Google released its Android Security 2016 Year In Review report yesterday and it threw up some very interesting perspectives.
The most interesting one, and also the most controversial, is that just 50% of all Android devices received a security update last year. While we could spend hours debating whether that is good or bad news, here is the industry perspective on it.
Chris Hodson, EMEA CISO at Zscaler
‘While some may argue that only half of all Android devices receiving a security update in the past year is nowhere near enough, it’s important to remember that Rome wasn’t built in a day. Cyber security is iterative and 50 per cent shows a dramatic increase compared to previous years. This is likely as a direct result of the prioritisation of security updates from phone carriers and the “over-the-air” update process of Android 7.0, which streamlined the boot-up process.
‘With BYOD well and truly entrenched in the modern organisation, the importance of securing devices which may connect to the corporate network becomes critical. Unfortunately, you cannot patch user awareness. Security updates are just one part of the solution, as without education and awareness, gaps will remain and threats will persist.
‘This user education should extend beyond just the need for security updates but also to highlight the dangers of third party app stores and the installation of applications with overly permissive rights. The Google report, as well as our own Threatlabz research, shows that most malware comes from third party app stores.
‘Reports such as this one serve as a valuable benchmark for the industry and increase collaboration and discussion. While there is still some way to go, shifting from 10 per cent to 50 per cent in a 12-month period is a metric any CISO would be proud of.’
David Kennerley, Director of Threat Research at Webroot
‘The report might show that half of Google’s devices are patched as an improvement on previous years, but it really isn’t enough.
‘Android devices account for two thirds of devices globally, which means that a third of the world’s mobiles aren’t secure. This combined with the fact in our own research we’ve found Android apps pose a five-times-greater threat than others, then it really isn’t a pretty picture.
‘There’s no single solution to this issue, we continue to witness malicious apps appearing on Google’s official Play Store, though this should always be seen as the safest method to download new apps rather than third party stores. Malicious apps target older versions of Android, so people with older devices or those who have not updated their software are most at risk of being affected.
‘The Android Stagefright vulnerability served as a huge wake-up call and in many ways forced Google into the real world with regards to a more responsive and transparent patching lifecycle. It’s great that a number of phone manufacturers are now partnering with Google in the releasing of timely updates thereby improving security.
‘But the fact is, Android is still lagging far behind iOS in terms of security, the app stores are not as stringent and hackers tend to focus efforts on Android as it’s known as the weaker link.