About six weeks ago Duo Security released its X-Ray app, developed with funding from DARPA, which scans an Android device for known security vulnerabilities. These vulnerabilities, which include privilege escalation bugs and flaws that allow Android's internal security controls to be bypassed, leave your device open to attack by malicious apps that gain root access and perform restricted actions.
Now, after six weeks of gathering data, Duo Security is ready to publish its preliminary findings. The full disclosure of these early results will be made today at Rapid7's United Summit conference in San Francisco; however, Jon Oberheide of Duo Security did publish one startling statistic: of the 20,000 scans performed worldwide, over half of Android devices have unpatched vulnerabilities.
Of course the big question is, who is responsible for fixing these issues? And here lies the weakness in the fragmented Android ecosystem. For sure, Google writes the code and needs to fix the bugs. Actually it already has, a long time ago. I performed an X-Ray scan on three devices, two running Android 4.0 Ice Cream Sandwich and one running Cyanogenmod 7 (based on Android 2.3.7). The two Android 4.0 devices reported no vulnerabilities, meaning that Google has fixed the bugs, but my Android 2.3.7 phone is vulnerable to Zergrush (a vulnerability in Android’s libsysutils that allows an attacker to overwhelm the system with command arguments and gain root access).
But there are no more updates available for the 2.3.7 Android phone. I got it from my local mobile phone operator (Orange) and it originally had Android 1.6 on it! Orange then released an update to Android 2.1 and that was it. I put Cyanogenmod 7 on the device but that is as far as it goes. In the Apple ecosystem it is the engineers at Cupertino who fix and supply updates to iOS for everyone, all over the world, all at the same time. But in the Android ecosystem, Google makes a change to the code and that then has to filter through to the carriers and/or the manufacturers, who then publish updates for the phones. Often older phones (anything older than 18 months) are just left to rot.
Don’t get me wrong, Apple also abandon their customers. Remember the rush to go out and buy an iPad? Well, original iPad owners can’t upgrade to iOS 6, only those with an iPad 2 or “new iPad.” It is a similar story with the original iPhone and the iPhone 3G with regard to previous versions of iOS. The really odd thing is that iOS 6 will be available for the iPhone 3GS! Confused much? So are we.
Back to X-Ray: Jon Oberheide has promised a follow-up blog post next week detailing the full results, the statistical methodology, and what the team are planning for X-Ray in the future.
Do these numbers worry you? Do you think the carriers and manufacturers are abandoning customers with older phones and leaving them open to attacks by hackers? Leave a comment below.