In compiling the list, Bit9 researchers looked at three things: the market share of the smartphone, what out-of-date and insecure software the model had running on it and how long it took for the phone to receive updates.
In gathering information for the study, the researchers were astonished by the state of the Android ecosystem. “What was surprising for us was really the extent of the chaos and the fragmentation that exists in the Android ecosystem itself, and the way that the Android smartphones are distributed and more importantly, the way that security updates are done,” Bit9 CTO Harry Sverdlove told PC World.
The researchers found that 56 percent of Android phones in the marketplace today are running out-of-date and insecure versions of the operating system. Buying a new phone doesn’t skirt that problem, either. In some cases, the researchers discovered, phones contained software as much as 300 days old out of the box.
“If there are vulnerabilities and you’re sitting on a phone that hasn’t been updated for six months, that’s an eternity for a hacker,” Sverdlove declares. “All that time, you’re that much more at risk of being infected, of having your personal information stolen, of becoming a victim to some sort of malicious activity.”
Vulnerabilities aren’t what make the “Dirty Dozen” so dirty, Sverdlove notes. “There are vulnerabilities in all software,” he says. “Apple and its iOS has as many vulnerabilities in terms of what’s been reported as does Android.”
“The challenge isn’t so much to create perfect software, but to know the vulnerabilities and, more importantly, to be able to update the software, to be able to respond to them quickly,” he adds.
An advantage that Apple has over Android is that it can push updates to its software to all its smartphones simultaneously, he says. With Android, on the other hand, the manufacturers and carriers are responsible for pushing out updates.
“There’s too many cooks in the kitchen,” he says. “It’s like buying a PC from Dell and expecting Dell and Comcast to be responsible for your Windows updates.”
Sverdlove argued that all the players in the Android universe have to start thinking of smartphones as computers and not handsets. “There has to be some changes made to the ecosystem itself,” he adds. “The manufacturers and carriers have to start relinquishing control of the operating system to the software vendors.”