Report: Top Android Security Problems in 2017
Take a look at the WhiteHat Application Security Statistics Report to see what caused the most security problems in Android applications this year, so you can avoid them in 2018.
Now, as access to the Internet is so broad and natural, one of the biggest issues that bothered Android users in 2017 was their personal security. While all mobile devices have inherent security risks, Android has more vulnerabilities because of its inherent open-source nature, the slow pace with which users update the OS, and a lack of proper app vetting.
The recent WhiteHat Application Security Statistics Report featured data from mobile app security intelligence engine NowSecure. It can access data from hundreds of thousands of assessments based on static or dynamic analyses of iOS and Android apps.
The report identified at least one security issue in slightly over a quarter of tested Android apps. The top problem, found in 90% of these apps, was something we all know: the "allowBackup" flag set to true, a vulnerability that could potentially allow hackers to back up the device's app folder and access private data.
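A manifest check that flags this misconfiguration, added here as an example and not code from the report, NowSecure or the article. It parses a decoded AndroidManifest.xml and also reports an absent attribute, because android:allowBackup defaults to true when it is not set; the three manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespace used for all android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP_ATTR = f"{{{ANDROID_NS}}}allowBackup"


def allow_backup_enabled(manifest_xml: str) -> bool:
    """Return True if the manifest leaves backup of the app's private data enabled.

    android:allowBackup defaults to true, so an <application> element with no
    attribute at all is reported the same as an explicit "true".
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return app.get(ALLOW_BACKUP_ATTR, "true").strip().lower() == "true"


def audit_manifests(manifests: dict[str, str]) -> list[str]:
    """Return the names of all manifests that still allow backup."""
    return [name for name, xml in manifests.items() if allow_backup_enabled(xml)]


# Constructed sample manifests for demonstration; not taken from any real app.
EXPLICIT_TRUE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.explicit">
  <application android:label="Explicit" android:allowBackup="true"/>
</manifest>"""

IMPLICIT_DEFAULT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.implicit">
  <application android:label="Implicit"/>
</manifest>"""

HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.hardened">
  <application android:label="Hardened" android:allowBackup="false"/>
</manifest>"""

SAMPLES = {"explicit": EXPLICIT_TRUE, "implicit": IMPLICIT_DEFAULT, "hardened": HARDENED}

if __name__ == "__main__":
    for name in audit_manifests(SAMPLES):
        print(f'{name}: allowBackup is effectively true; set android:allowBackup="false"')
```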
On the other hand, Google recently released its annual report on the security of Android-powered devices - and we're talking some 1.4 billion all over the world. The report was optimistic in tone. Android devices are generally better encrypted, the Google Play store is seeing less malware, and more bugs are reported to Google in exchange for the so-called bug bounties.
So how did Android security look in 2017? Here are the top problems the industry was trying to solve this year.
1. Device Fragmentation
Android's most serious security problem in 2017 was its sheer variation. Consider this example: Samsung offers 13 device models that are sold by 200 different carriers who customize its operating system. That means we're dealing with around 1,500 variations of every version of Android.
Google's report revealed that the annual patching rate is now around 50%, which is much better than before, but still not good enough. Software upgrades for new features and security patches are critical to the life of any OS, and Google still seems to struggle with the low rate of software update adoption. Consider that less than 1% of Android phones run its latest version, Nougat. At the same time, almost 80% of iOS devices run Apple's latest version, iOS10. Nougat launched almost a month before iOS10.
Samsung's mobile security director Henry Lee recently told Wired that around 60% of their users received an update in 2016 and 15% are using old Android versions. The same percentage simply ignores updates. Google hasn't found a way yet to get dozens of manufacturers and hundreds of carriers to cooperate and regularly patch Android devices but is clearly working on it. The updates are smaller, more seamless and sometimes optional - A/B updates are a good example. The near future will tell how Google proceeds with solving this problem.
2. Android Instant Apps
Android Instant Apps are blurring the boundary between mobile apps and the mobile web. But what about security? We all remember Microsoft's ActiveX plugins, so it's better to be careful with this innovation and test it like any other app security risk.
The basic idea is that when a user with an Android device visits a website that can run an app, only the fragments required for execution will be installed. The idea is interesting, but it's in its initial phase, so this year will make it clear whether Instant Apps will be secure enough to spread on the market.
3. Cheap Android Devices
Experts predict that African countries will witness a rapid growth of Android devices. Cheap devices running on the system are bound to pop up all over the place, and they might cause security problems.
The problem with these smartphones is that their manufacturers don't design them to be upgradeable. So, it doesn't matter whether Google introduces a new version or a patch - these cheap phones won't change and will instead pose a serious security risk. This is the year when we will be finally facing that challenge.
So what did Google do in 2017 to ensure that Android devices' security will rise this year? It launched the Play Protect project, which aims to eliminate most of the problems that occurred up to this point, at least within the applications available in the store. Thus, you can see that everything is heading in a better direction. While the system itself has many variants and a whole mass of manufacturers is hard to control, at least in this area there will be far fewer applications that aim to retrieve user data.
Published at DZone with permission of Iza Majocha, DZone MVB.