Nearly three-quarters of Android devices on the five biggest U.S. carriers are running on security patches that are at least two months old, putting them at greater risk of being hacked.
That finding was made in an analysis released Thursday by Skycure, a mobile threat defense vendor.
The report also found that the city of Boston has had the biggest recent increase in smartphone and other wireless device threats — including malicious attacks — among 11 major U.S. cities. Incidents in Boston climbed by 960% in the fourth quarter of 2016. The analysis is based on millions of readings from network sensors that Skycure monitors globally.
Unlike Boston, several cities saw a flattening in the number of network incidents. San Francisco experienced a slight decline in the fourth quarter. Skycure didn't explain why Boston increased so drastically, but indicated that rates of incidents can vary widely, with some cities increasing while others hit a plateau.
While the company's analysis pointed especially at Boston and other cities seeing increasing numbers of attacks, mobile threats are generally on the rise. There is plenty of blame to go around, including the length of time it takes wireless carriers to pass along security patches and whether users install patches in a timely manner.
Skycure found that 71% of Android devices are running on security patches that are at least two months old — too old to be considered secure.
Devices with known vulnerabilities that are unpatched are more susceptible to breach, Skycure noted. That's the same advice that many independent security and mobile practitioners and analysts have offered.
That figure is also in line with a Google security report stating that half of all Android devices had not received a security update in the past year.
Roger Entner, an analyst at Recon Analytics, agreed that smartphone users need to quickly load security patches onto their phones. Many smartphone users have told Computerworld via email that operating system updates, sometimes including security patches, have slowed the performance of their phones and so they are reluctant to allow the updates to load.
But Entner used a rough paraphrase of an old Benjamin Franklin aphorism, saying, "those who trade convenience for security shall have neither — and that is true with security updates." (Franklin's famous saying was a bit different, but Entner's point is clear.)
The idea that a security patch should be avoided because it might slow a phone's performance is a fallacy, Entner said in an interview. "Nothing ruins performance as when spyware and malware is active on your phone," Entner said. "It's increasingly a realistic problem."
To be sure, many smartphone users quickly allow updates and patches on their devices when sent a notification that one is available. "I don't even think about" not doing an update or patch, said JR Raphael, a blogger for Computerworld on Android topics. "On the new Android phones, the process is totally seamless and far less invasive than it used to be."
Nancy Newkirk, an iPhone 6 user and CIO and vice president for technology for IDG, the parent company of Computerworld, said she does all updates "as soon as I see them, regardless of size and scope. I read the description but go ahead anyway. Then I let my family know if it's a big one that takes time or a small one that is pretty painless, and they wait a week to see if my phone acts funny or breaks" before they run the updates.
Part of running patches and updates promptly is out of the hands of users, who usually must wait for their wireless carriers to test patches they have learned about from phone vendors or security experts.
"All of us can do a better job at securing our mobile devices — manufacturers, carriers and users," said Varun Kohli, vice president of marketing for Skycure. He said users sometimes avoid patches for their phones because of concerns about performance. But often, users don't know there's a patch available or they have an older phone that doesn't support the latest patch.
Most of the security patches that Skycure detected in its global analysis were not sizable enough to affect a phone's performance, Kohli said. A patch is generally considered a small change to an operating system that addresses one or more specific bugs or holes, or adds support for new hardware or a configuration without adding new features or functionality, he said. They are delivered as "point releases" while updates offer added functionality.
Apple doesn't generally refer to its updates as patches the same way that Android does. Google began releasing monthly Android security patches in late 2015 after the discovery of the Stagefright vulnerability. "We highly recommend patching each Android device as soon as each security patch becomes available because they each address newly disclosed vulnerabilities that malicious attackers may leverage in exploiting unpatched devices," Kohli added.
Skycure's analysis allowed the company to analyze Android devices in January 2017 to determine the age of the security patches that were loaded on phones.
"The most recent security patch was only adopted by a very small percentage of the population, having just been released, but AT&T users were up to 10 times more likely to have this latest patch already installed," Skycure's report said.
The other carriers Skycure evaluated were Verizon, Sprint, T-Mobile and MetroPCS. Skycure didn't offer an explanation for why so many AT&T users loaded the latest patch.
In general, Skycure joined other security experts in recommending users update to the latest patch as soon as it is available. The company also advised to only download apps from trusted first party app stores and to avoid connecting to suspicious free Wi-Fi networks.
Skycure, like many other companies, offers a free threat defense app called Skycure in both the App Store and Google Play. The company offers enterprise Skycure security software as a service starting at less than $8 per device per month.
Even with such defenses, Newkirk said phone users need to back up their vital personal data, like videos and photos, in the event their phone is lost or stolen or attacked in a way that locks it or makes access to data impossible.
"It may seem obvious, but I can't tell you the number of people who don't do the basics like backing up their phones for pictures, etc.," she said in an email. "I'm always astounded by that. It's advice I give to everyone. And yet people don't do it."