rnturn]

It's the vendors. Now we might be outliers, but everybody in my family installs patches whenever they come in. Maybe not immediately but at least later that day, i.e., when we're home and can be sure the phone is fully charged and maybe using WiFi if it looks like there's a lot of patches. When we were using Verizon, our phones were always getting version N when all the news and buzz was all about the newly released version N+1. When we switched carriers, Verizon still had our phones running the previous version of Android.

I mostly blame carriers

[p51d007]

It doesn't fit the business model of carriers & manufactures in the android world. Why update it, when you can just sell gullible people a new one? Most people (I'm in the USA) still think you have to purchase one from a carrier, so when they walk in after hearing their phone is "out of date" given most consumers are well...not very intelligent...will be pushed into a new phone that has the updates already installed. Then, a year from now they will do it all over again.

Too many crap apps

[Jimbo+God+of+Unix]

If I could remove all the crap apps they make me have (yes you too Google, not just V*******), I'd have an up to date phone.

Re: No Shit

[MachineShedFred]

Why is it the carrier's responsibility to patch someone else's handset? The device manufacturers should be making the patches and distributing them via the fucking internet. Let the carrier's be a dumb pipe - it's what they are best at. And if the device manufacturers don't patch their shit, don't buy their shit and go with someone who does.

I've never understood why people think that AT&T or Verizon should be writing and distributing patches for the thousands of shitty phones they sell - Best Buy doesn't make patches for all the shitty laptops and tablets they sell, and neither do the ISPs that connect them to the internet - it comes from the OEM or the OS publisher. In fact, the only retail relationship I can think of where the retailer is responsible for updates to something manufactured by someone else is with cars. And that works sooooo well that we should absolutely replicate that model with phones and tablets....

Mine is one of them

[JustAnotherOldGuy]

Mine is one of them, but it sure as shit isn't my fault.

If my carrier would provide updates I'd install them. If I could get patches I'd install them.

Don't blame me for not buying a new phone every 3 months.

Conflict of Interest

[bsdhacker]

The real problem is a conflict of interest. If all manufacturers provided updates to their phones for 5 years, you could be sure that far fewer phones would be sold each year. So instead they cut off updates to encourage/force consumers to buy new phones more frequently - creating a larger market than it otherwise would be. What we need is a separation of hardware and software so that the hardware can be used until it dies without sacrificing the software security updates.

Kids Panic for the Next New Phone Each Year

[corezz]

I would expect it to be higher than 71%. However, considering how every millenial and gen-z (the biggest consumer of phones) find they can't live unless they have the next (trivial) incremental update to a phone then from a carrier perspective there is no urgency. Especially since the next phone should have the latest android release that includes the latest security patches -- the one they would use prior to filling it with their bloatware. Also, lets not forget that these largest consumers don't care much about their stolen privacy since they share it regularly on FB and other social media. There was a story where a bot could identify people with 80%+ accuracy solely by their publicly available social media posts.

Obligatory: Windows Movile

[blackpaw]

Sure the app situation sucks - if you want them. But the Tiled UI is far superior to the mess that is Android and it is actively updated. If you just want a secure phone with a great camera and text/mail/web and some basic apps, Windows Mobile is the way to go.

Developing for it is pretty easy to.

Re: No Shit

[InvalidsYnc]

And there's the rub. The carrier doesn't want someone else to patch their phones, they want, they NEED control of the devices on their network, but like others have said, they don't really give two hoots after the sale. They will do as little as is needed to keep you a customer. What you don't know doesn't hurt them.

Maybe if I could still root my phone...

[gmiller123456]

Since Google and the carriers record everything I do and are willing to sell it to anyone with a big enough pocketbook, it's hard to say I'm "protected" by having an up to date phone. My only real hope is to never patch and hope to root it some day so that I can actually protect it myself.