Android Fragmentation and Security by Dylan Chatterjee
August 2016

Security is the primary focus of Black Hat, and one of the many briefings there looked at the mobile threat landscape and explored how greatly the operating system (OS) in question affects the type of vulnerabilities to be expected. With the growing popularity of bring your own device (BYOD) in the workplace, Android versus iOS is worth comparing and contrasting. Android phones hold 53% of the US market as of Q3 2015; globally, Android has an 83% market share.
A big difference between an iPhone and an Android phone is that the iPhone is a line of phones with iOS as its operating system, whereas Android is just an operating system that many different lines of phones use. HTC, Samsung, LG, and a plethora of others all offer their own lines of phones running Android, but each adds its own OEM apps and launchers to give its phones some custom bells and whistles. This has created a problem: when Google releases a new version of Android, each manufacturer then has to add its bells and whistles into the new version for every different phone it sells. Manufacturers are not willing to do this for all of them, so many of their lower-end phones simply never receive updates, and many of the phones that do receive them get the updates 3+ months after the official release. This has created a huge level of fragmentation in the Android space, resulting in less than 20% of all Android phones being on some version of the latest release, Android 6.0 Marshmallow.
Android Version Distribution 2016 - courtesy of Cisco
At a glance this may not seem like too big an issue, but if your phone’s OS and kernel aren’t routinely updated, nefarious third parties have more and more time to find unnoticed gaps in that version of Android’s security, which leaves you vulnerable. For this reason, some feel that Apple is “winning” in terms of security, because the relative standardization of iOS devices lets it easily update its entire line of phones at once. There are multiple hardware and software levels at which a device could be compromised, and they all have different implications in terms of severity. If a vulnerability is found in an OEM application or in a specific phone’s features, that obviously limits the vulnerability’s spread to that specific type of phone. However, if a flaw is found in an outdated version of Android, a huge number of phones could be running that specific version, making it a very widespread vulnerability. A similar scenario wouldn’t matter for an iPhone user, because the vast majority of iOS devices receive updates immediately, so vulnerabilities in old versions don’t matter.
One of the ways a company can eliminate the security concerns that Android’s fragmentation issue can cause is to give its employees a “work phone”. The prevalence of bring your own device (BYOD) in the workplace can exacerbate security risks that do not need to exist if the company hands out a specific Android phone or an iPhone for work. BYOD is becoming more and more popular at most major corporations, but the security concerns it brings with it are also growing every day.
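The two preceding paragraphs make the defender’s case in words: the risk of an outdated Android release and the policy answer for a BYOD fleet. The following script is an added example, not code from the original post, showing how an administrator can turn that into a check over a device inventory. It measures the release distribution of a fleet (the same shape of data as the version-distribution chart above) and flags devices that fall below a minimum release or whose security patch level is older than a policy threshold. The inventory rows are constructed for the example; the two fields they model are the real Android system properties `ro.build.version.release` and `ro.build.version.security_patch` (the latter only exists from Android 6.0 onward, which is why older devices report it empty). The policy values and the fixed “today” date are assumptions chosen to keep the output reproducible.

```python
"""Fleet fragmentation check: which devices run an old Android release or
carry a stale security patch level.  Added example; inventory is constructed."""
from collections import Counter
from datetime import date

# Constructed inventory of hypothetical devices, in the shape an MDM export
# might give. 'release' models ro.build.version.release and 'security_patch'
# models ro.build.version.security_patch (empty on devices older than 6.0).
INVENTORY = """\
device_id,model,release,security_patch
d001,Nexus 6P,6.0.1,2016-08-01
d002,Galaxy S5,5.0,2015-11-01
d003,HTC One M8,4.4.4,
d004,LG G4,6.0,2016-05-01
d005,Galaxy S7,6.0.1,2016-07-01
d006,Moto G,5.1,2016-03-01
"""

MIN_RELEASE = (6, 0)       # assumed policy: Marshmallow or newer
MAX_PATCH_AGE_DAYS = 90    # assumed policy: patch level no older than 90 days
TODAY = date(2016, 8, 15)  # fixed so the example is reproducible


def parse_release(text):
    """'6.0.1' -> (6, 0, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_inventory(text):
    """Parse the comma-separated inventory into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def release_distribution(rows):
    """Share of the fleet on each major.minor release, rounded to 2 places."""
    counts = Counter(".".join(r["release"].split(".")[:2]) for r in rows)
    total = len(rows)
    return {rel: round(n / total, 2) for rel, n in counts.items()}


def noncompliant(rows, today=TODAY):
    """Return (device_id, model, reasons) for every device that breaks policy."""
    findings = []
    for r in rows:
        reasons = []
        if parse_release(r["release"]) < MIN_RELEASE:
            reasons.append("release below %s" % ".".join(map(str, MIN_RELEASE)))
        patch = r["security_patch"]
        if not patch:
            # Property absent before 6.0: treat "unknown" as non-compliant.
            reasons.append("no security patch level reported")
        else:
            age = (today - date.fromisoformat(patch)).days
            if age > MAX_PATCH_AGE_DAYS:
                reasons.append("patch level %d days old" % age)
        if reasons:
            findings.append((r["device_id"], r["model"], reasons))
    return findings


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY)
    print("release distribution:", release_distribution(rows))
    for device_id, model, reasons in noncompliant(rows):
        print("%s (%s): %s" % (device_id, model, "; ".join(reasons)))
```

Treating a missing patch level as a finding rather than ignoring it is deliberate: a device that cannot report one is, by construction, on a release old enough that the property did not exist. With real data the same two functions give the fleet-level view (how much of the fleet shares one outdated release, the widespread-vulnerability case above) and the per-device list a BYOD policy would act on.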