Mobile Security - it could be this easy...

01/07/2020
G DATA Blog

The situation with security for smartphones using the Android operating system is improving - albeit very slowly. A major reason for this is the large variety of versions used. In a two-part series, we highlight the current problems and give tips on how to improve the security of the devices.

Eleven years have passed since the launch of the first mobile phone with an Android operating system. Nowadays, the market share in Germany is over 80 percent. Although the very first version can no longer be found on current smartphones, various versions of the fourth generation, better known under the names of “Jelly Bean” and “Kitkat”, are still installed seven years after their first release. In May 2019, the share of what was then the most current version 9 (Pie) was 10.4 percent. The eighth generation of the operating system (Oreo) was running on more than 28 percent of the mobile devices. Even though Google has now released Android 10, little has changed with the generally fragmented situation. In addition, electronics stores are still allowed to sell out-of-date, unsafe Android smartphones without informing customers of the risks. A recent court ruling in Germany has confirmed this practice. So the responsibility lies with the consumer.

The problem with these old versions is that Google has long ceased to support them, so updates and security patches are no longer available. Using devices with old versions is very risky.

Alexander Burris

Lead Mobile Researcher at G DATA CyberDefense

Do-it-yourself

Before users panic and rush out to buy a new device with the latest version, the first piece of advice is to keep calm. The first important thing to do is to check which version is currently running on your smartphone. As a rule, this is a question no user can answer right away, but a quick look at the settings will help clarify things. Users can find the answer under Apps > Settings > About Device or About Phone > Android Version. If you have enabled “Automatic Updates” in the settings, you should usually be up to date. However, each manufacturer has its own update policy, which further complicates the situation. Another catch is that, unfortunately, even the latest version of an out-of-date operating system does not offer complete security. In addition to operating system updates, Android regularly rolls out security updates to close the latest gaps. These are also installed automatically. If you want to know more, you can find the most important information in the Android Security Bulletin, where Google publishes details of the updates every month.

A glimpse into the technical depths

Over the past eleven years, the developers have continuously enhanced and improved Android. They have integrated new features and implemented special variants such as the Android “Go Edition” for low-end devices. This edition targets devices with low RAM (1 GB or less), slow Internet connections and a less powerful CPU. The current Android 10 system, on the other hand, offers improved support for data protection. For example, even access to the storage location or files in the background requires authorisation. Access to unique device identifiers is restricted. Other Android projects such as Treble or Pony EXpress (APEX) are discussed in more detail in the second part of this article.

However, the Android world is more complex than it appears at first glance. Besides version numbers, there are also API levels and NDK versions as well as platform encodings. In Android 8.0.0 (“Oreo”) and higher, individual builds are identified with the build ID format PVBB.YYMMDD.bbb[.Cn]. But what lies behind this complicated sequence of letters and numbers, such as QD1A.190821.014.C2?

  • P stands for the first letter of the code name of the platform release, e.g. O is Oreo.
  • V represents a supported vertical. According to the convention, P represents the primary platform branch.
  • BB is an alphanumeric code that allows Google to identify the exact code branch from which the build originated.
  • YYMMDD identifies the date on which the release branches out from or is synchronised with the development branch. It is not always the exact date on which a build was created, as it is common for minor changes added to an existing build to reuse the same date code as the existing build.
  • bbb identifies individual versions that refer to the same date code, starting with 001.
  • Cn is an optional alphanumeric code that identifies a hotfix on an existing PVBB.YYMMDD.bbb build, starting with A1.

Older Android versions use a different, shorter build ID code (e.g. FRF85B):

  • The first letter is the codename of the release family, e.g. F is Froyo.
  • The second letter is a branch code that allows Google to identify the exact branch of the code from which the build was made. By convention, R is the primary release branch.
  • The third letter and the following two numbers are a date code. The letter counts the quarters (A is Q1 2009, F is Q2 2010, and so on). The two numbers count the days within the quarter (F85 is June 24, 2010). The date code is not always the exact date a build was created, as it is common for minor changes added to an existing build to reuse the same date code as the existing build.
  • The last letter identifies individual versions that refer to the same date code and that run sequentially starting with A (A is implicit and is usually omitted for brevity).
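Both build ID formats described above can be decoded mechanically, which is useful when auditing a device inventory for old builds. The following is an added example, not code from G DATA or Google; the function names, the regular-expression character classes and the sample inventory are assumptions made for illustration. Because the date code marks when the release branch was cut or synchronised, the computed age is only a coarse signal.

```python
import re
from datetime import date, timedelta

# Android 8.0.0+: PVBB.YYMMDD.bbb[.Cn]; character classes are assumptions
# read off the field descriptions above.
NEW_ID = re.compile(
    r"^(?P<release>[A-Z])(?P<vertical>[A-Z])(?P<branch>[A-Z0-9]{2})"
    r"\.(?P<yymmdd>\d{6})\.(?P<seq>\d{3})(?:\.(?P<hotfix>[A-Z0-9]+))?$")
# Older IDs such as FRF85B: release, branch, quarter letter, day, version.
OLD_ID = re.compile(
    r"^(?P<release>[A-Z])(?P<branch>[A-Z])(?P<quarter>[A-Z])"
    r"(?P<day>\d{2})(?P<version>[A-Z])?$")

def parse_build_id(build_id):
    """Split a build ID into its fields and decode the date code."""
    m = NEW_ID.match(build_id)
    if m:
        fields = m.groupdict()
        yy, mm, dd = (int(fields["yymmdd"][i:i + 2]) for i in (0, 2, 4))
        fields["date"] = date(2000 + yy, mm, dd)  # ValueError if impossible
        return fields
    m = OLD_ID.match(build_id)
    if m and int(m["day"]) >= 1:
        fields = m.groupdict()
        q = ord(fields["quarter"]) - ord("A")     # A = Q1 2009, F = Q2 2010
        quarter_start = date(2009 + q // 4, 1 + 3 * (q % 4), 1)
        fields["date"] = quarter_start + timedelta(days=int(fields["day"]) - 1)
        return fields
    raise ValueError(f"unrecognised build ID: {build_id!r}")

def stale_builds(inventory, today, max_age_days):
    """Return (device, reason) for builds whose date code is too old or unparsable."""
    findings = []
    for device, build_id in inventory.items():
        try:
            age = (today - parse_build_id(build_id)["date"]).days
        except ValueError as exc:
            findings.append((device, str(exc)))
            continue
        if age > max_age_days:
            findings.append((device, f"date code is {age} days old"))
    return findings

# Constructed inventory; the first two IDs are the examples quoted in the text.
INVENTORY = {"phone-a": "QD1A.190821.014.C2", "phone-b": "FRF85B",
             "phone-c": "QD1A.1908210.014"}

if __name__ == "__main__":
    for finding in stale_builds(INVENTORY, date(2020, 1, 7), 180):
        print(finding)
```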

Updates - more than new features

Software updates not only bring new emojis or a new design for a smartphone’s user interface, they also improve device security. Developers or security researchers regularly discover new vulnerabilities in operating systems. Some of them are harmless, others massively jeopardize security - the most prominent example being a gap in a library for displaying media content revealed a few years ago. On that particular occasion, 95 percent of all Android mobile devices were affected. Therefore, providing the latest updates is extremely important.

However, smartphones and regular software updates are complicated. Stiftung Warentest, for example, monitored the distribution of updates for more than 100 devices over a period of two years. The product testers summarise who is best at delivering updates by ranking them. The result was that, while other manufacturers only provide their devices with software updates irregularly, or not at all, Apple and Google are exemplary with their own devices (iPhone as well as Pixel and Nexus from Google). They score 100 points (for Apple) and 98 points (for Google) in the test. This is certainly due to the fact that the two companies produce both software and hardware. They can use this pole position to their advantage. Among the other manufacturers, OnePlus ranks at number three, with 83 points. According to Stiftung Warentest, the company conscientiously delivers updates - every model has received at least one higher Android version. They are followed by Motorola, with 81 points, Samsung (80 points), Huawei (76 points) and Sony (67 points). It should be mentioned that the manufacturers in the first three places offer a relatively uncluttered portfolio and therefore have to supply fewer device models with updates. Other companies, such as industry leader Samsung, are different. The South Korean company offers a wide range of smartphones in every price range, so the situation with updates looks more confusing with Samsung. According to Warentest, the company “looks after expensive top models carefully”. However, cheaper or older models have only received two updates in the past two years. The situation is similar with other companies such as Huawei and Sony.

In the second part of the article, we will look at the subject of Android updates in more detail and reveal the current projects with which Google is aiming to improve security.