Bit9 highlighted the most vulnerable popular smartphones in use today. The devices on the list pose the most serious security and privacy risk to consumers and corporations.
In the report, Android phones own the list, accounting for every single spot, 1-12, in the “Dirty Dozen” list of most vulnerable mobile devices, with the Samsung Galaxy Mini taking the top spot and the HTC Desire and Sony Ericsson Xperia X10 rounding out the top three.
Fifty-six percent of Android phones in the marketplace today are running out-of-date and insecure versions of the Android operating system software. The study found that smartphone manufacturers such as Samsung, HTC, Motorola and LG often launch new phones with outdated software out of the box, and that they are slow to upgrade these phones to the latest and most secure versions of Android.
In some cases, the phones are not updated at all, as the manufacturers shift their focus to newer models, leaving existing customers stranded with insecure software.
“Smartphones are the new laptop and represent the fastest emerging threat vector,” said Harry Sverdlove, CTO of Bit9. “In our bring-your-own-device work culture, people are using their smartphones for both personal and business use, and attacks on these devices are on the rise. This dynamic is changing the way corporations think about protecting their confidential data and intellectual property. This is the new security frontier.”
The “Dirty Dozen” + 1 list includes:
1. Samsung Galaxy Mini
2. HTC Desire
3. Sony Ericsson Xperia X10
4. Sanyo Zio
5. HTC Wildfire
6. Samsung Epic 4G
7. LG Optimus S
8. Samsung Galaxy S
9. Motorola Droid X
10. LG Optimus One
11. Motorola Droid 2
12. HTC Evo 4G
Coming in at number 13, as an honorary mention, is the Apple iPhone 4 and older models. The list was based on the smartphones with the highest market share that were running out-of-date and insecure software and that had the slowest update cycles.
The trend of prioritizing form and functionality over security in the mobile space has serious ramifications for both consumers and corporations. Mobile phone users only use their devices as traditional phones about three percent of the time, illustrating that these devices are essentially the next generation of portable computers. Today, smartphones contain personal and confidential business information, and both consumers and companies need to be confident that their data is secure.
The majority of smartphones worldwide are running the Android operating system. The open nature of the platform has enabled both innovation and creativity in the mobile space. However, the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment where it can take several months for important updates to be distributed, if they are distributed at all. At the heart of the issue is that providing software updates for Android phones is currently the responsibility of the individual hardware vendors together with their various carriers.
This would be akin to buying a PC from Dell and relying on Dell to coordinate with your home Internet provider, instead of Microsoft, to update your Windows software. With so many PC makers and Internet providers, the result would be a complete fragmentation of the market, with different computers running different versions of Windows depending on where their owners bought them and where they live. That is exactly what has occurred within the Android smartphone market.
In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone.
While there are no easy answers, the following actions would help the situation:
- Security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritizing security updates.
- Much like the PC industry, the manufacturers could relinquish control of the operating system software updates. This process has already been implemented with the Apple iPhone and Google Nexus phone.
- Corporations need to evolve to a “secure app store” model and allow only specific devices and trustworthy applications into their environment.
In the meantime, companies must be very aware of the challenges that come with allowing workers to bring their own devices (BYOD). The ability to understand where vulnerabilities exist, and to have some control over mitigating those risks, is critical for corporations. As the current Android ecosystem makes this task daunting, if not impossible, companies need to consider strategies to either restrict certain devices or control them entirely in order to protect their intellectual property.