LG Top OEM for Issuing Security Patches to Its Android Devices
The paper, by Daniel R. Thomas, Alastair R. Beresford, and Andrew Rice, reveals a major disconnect between the Android OS providers and the device manufacturers.
Indeed, the published paper suggests that LG is in fact the most security-minded OEM on the Android platform.
We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10.
The team argues that this puts user privacy at risk and will ultimately lead to phones becoming riddled with malware and viruses.
“Our hope is that by quantifying the problem we can help people when choosing a device and that this in turn will provide an incentive for other manufacturers and operators to deliver updates,” Beresford wrote. Many manufacturers never release these updates, preventing people from getting the protection they should be entitled to. Researchers used the Device Analyzer app to gather data from over 20,000 gadgets in their study. The average Android smartphone receives 1.26 security updates each year, which contradicts the monthly updates OEMs promised a couple of months ago when the Stagefright vulnerability came into the spotlight. Of course, with the more frequent rollout promised, this may change soon.
The core problem at the heart of Android is the lack of updates to consumers’ handsets after purchase. However, the efforts of Samsung and LG only go so far, and most other manufacturers have yet to follow suit. Mackenzie last week tweeted that pushing out monthly security updates to all the HTC smartphones is “unrealistic”. The manufacturer has to customize each update to work with its own software and then send it for approval to the networks that offer the phone.
Not all Android phones are equal, however, with the study finding that Google Nexus devices are the most secure Android devices as they run stock Android installs that don’t rely on manufacturers or telcos to issue patches. Comparing OEMs, LG sits at the top with a FUM score of 4.0. “The total risk to users from the higher scoring popular manufacturers is higher than the risk from the lower scoring unpopular manufacturers,” the study reads.
“The difficulty is that the market for Android security today is like the market for lemons,” the researchers explained. The FUM score looks at the proportion of devices free from known critical vulnerabilities, the proportion of devices updated to the most recent version, and the number of vulnerabilities that have not been fixed on any device.