Nearly three-quarters of Android devices on the five biggest U.S. carriers are running on security patches that are at least two months old, putting them at greater risk of being hacked.
That finding was made in an analysis released Thursday by Skycure, a mobile threat defense vendor.
The report also found that the city of Boston has had the biggest recent increase in smartphone and other wireless device threats — including malicious attacks — among 11 major U.S. cities. Incidents in Boston climbed by 960% in the fourth quarter of 2016. The analysis is based on millions of readings from network sensors that Skycure monitors globally.
Unlike Boston, several cities saw a flattening in the number of network incidents. San Francisco experienced a slight decline in the fourth quarter. Skycure didn’t explain why Boston increased so drastically, but indicated that rates of incidents can vary widely, with some cities increasing while others hit a plateau.
While the company’s analysis pointed especially at Boston and other cities seeing increasing numbers of attacks, mobile threats are generally on the rise. There is plenty of blame to go around, including the length of time it takes wireless carriers to pass along security patches and whether users install patches in a timely manner.
Skycure found that 71% of Android devices are running on security patches that are at least two months old — too old to be considered secure.
Devices with known vulnerabilities that are unpatched are more susceptible to breach, Skycure noted. That’s the same advice that many independent security and mobile practitioners and analysts have offered.
That figure is also in line with a Google security report stating that half of all Android devices had not received a security update in the past year.
Roger Entner, an analyst at Recon Analytics, agreed that smartphone users need to quickly load security patches onto their phones. Many smartphone users have told Computerworld via email that operating system updates, sometimes including security patches, have slowed the performance of their phones and so they are reluctant to allow the updates to load.
But Entner used a rough paraphrase of an old Benjamin Franklin aphorism, saying, “those who trade convenience for security shall have neither — and that is true with security updates.” (Franklin’s famous saying was a bit different, but Entner’s point is clear.)
The idea that a security patch should be avoided because it might slow a phone’s performance is a fallacy, Entner said in an interview. “Nothing ruins performance as when spyware and malware is active on your phone,” Entner said. “It’s increasingly a realistic problem.”
To be sure, many smartphone users quickly allow updates and patches on their devices when sent a notification that one is available. “I don’t even think about” not doing an update or patch, said JR Raphael, a blogger for Computerworld on Android topics. “On the new Android phones, the process is totally seamless and far less invasive than it used to be.”
Nancy Newkirk, an iPhone 6 user and CIO and vice president for technology for IDG, the parent company of Computerworld, said she does all updates “as soon as I see them, regardless of size and scope. I read the description but go ahead anyway. Then I let my family know if it’s a big one that takes time or a small one that is pretty painless, and they wait a week to see if my phone acts funny or breaks” before they run the updates.