Here’s a fun, undeniable fact: depending on who you ask, Android is, or is about to become, the most popular operating system on Earth. Google’s partially open source and royalty-free mobile operating system now runs the lives of people everywhere, including places where old school PC computing and wired broadband never gained much traction.

So, we find that the time is right for a proper look at the state of Android Security. Thanks to existing and upcoming legislation in major markets, such as the EU GDPR, anyone who ignores network hygiene does it at their own peril.

In this 5-part series, we want to bring some much-deserved attention to the state of security on the Android platform:

  1. Security updates
  2. Device encryption
  3. Data leakage
  4. Malware
  5. Network threats


Now, let’s have a look at today’s issue.

Figure 1: Graph comparing Windows and Android market share in 2016 and 2017. Android is now, or will soon become, the most popular operating system in the world.


Software updates are critical for connected devices


Maintaining operating system security relies on getting known bugs fixed. This process of software support is well-established and works well in old school IT with desktops, laptops and servers. It’s important to enable users to get updates as soon as possible when problems are discovered.

Beyond the updates that arrive while a device is new and shiny, computers are expected to sit in their corners for years, functioning as servers, networked typewriters or ATMs, without major changes.

Without timely updates, PCs and servers are vulnerable to intrusion attempts via countless attack vectors: arbitrary code execution in web browsers, remote code injection on servers and much more. Likewise, when updates stop arriving in the middle of a device’s expected lifecycle, the system becomes an invisible problem.

This need for timely, long-term support exists on all types of computers. This is why Windows releases receive security updates for around a decade. Linux operating systems for professional use are generally supported for 10 years (RHEL/CentOS), or five years in the case of Ubuntu and Debian.

Figure 2: Google Nexus device software support lifecycles compared to iOS devices as of 2015, infographic by Android Police.


Android smartphones and tablets, heavily networked and exposed as they are, have no less need of updates. Yet this ecosystem of updates has yet to mature on Android. In fact, this has been a looming problem for years. To their credit, Google and device manufacturers have started to recognize the problems and are already making good progress.


As cool as the popularity of Android is, it’s also a fact that hundreds of millions of Android devices with known, unpatched vulnerabilities are roaming the world at large.

Patch rates for the CVE-2015-3864 Stagefright bug as of January 2016

Figure 3: Patch rates as of March 2016 for the extremely critical remote code execution vulnerability in Android’s Stagefright library (CVE-2015-3864), uncovered in July 2015. Source: Zimperium.


Vulnerable devices are a headache for the entire internet


The potential for exploiting these vulnerabilities is varied, but on the whole substantial, when each device carries several of them. From drive-by exploitation through websites and ad networks, to more or less targeted attacks through message attachments and the like, the last few years of Android vulnerabilities offer rich potential for nastiness.

The incentives behind Android malware are different from those of early Internet of Things botnets used for DDoS, such as Mirai, which wreaked major havoc in late 2016. But for individual companies and persons, infected Android devices can facilitate data theft, and may help intruders conduct lateral movement inside an organization’s network.

When remotely exploitable Android vulnerabilities and the toolkits to misuse them become commoditized enough, even espionage on a state, industrial or personal level becomes ripe, low-hanging fruit. After all, mobile devices have all kinds of sensors, including GPS, microphones and cameras. The full business, social and political implications of large populations carrying vulnerable devices are yet to be discovered.

Good intentions with rough edges

To not come off as too damning in the paragraphs below, it’s important to note that major Android manufacturers have improved their support of new flagship devices. The market is indeed trending in the right direction.

However, despite advancements, manufacturer policies on product lifecycles remain poorly communicated. Some technology buyers are waking up to the reality that they know little about the support status of their phones, to the point that manufacturers may face litigation, such as a lawsuit involving Samsung and a Dutch consumer rights group (reported as still ongoing in late 2016).

In reality, support for Android devices typically maxes out at around 2-3 years. In contrast, Apple supports iOS devices for around five years, always with the latest operating system.


Figure 4: Frame from 23:35 in the 2016 Android Security review video. Major Android brands have started taking care of at least their flagship phones.


The Android ecosystem does a fair job


Google indeed maintains the code base of Android releases for around four years, but the manufacturer of every device needs to build, test, package and distribute each update separately, on a per-model basis. Additionally, carriers in some markets do cosmetic customization of phone firmware, and form yet another bottleneck for getting updates to the public.


Figure 5: Security firm Trend Micro’s explanation of the Android software ecosystem from the perspective of updates.

Inertia in adopting longer software support lifecycles could be related to disparate product teams maintaining different branches of the Android code for each device. Even Google seems to refrain from maintaining its Nexus and Pixel phones for more than three years.

In practice, limited support lifecycles and slow update processes leave many Android devices with poor update rates, even for very serious security flaws like the 2015 vulnerabilities in the Stagefright components of the Android system.

Over 40% of Android devices were still vulnerable six months after the disclosure of this vulnerability. The graph below shows more detailed adoption rates of Stagefright fixes in a number of countries. Variations in all likelihood stem from differences in carrier policies and the age, make and model of phones in active use.

Since the Stagefright incident was a high profile news event, it’s possible that carriers in several countries distributed updates and put in special efforts where manufacturers didn’t, due to the incentive of keeping carrier networks clean. In countries like our native Finland, carriers practice little customization of user phones, which perhaps leaves the numbers lower.


Background: Why Android updates are tricky when Windows Update just works


Windows/Intel-based PCs and smartphones differ in several ways, particularly in how hardware and software are bundled.

Indeed, PCs largely follow a long tradition of compatibility, being able to run general-purpose operating systems. In particular, most computers can boot a generic retail copy of the Windows installer and run with basic functionality. Graphics, Bluetooth, Wi-Fi and many other things may require special drivers to work properly.

But properly configured Windows computers can download system updates, and some hardware drivers using Microsoft Update, an essential service in a 20-year process of painstakingly keeping up security for the Windows operating systems.

Android phones work differently. Differences from the PC environments start with devices relying on the ARM architecture, with small System on a Chip (SoC) hardware. The specifications of these systems vary heavily between models, even among the same manufacturers. These tightly integrated systems lack the decades of compatibility for generic base functionality taken for granted by PC users.

This all ends up with the fact that Google, as the creator of Android, doesn’t provide updates to third-party Android phones directly. Vendors must work through Android’s vast code base and make it work with each phone. Subsequently, these vendors must take care of updates, too.

The upsides of all this customization make smartphones terrific: they’re seemingly magical devices with amazing radio capabilities, many well-tuned sensors and heavily optimized power management, bringing PC-like performance to small battery powered devices.


Mitigation strategies


The good news is that many Android users are far better off than the sometimes gnarly details of this report may imply. Phone replacements alone put better supported, modern Android phones in the hands of users every single day.

Android users now have the luxury of being able to choose phones with consistent, sound software support, if they buy high end phones. Choosing wisely works: on page 32 in the Android Security 2016 Year In Review, Google reports that over 70% of active flagship phones in Europe have a patch level not older than three months in late 2016.

Containers to the rescue

In high-security environments, IT administrators must live with the fact that Android devices still don’t receive more than three years of patch support. Having a relatively fast refresh cycle for phones may be necessary. Hand-me-down phones are not an option.

However, Android Enterprise and Mobile Device Management can mitigate problems, even in cases where the update practices of the manufacturer are less than satisfactory.

For example, phones with Android Enterprise would have retained isolation of the Work container following exploitation of the Stagefright MMS vulnerabilities (CVE-2015-3864).

The ‘second coming of Stagefright’, an exploit involving malformed media files and the ‘mediaserver’ component (CVE-2015-6636), would also have failed to access containerized data, and certain blacklisting options in MDM systems would have applied. However, as with the first Stagefright bug, the user’s own data would be compromised.

Figure 6: Google Safe Browsing warning on an Android smartphone. Google maintains several security services for Android apps; Safe Browsing is one of these features.

MDM can limit attack surfaces

App white- and blacklisting, disabling camera support and configuring kiosk modes can be helpful to limit other types of risks. Control over what software is running should be prioritized in use cases where Android devices perform roles such as Point of Sale. Chrome can also be forced as the default browser, bringing the benefits of browser updates through Google Play Services.

MDM cannot at this point force installs of OS updates. However, as Android 7.1 devices, like the Google Pixel, are adopting automatic system updates, this problem becomes obsolete. This system ensures that the phone boots to the latest available OS version on each reboot. This process is also much quicker than traditional updates, which leave devices stuck at a loading screen for a good while.

For now, an MDM system can help maintain an overview of the software versions running on device fleets.
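The text twice points at the same practical check: Google’s metric of flagship phones whose patch level is no older than three months, and the overview of software versions that an MDM system can give an administrator. As an added example, written for this article and not code from the original post or from any MDM product, the Python script below performs that check over a fleet inventory. It assumes that patch levels were collected as the `ro.build.version.security_patch` system property (readable with `adb shell getprop`, or reported by an MDM agent), and the device inventory and report date it uses are constructed sample data.

```python
from datetime import date, datetime

# Constructed sample inventory (not real devices): the value of
# ro.build.version.security_patch as collected per device by an MDM agent
# or `adb shell getprop ro.build.version.security_patch`.
SAMPLE_FLEET = {
    "pixel-01": "2017-03-05",
    "pixel-06": "2017-04-01",
    "galaxy-02": "2016-11-01",
    "tablet-03": "2015-10-01",
    "kiosk-04": "",             # property empty: builds before Android 6.0 do not set it
    "phone-05": "March 2017",   # malformed value (constructed) to show error handling
}

# Constructed report date so the example is reproducible offline.
REPORT_DATE = date(2017, 4, 1)

# Google's yardstick from the 2016 Year In Review: patch level at most three months old.
MAX_PATCH_AGE_DAYS = 90


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level string; return None when missing or malformed."""
    if not value:
        return None
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def classify_device(value, today=REPORT_DATE, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return 'current' if the patch level is within max_age_days of today,
    'stale' if it is older, and 'unknown' if the value cannot be parsed."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"
    age_days = (today - level).days
    return "current" if age_days <= max_age_days else "stale"


def fleet_report(fleet, today=REPORT_DATE, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return (statuses, share_current). Devices with an unknown patch level are
    counted against the fleet: a device that cannot prove its patch level is not
    treated as current."""
    statuses = {dev: classify_device(v, today, max_age_days) for dev, v in fleet.items()}
    if not statuses:
        return statuses, 0.0
    current = sum(1 for s in statuses.values() if s == "current")
    return statuses, current / len(statuses)


if __name__ == "__main__":
    statuses, share = fleet_report(SAMPLE_FLEET)
    for dev, status in sorted(statuses.items()):
        print(f"{dev:10s} {SAMPLE_FLEET[dev] or '<none>':12s} {status}")
    print(f"share of devices patched within {MAX_PATCH_AGE_DAYS} days: {share:.0%}")
```

Devices whose property is empty or unparsable are reported as unknown and counted as not current, which is the conservative reading for a fleet overview: an empty property usually means a build older than Android 6.0, which predates the monthly security patch level altogether.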


As we conclude this article, we can provide the reader with some comforting knowledge. Namely, the upcoming parts of our Android security series concern topics where users and admins can do more to help themselves.

Android security update procedures are getting better, as are several other sophisticated, relatively new features that will make for more positive reading in the following weeks.

Title image by Eduardo Woo

Valtteri Kekki

CTO at Miradore Ltd
Valtteri Kekki is the CTO of Miradore. He has been with the company since 2011 and is also an experienced software developer. Valtteri holds an M.Sc. in computer science from Lappeenranta University of Technology.