Is Your Android Device Secure Enough?

How safe is my Android? Which Android version is best protected? Are legacy versions targeted by hackers? If you care about your personal data security, you've surely asked yourself one of those questions. In this brief roundup, we’ll cover all major Android versions for smartphones and provide best security practices and useful links for each one.

Legacy Versions

The general rule of thumb is: the older software you have, the more known vulnerabilities it has. This as well applies to operating systems including Android.

So, it’s generally recommended to have the latest device with all latest operating system updates. While this is a good recommendation, it’s not always possible to follow. So, let’s see what the perils and recommendations are if you are using legacy versions (i.e. 2.x to 4.x).

Android 2.x (codenames Eclair, Froyo, Gingerbread)

Versions 2.x have numerous severe vulnerabilities that may cause personal data leaking, including exploits that give the hacker root access (!) to your device. To have a general idea about the risks, you can check some reported issues here: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/version_id-111360/Google-Android-2.3.4.html

If you or your dear person use such a device, like it and wouldn’t want to change it, we advise:

• Do not root this device.
• Do not use this device for web surfing.
• Have only on-demand Internet access on this device (this will as well save the battery). Avoid connecting to publicly available hot spots.
• Be extremely cautious about installing new apps, even from Google Play. Never install “performance optimizers”, “Internet speedup” apps and similar stuff.

Android 4.x (codenames Ice Cream Sandwich, Jelly Bean, KitKat)

While with Android 4.x there are less reported vulnerabilities as compared to 2.x, do not underestimate their severity, regardless of your device vendor. Android 4.4.4 goes as an example here: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/version_id-177951/Google-Android-4.4.4.html

The vulnerabilities have been discovered only recently and they have maximum threat level.

So, while Android 4.x devices are still being sold (and there are a plenty of really awesome makes and brands), we can’t recommend 4.x if you want decent protection.

• If you are going to buy such a device, only buy it if the vendor still releases security fixes for this version of Android.
• Do not root the device.
• Observe extreme caution about what apps you install.
• Have only on-demand Internet access on this device, if possible. Avoid connecting to publicly available hot spots.

Current Versions and Security Patch Level

Before we talk about Android 5.x and 6.x, we’ll cite some good news from Google. Starting August 2015, Google releases security patches for Android every month, similar to Patch Tuesdays by Microsoft. While legacy versions do not get any updates from Google, if you have Android 5.1+, you may be getting the updates.

By the way, some vendors or carriers still may release patches even for pre 5 versions, especially given the lag between releases by Google and the vendors.

Android 5.x (codename Lollipop

Is my 5.x device upgradeable to 6.0?

While Android 5.x is a fairly recent major release, it’s not the latest one. Luckily, some vendors have announced upgrades to 6.0 for some of the existing 5.x lineups. A big list of major vendors and device models is found here: http://www.digitaltrends.com/mobile/android-6-marshmallow-updated-phones/  

Vulnerabilities

A few serious vulnerabilities have been discovered in 5.x already, which, however, can be counteracted if you use discretion. The vulnerabilities list goes here: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/version_id-179829/Google-Android-5.0.html

Some more good news – Android 5.1 (build LMY48Z) is getting security updates. Samsung even enabled security patch level display for its Android 5.x devices.

Security patch level tells you the date of the last security update (which should not be more than 1 month before current date).

This way, we can recommend Android 5.x for use with the following recommendations:

• When buying a 5.x device, you may want to check if it’s upgradeable to Android 6.0 (or it’s a 5.1 device).
• Choose a vendor that regularly releases security fixes that can be checked via security patch level.
• Regularly check your security patch level under Settings -> About phone.
• Avoid installing apps from sources other than Google Play.

Android 6.0 (codename Marshmallow)

While many vulnerabilities are reported for 6.x, they are promptly fixed: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/version_id-187788/Google-Android-6.0.html

If you use Android 6.0:

• Be sure to check the Security patch level under Settings -> About phone.
• While there are many good vendors, if you are after maximum security, devices from Google are your best bet. You will be the first to get the updates and you will have a chance to upgrade your device to a future major Android version (5.1 to 6.0, etc.).

Final Words

Having an older version of Android doesn’t mean attackers won’t bother to hack and exploit your device or steal your data. Older versions are an easier target as they have numerous known vulnerabilities.

Use Android 2.x and 4.x devices with extreme caution and avoid online exposure. While Android 5.x is considered fairly safe, be cautious about what apps you install. If you own an Android 5.1 or 6.0 device, be sure to check your patch level date regularly.

While 97% of infected devices are on Android, only 0.1% of apps in Google’ Play Store may have some sort of malware. So, almost all infected Android devices got infected from pirated apps or apps from untrusted vendors (shady third-party stores in Asia, etc.).

This way, you can stay fairly secure even with legacy devices, if you use discretion. So, in the next article we’ll explain how to protect your data using third-party utilities and apps.