NOTE: This is a bit of a rant on my part, but I will get to the good stuff further down. Sorry, but I think the subject is important.
While the fact that Google is finally trying to counter Apple's various ad campaigns, such as their CES ad and their March Madness campaign ("if privacy matters in your life, it should matter to the phone your life is on"), is a good thing, it does not really solve the problem.
Android 9 (P, or Pie) was released in March of last year. Here is the most recent distribution of Android versions on active phones:
[Chart: distribution of Android versions on active phones. Android Pie is the light blue segment at the top of the last three bars and is a tiny percentage of the market.]
As of January, roughly 2% of phones are still running Android 4, almost 5% are running Android 5, 10% are running Android 6, 21% are running Android 7, 54% are running Android 8 and only 5% are running Android 9.
Android 4.4, the last version of Android 4, was released in 2013; Android 5 in 2014, Android 6 in 2015, Android 7 in 2016 and Android 8 in 2017.
All versions of the Android OS before version 7 are no longer supported and will never have security holes fixed. That means around 20% of the Android phones out there are unsupported, and when Android 10 is released this summer that number will rise as Android 7 support is discontinued.
While companies have been (sort of) good about getting rid of unsupported Windows OSes (like Windows XP), they have been much less active in stomping out unsupported phone OSes.
As employees move more and more to using their mobile devices as a true computing device, this is becoming a bigger security challenge for all companies – one that most companies have been ignoring. THE SINGLE BIGGEST UPCOMING THREAT TO COMPANY DATA IS OLD, UNPATCHED MOBILE DEVICES. This is especially true in regulated industries where very sensitive financial, health and national security data is accessed.
Apple has been very good about upgrading their phones to the current iOS version, supporting iPhones from the current iPhone X all the way back to the iPhone 5S and pretty much shoving the new releases down their users' collective throats, whether users are happy about the results or not (older iPhones typically run slower with the newer releases). But, at least, those phones are as secure as Apple knows how to make them.
But for Android phones, there are WELL over 1,000 MANUFACTURERS of Android phones and likely WAY over 10,000 phone models in use.
Add to this Android's fractured release distribution model. Users, other than Pixel users, do not get their software updates from Google the way Apple users get theirs from Apple. Rather, they have to wait for Google to release fixes, for their phone vendor to tweak them and for their phone carrier to actually push them down.
Many phone vendors never release patches at all, and that does not seem to be much of a decision-making consideration on the part of users (and really shouldn't have to be).
The Fortune 100 and the carriers could change this pretty quickly (as in: we are not going to sell your phone, and we are not going to buy your phone, unless you release monthly patches), but that has not happened yet.
Google is trying hard to improve this. Last year they made two changes. First, they layered the operating system so that they can make (security) changes below a certain layer without affecting the Android apps that carriers get paid to install on your phone. Second, they began to require phone manufacturers to release patches a few times a year for two years.
While this is an improvement, many people (most people?) keep phones for more than two years and don’t buy those phones on the date they were released, so while this is a start, it is not a solution.
Companies need to understand that this is a risk and decide what their company policies are going to be regarding allowing users to access company data using phones that are vulnerable and unpatched. For companies that are subject to regulations such as HIPAA or NIST SP 800-171, this is a violation of the regulation and could possibly get the company fined.
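One way to turn that policy decision into something a company can actually enforce is to check each enrolled device against a support cutoff and a maximum patch age. The following is an added example, not code from the original post or from any MDM vendor; the inventory format, the `AS_OF` date, the 90-day patch-age limit and the sample devices are all constructed here for illustration. The version cutoff (Android 7) and the January distribution figures are the post's own.

```python
"""Added example: a minimal out-of-policy check for an Android device inventory.

Assumptions (not from the post): each device record carries its Android major
version and its security patch level date (the "Android security patch level"
shown under Settings > About phone), and policy treats a device as out of
policy if its major version is below MIN_SUPPORTED_MAJOR or its patch level is
older than MAX_PATCH_AGE_DAYS. The sample inventory is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Policy knobs. The cutoff follows the post; the 90-day limit is an assumed value.
MIN_SUPPORTED_MAJOR = 7
MAX_PATCH_AGE_DAYS = 90

# Constructed "today" for the examples below.
AS_OF = date(2019, 4, 1)


@dataclass
class Device:
    name: str
    android_major: int
    patch_level: date


def evaluate(device: Device, today: date = AS_OF,
             min_major: int = MIN_SUPPORTED_MAJOR,
             max_age: int = MAX_PATCH_AGE_DAYS) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if device.android_major < min_major:
        findings.append(
            f"unsupported OS: Android {device.android_major} (< {min_major})")
    age_days = (today - device.patch_level).days
    if age_days > max_age:
        findings.append(
            f"stale patch level: {device.patch_level} is {age_days} days old (> {max_age})")
    return findings


def out_of_policy_share(devices: List[Device], today: date = AS_OF) -> float:
    """Fraction of the inventory with at least one violation."""
    if not devices:
        return 0.0
    bad = sum(1 for d in devices if evaluate(d, today))
    return bad / len(devices)


def unsupported_share(distribution: Dict[int, float], min_major: int) -> float:
    """Percent of the installed base below the cutoff, from a version -> percent table."""
    return sum(pct for major, pct in distribution.items() if major < min_major)


# The post's January distribution, in percent, as rounded there.
JANUARY_DISTRIBUTION = {4: 2, 5: 5, 6: 10, 7: 21, 8: 54, 9: 5}

# Constructed inventory: two compliant devices, one stale, one on an unsupported release.
SAMPLE_DEVICES = [
    Device("sales-01", 9, date(2019, 3, 5)),
    Device("sales-02", 8, date(2018, 6, 1)),   # patch level ten months behind
    Device("exec-01", 6, date(2018, 11, 5)),   # unsupported major version and stale
    Device("eng-01", 8, date(2019, 2, 5)),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.name, evaluate(d) or "compliant")
    print("out of policy:", out_of_policy_share(SAMPLE_DEVICES))
    print("unsupported share of install base (%):",
          unsupported_share(JANUARY_DISTRIBUTION, MIN_SUPPORTED_MAJOR))
```

Run against the post's own figures, `unsupported_share` comes out at 17 percent (2 + 5 + 10), which is the "around 20%" the post quotes. The patch-age check matters as much as the version check: a phone on a supported release whose vendor stopped shipping monthly patches is just as exposed, and the patch level date is the only signal the device itself gives you about that.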
OK, enough ranting.
What is coming in Android Q (Version 10)?
The Android Q beta will drop this month and the best guess is that it will be released in August. Some of the new security features include:
- The Android OS will stop tracking contact "affinity" (who is talking to whom on your phone; yes, it has been doing that forever), so that data will no longer be available to apps.
- Phones will use a RANDOM MAC address (the hardware address of the network interface) to reduce the ability to track a device by its MAC address.
- Only some apps will be able to obtain the device’s serial number and IMEI (electronic serial number).
- Users will get more control over location permissions. You will now be able to say that an app can only access your location while it is the active application on your screen. This comes after it was revealed that some apps, running in the background, transmit your location data to the app maker over a thousand times a day.
- Only the active app can access data stored in the clipboard.
- Some network device state information will now be restricted.
- Apps will need a special FINE location permission to use certain WiFi and Bluetooth APIs. This is how grocery stores, for example, know that you are in the cereal aisle and can send you ads for cereal and not pantyhose.
- Each app will be given a sandbox for access to "external" storage (USB storage). Currently, if you give an app access to USB storage, it can access any data on the device. If apps are well behaved, this is not a problem, but ….
- There are new restrictions on apps starting in the background without telling you.
- There are several changes to the permissions model – apps will need to be given specific permissions in order to detect, for example, a user’s movement.
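The random MAC item above has a side effect for anyone who runs a network: a randomized address is a locally administered address, so it looks different from the burned-in address a device inventory or a MAC-based allow-list expects. The following is an added example, not code from the original post and not Android's own implementation; it shows the generic way a random locally administered unicast MAC is formed and how to recognize one in, say, a DHCP lease table. The lease list is constructed.

```python
"""Added example: forming and recognizing randomized (locally administered) MAC
addresses. The generation scheme is the generic one (set the U/L bit, clear the
I/G bit); it is assumed here as an illustration, not taken from Android source.
"""
import secrets
from typing import Dict, List

LOCALLY_ADMINISTERED = 0x02   # U/L bit in the first octet
MULTICAST = 0x01              # I/G bit in the first octet


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the six raw octets."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(octets: bytes) -> str:
    return ":".join(f"{b:02x}" for b in octets)


def random_mac() -> str:
    """Random unicast, locally administered MAC: what a randomized client address looks like."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | LOCALLY_ADMINISTERED) & ~MULTICAST & 0xFF
    return format_mac(bytes(octets))


def is_locally_administered(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & LOCALLY_ADMINISTERED)


def is_multicast(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & MULTICAST)


def classify_leases(leases: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split a lease table into clients with vendor (burned-in) MACs and clients
    with locally administered MACs, which is where randomized addresses show up."""
    result: Dict[str, List[str]] = {"vendor": [], "randomized_or_local": []}
    for lease in leases:
        bucket = "randomized_or_local" if is_locally_administered(lease["mac"]) else "vendor"
        result[bucket].append(lease["host"])
    return result


# Constructed lease table: the first two MACs are plain vendor-style addresses,
# the last two have the U/L bit set as a randomized client would.
SAMPLE_LEASES = [
    {"host": "printer-2f", "mac": "3c:52:82:10:aa:01"},
    {"host": "laptop-jdoe", "mac": "f0:18:98:22:bb:02"},
    {"host": "android-1", "mac": "da:a1:19:33:cc:03"},
    {"host": "android-2", "mac": "6e:07:4b:44:dd:04"},
]

if __name__ == "__main__":
    print("fresh random MAC:", random_mac())
    print(classify_leases(SAMPLE_LEASES))
```

The practical consequence for a corporate network is that you should stop keying device identity on the MAC address once Android Q phones show up: tie identity to an 802.1X certificate or the MDM enrollment instead, and treat a rising share of locally administered addresses in the lease table as the expected result of this feature rather than as rogue devices.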
One thing Apple has figured out how to do, is to get users to spend a thousand dollars on a new phone every year or two (An iPhone XS Max with 512 gig of storage costs almost $1,500!!!). Not sure how they do this, but they have. Android users are much more sensible.
Until users understand that their devices (and more importantly their data) are at risk because they are not being patched, this is unlikely to change.
Information for this post came from Helpnet Security.