University of Cambridge study: 87% of Android devices are insecure, LG is most secure OEM


We didn’t need a deep study and hard numbers to know that many Android devices are exposed to vulnerabilities. The multiple Stagefright threats were enough to get us to see that much.

But here it is, anyway: the University of Cambridge has released a study that shows 87% of Android devices are found to be insecure up against at least 1 of 13 critical vulnerabilities. Their model, method and data can be perused in the study’s whitepaper here, but the gist of it is that they monitored data from over 20,000 Android phones and cross-checked their Android version and build numbers with 13 vulnerabilities dating back to 2010. They then used the data to categorize each phone — secure, insecure or maybe secure (that last one meaning that it’s possible the phone could have gotten a special fix that wasn’t part of a full system update).

cambridge android vulnerabilities

Cambridge believes that the responsibility for such a poor state of things falls with manufacturers. Their main point is that the OEMs could be doing more to make sure the user knows there are updates available for their devices, even going as far as “pestering” them or eventually forcing them to take the updates.

OEMs alone can’t be at fault. Carriers have a big say in update distribution too, particularly in the United States where each carrier employs a testing procedure that can add weeks or even months to update timelines. Consider AT&T, who is only just now starting to deliver Android 5.1 Lollipop to their Galaxy S6 customers despite Samsung making the update available for unlocked models since early summer. Of course, we’re not sure how much of the blame sits with who exactly, but it’s not 100% either way.


Despite this, Cambridge’s hope is to encourage OEMs to improve their standing in a “FUM” metric they’ve come up with. A FUM score is comprised of three different components:

  • f the proportion of devices free from known critical vulnerabilities.
  • u the proportion of devices updated to the most recent version.
  • m the number of vulnerabilities the manufacturer has not yet fixed on any device.

The scale for said metric is 1 to 10, with 10 being most secure and 1 being least. As you’d expect, Google’s Nexus devices are at the top, though with a FUM score of 5.2 it’s technically slightly above average. Comparing OEMs, LG sits at the top with a FUM score of 4.0. Motorola is at 3.1, Samsung comes in at 2.7, Sony at 2.5 and HTC at 2.5.

When considering those numbers, you should take into account that this study included devices which may be outside the new 18-24 months commitment period that OEMs have implemented for delivering updates and critical security patches. The Nexus score, for instance, might even still be influenced by any Galaxy Nexus or Nexus 4 devices — which Google has not committed to supporting — still roaming out and about.

HTC One M8 system update DSC06841

All of that is to say it’s possible the overall situation will improve for newer devices, and Cambridge will be working to keep FUM scores updated across the board as Google and the OEMs’ new security initiative settles in. You can find the latest scores at their website right here if you’re interested in keeping tabs on all of it.

This problem isn’t going to be solved overnight, folks, but studies like these and the initiative Google took to turn things around should have a snowballing effect as more devices are launched and the importance of smartphone security becomes magnified more than ever. Let’s hope OEMs can stay committed, and fingers crossed that carriers release (or, at the very least, loosen) the death grip they have on the firmware distribution process so users can live with the peace of mind that their smartphone won’t be left in the dark a few short months after buying it.

[via ArsTechnica]

Quentyn Kennemer
The "Google Phone" sounded too awesome to pass up, so I bought a G1. The rest is history. And yes, I know my name isn't Wilson.

You can launch the camera on the Nexus 6P and Nexus 5X by double twisting your wrist

Previous article

Developers can now easily create ad campaigns for their apps right from Google Play

Next article

You may also like


Leave a reply

Your email address will not be published. Required fields are marked *

More in Misc