Security metrics for the Android ecosystem

Daniel R. Thomas; Alastair R. Beresford; Andrew Rice

doi:10.17863/CAM.27064

Security metrics for the Android ecosystem

Daniel R. Thomas, Alastair R. Beresford, Andrew Rice

Computer And Information Sciences

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution book

62 Citations (Scopus)

25 Downloads (Pure)

Abstract

The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities. We define the FUM security metric to rank the performance of device manufacturers and network operators, based on their provision of updates and exposure to critical vulnerabilities. Using a corpus of 20400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators. This provides a comparison point for purchasers and regulators to determine which device manufacturers and network operators provide security updates and which do not. We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10. In our data, Nexus devices do considerably better than average with a score of 5.17; and LG is the best manufacturer with a score of 3.97.

Original language	English
Title of host publication	ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM)
Publisher	Association for Computing Machinery (ACM)
Pages	87-98
Number of pages	12
ISBN (Print)	9781450338196
DOIs	https://doi.org/10.17863/CAM.27064 https://doi.org/10.1145/2808117.2808118
Publication status	Published - 12 Oct 2015
Event	5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices 2015 - Denver, United States Duration: 12 Oct 2015 → 12 Oct 2015

Conference

Conference	5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices 2015
Abbreviated title	SPSM15
Country/Territory	United States
City	Denver
Period	12/10/15 → 12/10/15

Keywords

Android
updates
vulnerabilities
metrics
ecosystems
operating systems security

Access to Document

Thomas-etal-SPSM2015-Security-metrics-Android-ecosystemAccepted author manuscript, 667 KB

Daniel Thomas
- d.thomasstrath.acuk
- Computer And Information Sciences - Senior Lecturer
- StrathCyber
Person: Academic

Cite this

@inproceedings{3b82ae19da4045ba9286a6dada0e1b8c,

title = "Security metrics for the Android ecosystem",

abstract = "The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities. We define the FUM security metric to rank the performance of device manufacturers and network operators, based on their provision of updates and exposure to critical vulnerabilities. Using a corpus of 20400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators. This provides a comparison point for purchasers and regulators to determine which device manufacturers and network operators provide security updates and which do not. We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10. In our data, Nexus devices do considerably better than average with a score of 5.17; and LG is the best manufacturer with a score of 3.97.",

keywords = "Android, updates, vulnerabilities, metrics, ecosystems, operating systems security",

author = "Thomas, {Daniel R.} and Beresford, {Alastair R.} and Andrew Rice",

year = "2015",

month = oct,

day = "12",

doi = "10.17863/CAM.27064",

language = "English",

isbn = "9781450338196",

pages = "87--98",

booktitle = "ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM)",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices 2015, SPSM15 ; Conference date: 12-10-2015 Through 12-10-2015",

}

Thomas, DR, Beresford, AR & Rice, A 2015, Security metrics for the Android ecosystem. in ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). Association for Computing Machinery (ACM), pp. 87-98, 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices 2015, Denver, Colorado, United States, 12/10/15. https://doi.org/10.17863/CAM.27064, https://doi.org/10.1145/2808117.2808118

TY - GEN

T1 - Security metrics for the Android ecosystem

AU - Thomas, Daniel R.

AU - Beresford, Alastair R.

AU - Rice, Andrew

PY - 2015/10/12

Y1 - 2015/10/12

N2 - The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities. We define the FUM security metric to rank the performance of device manufacturers and network operators, based on their provision of updates and exposure to critical vulnerabilities. Using a corpus of 20400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators. This provides a comparison point for purchasers and regulators to determine which device manufacturers and network operators provide security updates and which do not. We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10. In our data, Nexus devices do considerably better than average with a score of 5.17; and LG is the best manufacturer with a score of 3.97.

AB - The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities. We define the FUM security metric to rank the performance of device manufacturers and network operators, based on their provision of updates and exposure to critical vulnerabilities. Using a corpus of 20400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators. This provides a comparison point for purchasers and regulators to determine which device manufacturers and network operators provide security updates and which do not. We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10. In our data, Nexus devices do considerably better than average with a score of 5.17; and LG is the best manufacturer with a score of 3.97.

KW - Android

KW - updates

KW - vulnerabilities

KW - metrics

KW - ecosystems

KW - operating systems security

U2 - 10.17863/CAM.27064

DO - 10.17863/CAM.27064

M3 - Conference contribution book

SN - 9781450338196

SP - 87

EP - 98

BT - ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM)

PB - Association for Computing Machinery (ACM)

T2 - 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices 2015

Y2 - 12 October 2015 through 12 October 2015

ER -

Security metrics for the Android ecosystem

Abstract

Conference

Keywords

Access to Document

Fingerprint

Profiles

Daniel Thomas

Cite this