Posted by: David Harley | October 14, 2015

Android security updates: availability versus application

When it comes to evaluating Android security, we tend to assume that there’s a clear disparity between the availability of patches and the effectiveness with which individual vendors deliver those patches to devices that have already been purchased. And research by Daniel R. Thomas, Alastair R. Beresford and Andrew Rice – Security Metrics for the Android Ecosystem – seems to bear out that assumption.

“Using a corpus of 20 400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators.”

The researchers assert that out of 11 critical vulnerabilities in the public domain over the past five years, 87.7% of Android devices were, on average, exposed, and that (also on average) devices are patched 1.26 times per year.

However, they admit that they cannot distinguish between devices which are running a known-vulnerable version of Android and devices that might have received a backported fix.

I’ve seen it projected that the anti-malware market will grow to 5.7 billion dollars by 2020. Just saying… (And no, that doesn’t mean that anti-malware is a replacement for patching and updates.)

David Harley

