I blame the OEMs 100% for this
"And around a third (30 per cent) of devices were running an out-of-date OS."
I'd love to be running a more recent OS, but HTC can't be bothered to issue any updates so I'm screwed.
Take my advice - never buy HTC.
Users in both enterprises and at home are failing to take basic precautions against an increasing range of mobile threats, according to a new survey by security firm Skycure. The majority (52 per cent) of devices do not have any type of passcode enabled, including alphanumeric, biometric, and swipe codes. And around a third ( …
Yes, it would be nice to know how many of these "out of date" devices have been declared EOL by their manufacturers, thus making them not "unpatched" but "unpatchable" and thus the only option is a costly replacement phone which many people aren't inclined to buy.
And yet MS get blamed for Windows security problems on Dells, HPs or any manufacturer's PCs. But not Google, because apparently there's no way they could have built a Windows Update style service for Android.
Though apparently now "Google is taking the lead on revitalising the patching pipeline for the Android ecosystem". Stable door anyone?
The difference here is that Microsoft sell a completed version of Windows which is installed on a device. Google create a version of Android which is then modified by the OEM before being installed. Google have no control over these modifications therefore cannot release a 'fix' that will work on all devices.
Google have made attempts to address this and supply a lot of updates via the Google Play Services. It is, however, an issue that will continue to plague Android unless a better solution is found.
How about the iPhone solution? A Mac OS seems to be a bit more secure than PC, however these days kids are far smarter (it seems) than the developers these days. Personally I don't worry about my iPhone mainly because I don't do much business on it (or my computer for that matter) that is sensitive. I put in a partial end number of my bank accounts, but never link to my actual bank, for example. I will take the extra work to remain secure. One other thought, though....
Personally, I have to wonder if all the "you're not secure enough" rhetoric is real, or a front to make sure we all upgrade to the latest OS with new and improved spyware from our own governments and the alleged 'six families that hold the majority of wealth in the world' to keep the rest of us in our place.
Funny that what happens in the US seems to follow suit a mere months after to the entire rest of the Civilized (?) countries. Something to consider if you ask me ... as a writer I've learned how to research deep to see some interesting things; such as, before the stock market and housing crash rental property stocks were taking a steady 4 1/2 year dive. Quite the coincidence, which did not really explain why it took banks 4 - 5 years to put most of those repossessed homes up for sale to the public. The numbers taken back did not come near to those on the market until apartment rent had increased by close to 40%.
At the time, only Apple could pull off the iOS solution because the carriers faced actual defections from customers lured by Apple's unique siren song. Google offered carriers Android as a way to lure those customers back, and it worked, but it entailed a necessary delegation of responsibilities that is coming back to bite Google. They're trying to wrest underlying control back with the latest versions of Android. Marshmallow has a lot more integrity checking, for example (dm-verity is now enforced along with SELinux, and Android Pay only works on "virgin" devices), and there has been progress on layers (which would allow carriers to provide their unique stuff while staying off the system stuff for the most part). This push for security will likely be near the top of the priority list for Android N (whatever it'll be called).
PS. If you're paranoid about governments overhearing your activities on your cell phone (which they could probably do even before there was such a thing as a smartphone), then you probably shouldn't own a cell phone at all, and give up that connectivity that everyone (including bosses) are demanding these days.
Really? You're sure those clever people at Google couldn't manage to keep core infrastructure updatable whilst allowing manufacturers to mess with the ui and add services? This isn't a case of Google providing an update mechanism and the OEMs opting out of it or breaking it. They didn't bother to provide a patching mechanism. It shows a wilful lack of care for their users.
"You're sure those clever people at Google couldn't manage to keep core infrastructure updatable whilst allowing manufacturers to mess with the ui and add services?"
You should talk to the folks at the xda boards. You'll find out that TouchWiz and Sense, among others, are a whole lot more than just window dressing. There is a whole lot of under-the-bonnet stuff that makes these things work, and a lot of things that are pushed at the insistence of the carriers under threat of dropping them for another brand. For example, take T-Mobile's WiFi Calling and the Galaxy S4. WiFi Calling happens to be one of the few things I really, really like about T-Mobile (especially when abroad since that means I can call home for free as long as I'm at a hotspot), but here's the rub. At T-Mobile's insistence, the guts of WiFi Calling are buried inside TouchWiz, to the point no Android hacker in 2 1/2 years has been able to disentangle the two (there's even a cash bounty out on this, so there's lots of motivation). So if you want WiFi Calling, you MUST use TouchWiz (which for us apparently means no Lollipop upgrade). And no, phones from other carriers nor Google Play Edition S4's cannot get WiFi Calling. Last I heard, HTC phones get the same treatment with their Sense UI.
So NO, manufacturer adjustments are WAY more than skin deep, and until Google lays the law down (and neither side decides to walk away in response), then that's the way it'll be. Believe me; I speak from experience.
...of the operating system"
And yet rooting/jailbreaking is the only way to upgrade a device to a more recent, secure version of the OS once the manufacturers have stopped providing updates, if they ever have.
Which means you lose either way. If you don't upgrade, they'll pwn you with the unpatched exploits. If you do root, they'll pwn you precisely because you rooted, regardless of whatever safeguards you try to put up.
Leave Android and you find Apple has its own issues, and meanwhile feature phones are going the way of the dinosaur because people are getting used to sleek, adjustable-function phones they can customize. No one (of any importance) just calls and texts anymore.
"And around a third (30 per cent) of devices were running an out-of-date OS."
That's certainly not true at all. The most recent version of Android is 6, which is used by approximately 0% of people. Ignoring that and looking at versions that most people actually have a chance of using, 5.x is used by around 20%, with 4.4.x by far the most common and 4.1 and 4.2 together still having more market share than 5. So no, 30% of people are not running an out of date OS, somewhere between 80-100% are.
Have to say I'm surprised at the number without any passcode though. I don't think I've ever seen a mobile device without either a swipe pattern or PIN.
"I don't think I've ever seen a mobile device without either a swipe pattern or PIN."
Ever? When Nokia ruled with the Symbian phones it was rare to see anyone protecting their phone with a PIN - if it even was possible (can't remember). Sure the SIM had a PIN code but that was needed only when rebooting the device.
I too am getting a bit disgruntled with Android. Though the best experience I have is with LG so far. SWMBO has a direct from LG G3 and I have one that came from Three. I am on the same version as her (the latest LG provided) and got that only three weeks after her (I check monthly so there may be updates that I've not looked for). I figure a three week lag for Three isn't terrible. Samsung were atrocious and didn't update anywhere near enough even unbranded. On the other hand my spare phone (an MS Nokia 630) updates all the time which I quite like - would swap to WP10 in a shot if only the app support was there. Please nobody suggest iPhone - been there done that...
As far as security the iPhone seems better, however since Steve Jobs died Apple has been slowly falling down into the pits of hell imho.
Siri is too busy to help much of the time, and when she does she's been hitting the bottle because she can't find the obvious, or understand plain English and she's supposed to get better and better over time to how the user enunciates their words. Instead she seems to be getting worse since the later update that I did as my phone (that had to be reset).
The iPhone was plugged into my Pro Mac desktop charging during the install and I unplugged after the update but before the reset. Still, I discovered that the update wiped out all ringtones ON MY DESKTOP! which I had converted to MP3 format from my Android phone so that I could use with the iPhone. In other words, if it didn't come from the iTunes store out it went. FIFTY MP3 or Tone files.
Their tech support solution was 'buy them again' yet iTunes does not offer them. Their ho hum attitude apparently changed after 20 minutes of rather heated debate as to their right to take anything out of my computer without permission, and my hanging up on them just after a threat of a class action lawsuit. Funny, those ring tones slowly reappeared in iTunes again although they swore there was nothing to be done. Is there such a thing as honest business dealings these days?
Do you really believe a single angry call into Apple threatening a class action suit is going to get them to have someone magically access your personal iTunes install and get your ring tones back?
Whatever happened (I have no idea what) caused them to temporarily disappear and they came back later. Maybe some sort of index got deleted and had to be rebuilt, I have no idea. If you really believe your call to some bored front line CSR would get them to take any action beyond "log angry call with random threats" you're crazy.
My device doesn't have a passcode enabled either. It also has a maximum of £15 credit on it at any one time and has no banking or shopping apps. I lead a very dull life and the remaining contents of my phone reflects that.
I'm quite happy with that level of risk.
Wow, you keep a lot on it. I only have a fiver. And as for stealing personal info, good luck with that. I keep no one in my contacts or anything in the calendar. Email is web based and I don't keep even my email address saved (I have a couple of email addresses anyway) and since I run AOSP, nothing Google based either.
I'm not paranoid, it's just I have a brain and can remember things. Old skool I suppose.
Bong. Updates are available for your Android System.
Run... restart... 30%... HANG! Abort! Restart...
Bong. The update failed, connect your device to a Real Computer and install the update that way.
[Much hassle later on the vendor's website downloading their Connectivity package, because registering the device as a USB Storage device and copying any update files into a folder called Updates would be, like, so infradig.]
RC: No updates are available for your device.
User: Huh? But... Whatever!
Bong. Updates are available for your Android system.
GOTO 20
For the last six months, I've just swiped the update into a 'Later' state. I still get the icon on the title bar, and it still fills about half the Notifications screen, but at least the device hasn't bricked.
.. Here's your friendly correction or two...
They haven't been called 'Telephones' for quite a while now. They are Mobile Devices. Telephones are those things that required cords - or at least a base station in your home and only worked within like 100 feet of it.
Phones, aka Mobile Devices, are primarily for delivering personal advertisements by way of games, internet browsing and social media apps. Making telephone calls is just a secondary feature.
They just might by triangulating your phone's location (a basic function of the network) and secretly turning on your phone's mic (via a hardware smurf) while you're there to hear pertinent details. Like I said, if you think the plods were only able to tap you when the iPhone and Android came along, you're late to the game.
As a Verizon Victim I have a severely limited choice of devices, they invariably don't come with the latest version of OS (the Verizon site still offers Android phones with v2.x on them, Apple devices with ~3 prior releases, & Windows phones with WP7; if you look at BlackBerry's offerings it's even worse) claiming they are "OTA Ready". Except they *NEVER* update the devices, so the OS version you buy it with is probably the only one it will EVER get. No updates from Verizon will be forthcoming until the heat death of the universe.
Add to that manufacturers that shit out a new device every few months, claim it'll be supported for the life of the device, then abandon it barely a year later. See Motorola for examples of this, HTC, Samsung, and any of the primarily Chinese tertiary vendors. IF they release an update for the device then it has to go through the carrier in order for us to GET it. If that carrier is Verizon then the manufacturer's update will be "held for testing & validation" until Verizon feels like releasing it, which will be when Hell Freezes Over.
Even if I buy a Nexus from Google directly & get one compatible with Verizon's network, I can't be sure I'll be able to get any updates. I either have to cable it to my desktop & force it to update via the LAN or somehow figure out how to manually download the updates & apply them. Because Verizon will actively cockblock anything the manufacturer might try to send over Verizon's network, claiming "security".
So my options are to live with an insecure device or switch carriers. Unless I suddenly find a couple hundred I can flippantly flush down the bog IN ADDITION to all the other fees I'd incur in changing over (credit check, down payment, the phone itself, insurance, accessories, et alia) then it's Not An Option.
Which leaves an insecure device. <Sarcasm>Joy.</Sarcasm>
In the end both the device manufacturer has to be arsed to create the updates, release them to the carriers, & insist that the updates be applied promptly. Then the Carrier has to pull its head out of its ass & push out the updates in a prompt manner. Then and ONLY then can the Customers stand a chance in hell of running secure devices. As others have pointed out above, running the stock OS will get you screwed from the inherent unpatched security holes, but rooting it to run a more recent version will ALSO get you screwed BECAUSE of the rooting. How the hell are we supposed to win in a Damned if we Do, Damned if we don't situation?
Feature phones may not be as prevalent as they used to be, but the fact that I don't store any PII on it beyond my Contact List means that even if it DOES get violated somehow then there isn't a whole lot an attacker can steal. (Because it doesn't run applications, doesn't connect to the internet, doesn't play games, and simply makes/takes calls, sends messages, & has functions like a calculator, there isn't much TO attack in the first place.)
Do I want a SmartPhone? Hell yes. Do situations like this make me reconsider getting one? Damn skippy. If the manufacturer can't be bothered to update the device & my carrier couldn't give a fuck about my security, then there's zero chance that I'll be able to make an end run around the both to do it myself.
*Sigh*
If 8.4 was current when they did this survey, was anything older out of date? Or anything earlier than 8.0? Every new version of iOS and every new version of Android includes some security fixes, so obviously even if you are 100% up to date you are still vulnerable to some stuff they don't know about, or know about but haven't delivered a fix for yet. Being up to date only means you're vulnerable to less than if you were on an older version.
They seem to pretend that being "up to date" is a panacea and some arbitrary "out of date" line is bad. It is more of a sliding scale. Since there aren't any active large scale exploits happening with iOS, or with Android, at this time the risk is mostly theoretical. When such attacks begin (and I have no doubt they will come) then you can worry about x% of phones being vulnerable.
The key there is that iOS users will be able to take action to update their phone and eliminate the risk, while most Android users will be left without any recourse short of buying a new phone. I'm sure Android OEMs will enjoy the windfall that results from their own dereliction of duty, though part of that windfall may come Apple's way due to their better support for updates.
Actively refusing Android 5 upgrade by having wifi off most of the time.
Only reason I have a passcode is I had to install a custom SSL cert for my personal ownCloud server for address book sync because Android does not support the CA I bought it from. Otherwise would have no passcode.
I've never lost my phone nor had it stolen (had cell phones since 1998). I'm very careful what apps I install. Based on history I believe my vulnerability is very very low even without a passcode on the phone.
Also I don't do anything like online banking on phone either. I do use company VPN on occasion with Duo Security two factor (though it uses phone for 2nd factor).
If the OS held me as the highest authority on what may or may not be done on my own device, as it damn well should.
*I* get to say what is installed, uninstalled, backed up, copied or modified. *I* can grant or deny an app whatever permissions I deem appropriate, and whatever knowledge of those permissions I choose. Do you have permissions to access SMS, or do I just have no messages, and messages you send have no effect? That's my decision.
No, you don't, because the software isn't yours. Therefore, you cannot be held in the highest regard anywhere in the mobile world. Neither for that matter do you own the firmware needed to make the phone run, which is all protected by patents and/or trade secrets. You want to use a cell phone, you need to agree to licenses and so on. Cost of doing business; Take It Or Leave It.
Why is this deemed a negative?
I must save hours a year by not having to type in a PIN every time I look at my device.
And patching's the same - each patch makes it a bit slower, so why bother? I'll take the performance route and just not install untrusted cack/visit dodgy sites etc.
This idea that if you don't keep patched and have a ridiculous passcode then the world will end is bobbins.
If it really matters, I haven't insured the handset either.
So you don't care if someone mugs you and rips the phone out of your hands?
As for not patching because you don't visit dodgy places, does the phrase "drive-by attack" put you short? Those attacks are placed at mainstream sites and can use mainstream networks that can get past ad blockers.
Your world may just end if your stolen phone results in identity theft or a serious breach that results in you getting fired or worse having to pay through the nose in court or whatever, and note that there have been some pretty serious people that got their details nicked in this very way.