The timespan between reports of Android phone data security problems is getting shorter. As soon as one major security vulnerability is discovered and addressed, other security flaws are found. Due to the number of security issues with the devices, some view Android smartphones as a data breach waiting to happen. That is bad news for healthcare providers with a BYOD policy that allows the devices to connect to their networks.
Critical Vulnerabilities Exist on 87% of Android Devices
Google, the company that developed the Android platform, recently commissioned a report on Android data security and the results are worrisome. The researchers discovered the majority of Android phones contain at least one critical security vulnerability: 87.7% of devices according to the security report.
The study was conducted in the UK by the University of Cambridge and was partially funded by Google. The researchers discovered that while Google is addressing security vulnerabilities by releasing Android updates for the latest version of the Android platform, the majority of Android phone owners are not running that version on their phones. As such, security vulnerabilities are not being addressed for the vast majority of users.
Even phones that run the current Android version are not being updated in a timely manner. Google has been unable to issue updates for the platform quickly enough. As a result, the Android environment can be considered unsafe. Any phone that is not updated could potentially allow cybercriminals to take advantage and infect the device with malware.
The Stagefright vulnerability is a good example. This serious security vulnerability potentially allows hackers to take control of a device, unbeknown to the user. A fix has now been issued, but any user that has not had their phone upgraded will be at risk of infection.
The Brand of Android Device Really Does Make a Difference
The level of risk depends on the brand of phone purchased. Some manufacturers are very quick to issue upgrades, others less so. The study assessed different brands of phones for security vulnerabilities, and some major brands, Sony and HTC, were found to be far more vulnerable than others due to tardiness in issuing security updates. Furthermore, some network providers are preventing phones from being updated. AT&T and Verizon Wireless, for example, have slowed the rollout of updates.
The researchers assessed different mobile phone manufacturers and assigned each a security score. Nexus mobiles were found to be the most secure, with LG in second place and Motorola third. Samsung, one of the most popular brands, came fourth with a security score of less than half that of Nexus. Sony and HTC were next, and were the riskiest of the devices under test.
Android is not as secure as iOS, which is far from perfect, but does have the advantage of quick updates when a security vulnerability is discovered. For the most security-conscious healthcare providers looking to supply phones to their physicians, Apple is the brand of choice.
The new Android data security report should be taken seriously, but users of the phones will not necessarily be attacked. For that to happen, for the most part, they will need to respond to a phishing campaign, download a malware-infected app or visit an infected website.
Don’t Ignore the Android Phone Data Security Risks
It may not be time to replace organization-supplied phones, but Android phone data security issues should not be ignored. Healthcare providers operating BYOD schemes or supplying phones to staff should consider the security of the devices. If phones are being supplied to physicians, for example, Nexus, LG and, to a lesser extent, Motorola would be the brands of choice if Apple devices prove to be prohibitively expensive.
Regardless of the phones used, it is essential to conduct mobile data security awareness training. Alerting employees to Windows, iOS, and Android phone data security risks will help to ensure that their devices are not hijacked, lessening the risk of hackers gaining easy access to healthcare data via network-connected phones.