University of Cambridge’s latest research into Security Metrics for the Android Ecosystem (pdf) has had the technical (and non-technical) media writing about Android security over the last few days.
Most of the research findings were already known. That is, the security of Android “depends on the timely delivery of updates to fix critical vulnerabilities” and “the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers”. However, one interesting fact is that, ignoring Nexus devices, LG is the best manufacturer when it comes to updates.
So what are the vulnerabilities? The most serious ones are privilege escalation flaws, which allow code to gain more capabilities than the OS originally granted it. For more information on this, take a look at a recent presentation from HITB GSEC by Ryan Welton and Marco Grassi on the Current State of Android Privilege Escalation (pdf).
Frederic Jacobs has an interesting article on Medium where he says the problem has come about due to manufacturers having no financial incentives to provide updates.
However, we probably need to put this into perspective. As Markus Vervier said today, “100% of Android and 100% of iOS devices are insecure. We just did not find all the bugs yet (and we never will).”