'Dirty Dozen' most insecure smartphones share same problem: negligence

For phone makers, failure to update the OS is the greatest sin in mobile security

Mobile security risk realities:

  • Android is the No. 1 target for malware writers;
  • Radio-based digital data links such as those on smartphones are inherently insecure;
  • No data is secure when you carry it around in a pocket and often can't remember where you put the phone that holds it.

All those risks of mobile computing apply to all smartphones equally, but none has anything to do with the single fault to blame for making the "Dirty Dozen" smartphones "dirty," according to a study published by Bit9 that identifies 12 smartphones as the most insecure on the market.

"The Most Vulnerable Smartphones of 2011" come from a range of manufacturers – Samsung, HTC, Motorola, LG and Sony, for example. All have one thing in common: failure by the manufacturer to update the smartphone's software in a timely and reliable way.

For example, the number of pieces of malware aimed at Android increased more than 472 percent between July and Nov., according to Juniper Networks – an annual rate of 1,320 percent.

That's partly because Android is so popular; much of the reason that malware can be successful is that 56 percent of Android devices on the market are running out-of-date, insecure software, Bit9 reported.

Android runs on 52 percent of smartphones covered in Bit9's report, 30 percent run iOS and 20 percent run other operating systems.

None of the 12 most insecure smartphones run iOS – because of Apple's higher level of control over the OS, Bit9's report showed.

Apple is able to limit risk first by controlling the market for iOS applications and filtering it for unauthorized code.

Second, and possibly more important, Apple controls the manufacture of the devices and the schedule by which the operating system is updated. That single point of contact is a huge advantage in some ways, according to Harry Svedlove, Bit9's chief technology officer, as quoted in Network World.

"The challenge we had in the Android ecosystem is it's unbelievably fragmented," Svedlove said. "From a security perspective, this eco-system is broken."

Apple's iPhones running versions of iOS older than 4.3, which shipped in March of this year, get an honorable mention as the 13th most-vulnerable phone due to their age and end-of-life status, which ends or restricts updates, the report said.

Because Android is a more open operating system with an open development process, owner Google shepherds the development work of others, rather than controlling everything itself.

That leaves the market open to new developers, but also means less control over how often manufacturers apply patches.

On average, it took makers of Android devices six months to update all their devices to a new version of the OS – delays that put customers directly at risk, Svedlove said.

Samsung has the longest lag time of any major manufacturer, followed by HTC and Motorola in a close heat for second- and third-worst.

The Dirty Dozen, in order, are:

  • Samsung Galaxy Mini
  • HTC Desire
  • Sony Ericsson Xperia x10
  • Sanyo Zio
  • HTC Wildfire
  • Samsung Epic 4G
  • LG Optimus S
  • Samsung Galaxy S
  • Motorola Droid X
  • LG Optimus One
  • Motorola Droid 2
  • HTC Evo 4G

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
