Android smartphones from Samsung, HTC and Motorola dominated a "Dirty Dozen" list of insecure phones because carriers were not pushing out OS updates in a timely manner.

Security firm Bit9 on Nov. 21 released its "Dirty Dozen" list of insecure
smartphones. The list focused on Android smartphones because approximately 56
percent of Android phones in the marketplace are running out-of-date and
insecure versions of the mobile operating system, Harry Sverdlove, CTO of Bit9,
said.

Manufacturers Samsung, HTC, Motorola and LG are slow to upgrade these phones to
the latest and most secure version of Android, Bit9 said in its report. The
manufacturers are focused on pushing out the latest new models every few
months, but users are generally locked into two-year contracts, Sverdlove said.
Wireless carriers and manufacturers don't bother to support users on older
handsets because it's in their financial interest to have users keep buying new
handsets, he said.

Service carriers and smartphone manufacturers have thus far failed to
effectively handle the software update process, causing unbelievable
fragmentation in the Android ecosystem, Sverdlove said.

On the Dirty Dozen list are the Samsung Galaxy Mini, HTC Desire, Sony Ericsson
Xperia X10, Sanyo Zio, HTC Wildfire, Samsung Epic 4G, LG Optimus S, Samsung
Galaxy S, Motorola Droid X, LG Optimus One, Motorola Droid 2 and HTC Evo 4G.
Bit9 looked at phones having the highest market share, running out-of-date
Android and having the slowest update cycles.

The most secure were the Samsung Nexus X, HTC Droid Incredible, Samsung Galaxy S2,
HTC Sensation and the T-Mobile G2. Even though the Nexus is made by Samsung,
Google controls the handset entirely, so Nexus owners receive updates almost
instantly, Bit9 said. The T-Mobile G2 was originally launched with Froyo a year
ago, but T-Mobile has pushed out several updates over the air to its users.

The Samsung Galaxy Mini was called out specifically because it was released in
April with a version of Android that was already almost a year out-of-date.
Instead of running Gingerbread (2.3.3 or 2.3.4), which was already available,
Samsung launched the phone running the older Froyo (2.2), according to Bit9.
Samsung took 316 days to patch the Galaxy Mini after Google released an Android
update, and Motorola took 141 days to update the Droid X.

The goal of the list was not to gang up on Android, since "all operating
systems have vulnerabilities," Sverdlove said, noting that iOS has more
reported issues than Android in the National Vulnerability Database. But the
true test of security is how quickly and effectively the OS gets fixed, and
that's where manufacturers and carriers are failing when it comes to Android,
according to Sverdlove.

The iPhone 4 and older models were given an "honorable mention" at No. 13
because, up until iOS 5 and the iPhone 4S, users had to physically connect
their devices to a computer and launch a manual update. Practically no one ever
docked their phones on the computer, and very few people ever bothered to
download and install the various security updates issued by Apple, Sverdlove
said. The iOS 5 update, which gives users access to iCloud, was often the first
time longtime iPhone owners had ever tried the update process. The over-the-air
update process introduced in iOS 5 will make it much easier for iPhone and iPad
owners to stay up-to-date from this point on, Sverdlove said.

Bit9 placed the blame for these insecure phones squarely on phone manufacturers and
wireless carriers, not Google or the end users, for not releasing timely
updates and for adding new features to their versions, which often delays the
updates even further. Carriers that released updates via their support forums
were also criticized because users shouldn't have to jump through hoops to
update their devices, according to Bit9. Users should just have to hit
"OK" to approve updates and receive them over the air, Sverdlove said.

The Android ecosystem is analogous to "buying a computer from Dell and
expecting Dell to work with the Internet service provider to coordinate Windows
updates," Sverdlove said.