Slashdot Mirror


71 Percent of Android Phones On Major US Carriers Have Out of Date Security Patches (betanews.com)

Ian Barker, writing for BetaNews: Slow patching of security flaws is leaving many US mobile users at risk of falling victim to data breaches, according to the findings of a new report. The study from mobile defense specialist Skycure analyzed patch updates among the five leading wireless carriers in the US and finds that 71 percent of mobile devices still run on security patches more than two months old. This is despite Google releasing Android patches every month; indeed, six percent of devices are running patches that are six or more months old. Without the most updated patches, these devices are susceptible to attacks, including rapidly rising network attacks and new malware, also detailed in the report.

21 of 103 comments

  1. Only 71%??? by Anonymous Coward · · Score: 2, Insightful

    I find it hard to believe that 29% of android devices have ALL the available security patches installed and are running a current version.

    1. Re:Only 71%??? by SeaFox · · Score: 2

      Those are probably owned by iPhone users.

      The 29% of Android devices with all security patches are iPhone users? Okay...

  2. I get no updates from my carrier by imidan · · Score: 4, Informative

    I have a Galaxy S4 on AT&T. I just checked, and it's at Lollipop 5.01 and says its "Android security patch level" is 2015-11-01. Nevertheless, when I push the software update button, AT&T assures me that my current software is up to date. Apparently, 5.01 is the latest version available for an S4, but what about security patches? Are they just done making them? Was AT&T planning on telling me that?

    I guess I'm a bad consumer, using a four year old phone.

    1. Re: I get no updates from my carrier by Anonymous Coward · · Score: 2, Insightful

      Who the fuck should supply the updates then? Apple did it right, you either let us update the phones or fuck off. Too bad Google and all the other Android creators don't have a god damn spine.

  3. Flaw of the Android Ecosystem by CrashNBrn · · Score: 5, Insightful

    That the end-user can't get basic Android updates directly is Android's major flaw. OEMs should have been required to support the AOSP and any changes should have been done via extensions to the AOSP. Thus any device could easily stay updated for at least their current major version of Android.

    1. Re:Flaw of the Android Ecosystem by Anonymous Coward · · Score: 4, Insightful

      There is a lot of blame to go around.

      For Google's part, they need to put more pressure on the carriers. Same with the handset manufacturers.

      Apple has managed to exert enough pressure on the carriers to be allowed to issue updates directly without the carrier as middleman.

      Obviously there are some political issues at play - carriers would rather have more control, but I think a company like Samsung or Google has enough leverage at this point. It seems they don't want to make waves.

    2. Re:Flaw of the Android Ecosystem by tepples · · Score: 3, Insightful

      If it were entirely a carrier issue, then unbranded GSM/UMTS/LTE phones would have been patched more often and longer, as would have Wi-Fi-only tablets.

  4. Re:I am very skeptical. by XxtraLarGe · · Score: 3, Interesting

    I highly doubt that 29% of Androids are up to date.

    This is just major carriers. Imagine how many unpatched Androids are out there on Boost, Cricket, Tracfone, etc. My wife has an Android on Tracfone and never had a security update notification.

    --
    Taking guns away from the 99% gives the 1% 100% of the power.

  5. Because Manufacturers Suck by organgtool · · Score: 4, Insightful

    We're running old software because the manufacturers don't care about us after they've gotten our money. My experience with the Motorola G4 is a prime example of this. The phone came out in May 2016 with Android 6. Android 7 was released in August 2016, just three months after my phone was released, and I still don't have any update available for my phone despite the fact that Android 7 has been out for seven months! The worst part is that the OS on the G4 is practically stock Android, so it should take relatively little effort to customize the image and push it out. It seems the only way to guarantee access to new versions of Android is to buy a Google phone but the Pixel has one of the worst performance to price ratios of any Android phone. At this point, I have no idea what my next phone will be, but I have a lot of ideas about what it won't be.

    1. Re:Because Manufacturers Suck by Anonymous Coward · · Score: 5, Insightful

      Microsoft, Apple and Linux distros, that is, the majority of the OS vendors, manage to provide a mechanism to keep your system up to date independently of the hardware vendors and other "third parties". This support even extends to multiple architectures in some cases: x86 is the most common, but ARM is also becoming common (on Linux, you have even more: POWER, MIPS, etc).

      Can you imagine having to wait for, say, Dell to OK every package for your next "apt-get update"? Or for Toshiba to give Microsoft the OK for them to make an OS update available to you?

      No, you can't. But this is the situation we have with Google. And people accept this for some reason. They even excuse it on Google's behalf, because they are so great (despite not being able to do what a bunch of "freeloading" "amateurs" can do on a shoestring budget).

      There is no reason why operating system and user space upgrades need to be tied to the manufacturer. None.

      This situation is Google's fault and no one else's.

    2. Re:Because Manufacturers Suck by James Carnley · · Score: 2, Informative

      There is no reason why operating system and user space upgrades need to be tied to the manufacturer. None.

      This situation is Google's fault and no one else's.

      You have no idea how Android, the Linux kernel, or open source software works. I guess that's why you're hiding behind AC.

      Each manufacturer is akin to a different distro of Linux. You in fact do have to wait for Fedora or Ubuntu to update their packages before you can apt-get them. You don't get them immediately. Nobody can force them to hurry up. Not Google, not you. They control the keys to apt-get.

      This is because Fedora/Ubuntu/etc can modify the kernel source and the source of any package that goes into their system. They also have to make sure they all work together. Nobody else can do it for them because they don't know what changes they've made or how a change will impact the system as a whole.

      Samsung maintains their own distro of Android. They control the kernel source. They control the packages included. They make a LOT of changes to the system. Only Samsung can update the packages they use and only Samsung can push out an update. Nobody can do it for them even if they wanted to.

    3. Re:Because Manufacturers Suck by Anonymous Coward · · Score: 2, Insightful

      Then it shouldn't be allowed to be called Android. It should be Moto Mobile Linux or Samsung Lazerbeam Linux or some shit. If Google allows them to call their distro Android, it's Google's fault.

  6. Re:I am very skeptical. by swillden · · Score: 3, Interesting

    I highly doubt that 29% of Androids are up to date.

    Keep in mind that the security patch level field was added in Android Marshmallow (IIRC), and I expect that's what they're using to determine patch date. If so, KitKat and Lollipop devices aren't counted, and this really says that 29% of Android devices that are new enough to have Marshmallow or Nougat are up to date. That's not surprising, though it's obviously still far too low.

    Unless, of course, the report assumes that anything running Lollipop or older is not recently patched, which seems like a reasonable assumption.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  7. Not the only problem unfortunately by Artem S. Tashkinov · · Score: 4, Interesting

    Android has a lot more problems than you think and Google does nothing to solve it.

    We need a standard ARM platform, just like we've had the x86 platform since roughly 1981. And Google has all the resources to create and enforce it. And since they don't, I wonder if they are malicious or negligent or it's just part of their business plan which is called "planned obsolescence". Too bad, in Google's case this obsolescence involves even original Google devices like Nexus 5 (stopped receiving any updates since October 2016) and it will soon be joined by Nexus 6.

    That's just horrible.

  8. Re:I'm in the 29% by Anonymous Coward · · Score: 2, Interesting

    I've never had bad guys or bad software infect my phone but I'm pretty sure that each "update" from Google grabs more and more of my personal data and sells it to the highest bidder. Exactly who/what are these updates protecting us from?

  9. Re:I'm in the 29% by whoever57 · · Score: 4, Insightful

    By "up to date", do you mean that you have the latest firmware installed, or that the firmware that is installed has all the security fixes to Android that Google has issued?

    IOW, are you sure your phone hasn't been orphaned?

    --
    The real "Libtards" are the Libertarians!

  10. Don't blame the users by rnturn · · Score: 3, Interesting

    It's the vendors. Now we might be outliers, but everybody in my family installs patches whenever they come in. Maybe not immediately but at least later that day, i.e., when we're home and can be sure the phone is fully charged and maybe using WiFi if it looks like there's a lot of patches. When we were using Verizon, our phones were always getting version N when all the news and buzz was all about the newly released version N+1. When we switched carriers, Verizon still had our phones running the previous version of Android.

    --
    CUR ALLOC 20195.....5804M

  11. I mostly blame carriers by p51d007 · · Score: 4, Insightful

    It doesn't fit the business model of carriers & manufacturers in the Android world. Why update it, when you can just sell gullible people a new one? Most people (I'm in the USA) still think you have to purchase one from a carrier, so when they walk in after hearing their phone is "out of date" given most consumers are well...not very intelligent...will be pushed into a new phone that has the updates already installed. Then, a year from now they will do it all over again.

  12. Re: I'm in the 29% by thundercattt · · Score: 2

    My work phone is still running 4.4.1. It has NEVER been offered an update ever. Samsung took the money and ran with this one. Personal phone being Nexus, updated monthly.

  13. Mine is one of them by JustAnotherOldGuy · · Score: 3, Informative

    Mine is one of them, but it sure as shit isn't my fault.

    If my carrier would provide updates I'd install them. If I could get patches I'd install them.

    Don't blame me for not buying a new phone every 3 months.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  14. Conflict of Interest by bsdhacker · · Score: 2

    The real problem is a conflict of interest. If all manufacturers provided updates to their phones for 5 years, you could be sure that far fewer phones would be sold each year. So instead they cut off updates to encourage/force consumers to buy new phones more frequently - creating a larger market than it otherwise would be. What we need is a separation of hardware and software so that the hardware can be used until it dies without sacrificing the software security updates.