Carriers, Manufacturers Called Out for Failing to Update Android Phones

Android smartphones from Samsung, HTC and Motorola dominated a "Dirty Dozen" list of insecure phones because carriers were not pushing out OS updates in a timely manner.

Security firm Bit9 on Nov. 21 released its "Dirty Dozen" list of insecure smartphones. The list focused on Android smartphones because approximately 56 percent of Android phones in the marketplace are running out-of-date and insecure versions of the mobile operating system, Harry Sverdlove, CTO of Bit9, told eWEEK.

Smartphone manufacturers Samsung, HTC, Motorola and LG are slow to upgrade these phones to the latest and most secure version of Android, Bit9 said in its report. The manufacturers are focused on pushing out the latest new models every few months, but users are generally locked into two-year contracts, Sverdlove said. Wireless carriers and manufacturers don't bother to support users on older handsets because it's in their financial interest to have users keep buying new handsets, he said.

Wireless service carriers and smartphone manufacturers have thus far failed to effectively handle the software update process, causing unbelievable fragmentation in the Android ecosystem, Sverdlove said.

On the Dirty Dozen list are the Samsung Galaxy Mini, HTC Desire, Sony Ericsson Xperia X10, Sanyo Zio, HTC Wildfire, Samsung Epic 4G, LG Optimus S, Samsung Galaxy S, Motorola Droid X, LG Optimus One, Motorola Droid 2 and HTC Evo 4G. Bit9 looked at phones having the highest market share, running out-of-date Android and having the slowest update cycles.

The most secure were the Samsung Nexus X, HTC Droid Incredible, Samsung Galaxy S2, HTC Sensation and the T-Mobile G2. Even though the Nexus is made by Samsung, Google controls the handset entirely, so Nexus owners receive updates almost instantly, Bit9 said. The T-Mobile G2 was originally launched with Froyo a year ago, but T-Mobile has pushed out several updates over the air to its users since then.

The Samsung Galaxy Mini was called out specifically because it was released in April with a version of Android that was already almost a year out-of-date. Instead of running Gingerbread (2.3.3 or 2.3.4), which was already available, Samsung launched the phone running the older Froyo (2.2), according to Bit9. Samsung took 316 days to patch the Galaxy Mini after Google released an Android update, and Motorola took 141 days to update the Droid X.

The goal of the list was not to gang up on Android, since "all operating systems have vulnerabilities," Sverdlove said, noting that iOS has more reported issues than Android in the National Vulnerability Database. But the true test of security is how quickly and effectively the OS gets fixed, and that's where manufacturers and carriers are failing when it comes to Android, according to Sverdlove.

The iPhone 4 and older models were given an "honorable mention" at No. 13 because, up until iOS 5 and the iPhone 4S, users had to physically connect their devices to a computer and launch a manual update. Practically no one ever docked their phones on the computer, and very few people ever bothered to download and install the various security updates issued by Apple, Sverdlove said. The iOS 5 update, which gives users access to iCloud, was often the first time longtime iPhone owners had ever tried the update process. The over-the-air update process introduced in iOS 5 will make it much easier for iPhone and iPad owners to stay up-to-date from this point on, Sverdlove said.

Bit9 placed the blame for these insecure phones squarely on phone manufacturers and wireless carriers, not Google or the end users, for not releasing timely updates and adding new features to their versions, which often delays the updates even further. Carriers that released updates via their support forums were also criticized because users shouldn't have to jump through hoops to update their devices, according to Bit9. Users should just have to hit "OK" to approve updates and receive them over the air, Sverdlove said.

The Android ecosystem is analogous to "buying a computer from Dell and expecting Dell to work with the Internet service provider to coordinate Windows updates," Sverdlove said.