A recently published paper by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) has outlined the security concerns the two government agencies have about the use of Android by emergency service personnel including the police and the fire department.
In an unclassified report marked “for official use only,” the Office of Intelligence and Analysis, Cyber Intelligence Analysis Division, along with the National Protection and Programs Directorate, US Computer Emergency Readiness Team, recognizes Android as the “world’s most widely used mobile operating system” and points out that its popularity makes it a primary target for malware attacks.
Of particular worry to the report authors, who coordinated their work with the FBI, is the fact that one third of Android phones still use Android 2.3.3 through 2.3.7. The report actually says 40%, but I will let that slide for the moment. Unfortunately, all these versions have known security weaknesses, which have been fixed in later versions of Android but remain in the older ones.
The report suggests that federal, state, and local authorities need to make sure that the OS on their mobile devices is “patched and up-to-date.” It then goes on to outline the current security threats for Android users, including SMS Trojans (which send premium-rate SMS messages), rootkits and fake apps.
While all this is true and better upgrades from carriers and handset manufacturers is something we at Android Authority have long called for, the idea that government agencies are somehow using devices for which upgrades are available but haven’t been installed is frankly laughable. Telling the various Police, Fire and EMS departments to make sure that their devices are patched and up-to-date shows a complete lack of understanding about the availability of such patches and updates.
Further discrediting the report, the authors suggest that Android’s popularity among malware writers is due not only to its market share but also to its “open source architecture.” I will resist being too scathing, but the open source nature of any software including Linux (which the NSA uses) has never been seen as detrimental to system security.
On the plus side, the report does call for the use of security software, including tools that can scan for rootkits. It also points out that apps should only be installed from Google Play over reliable networks which are unlikely to have been spoofed by malware writers.
The sad thing is that such a paper could have called for government agencies to start using suppliers which have a good history of providing updates and patches. It could have named and shamed some suppliers who don’t provide long-term support for their devices, and it could have recommended the use of Google’s Nexus range of products or the Google Play Edition line-up, all of which receive prompt updates.