Some worrying trends were revealed in a new study by the Duo Labs team that analyzed the state of security on Android devices.
The results from its large sample set, which included users' personal devices used to access employers' systems and data, found that:
- One in 10 Android devices have enabled pre-boot passcode device encryption;
- One in three Android devices don't use passcodes on their lock screens;
- One in 20 Android devices are jailbroken;
- 20 percent of Android devices are running outdated v5.1.1;
- 32 percent of active Android devices are running version 4.0 and below.
Additionally, the study revealed significant differences in platform support in the top 10 versions running Android versus the top 10 versions of iOS. For example, the more popular Android devices currently in use, such as Galaxy S III, are no longer supported by older versions of Android due to hardware limitations. However, Apple continues to support system updates for iPhone 4S, released over four years ago.
The issue stems from the fact that there is such a large number of hardware manufacturers and models in the Android ecosystem, perhaps as many as 10,000 unique Android devices.
"The numerous hardware OEMs and carrier partnerships influence whether or not a given hardware platform is supported, and the length of time for an update to reach the handsets that support it," the Duo Labs report stated.
Outdated Android versions can be susceptible to several known vulnerabilities and therefore put the entire enterprise at risk, the report added, particularly if users are logging into company networks and apps with vulnerable devices.
This is significant as failure to install updates renders hundreds of millions of phones vulnerable to Stagefright, an exploit deep within the Android OS that could allow for an attack via video sent over MMS (text message), the report said.
The company stressed the importance of educating users on the fact that Android updates don't deploy automatically nor on a timely basis, as they do for iOS users. It's necessary then to make certain users run updates.