UPDATED 01:01 EDT / OCTOBER 14 2015

The elephant in the room: Study confirms Android devices vulnerable due to lack of patches

Researchers at the U.K.’s University of Cambridge have confirmed in a study a fact that has always been the elephant in the room when it comes to Android devices: they just aren’t getting the security patches they need to be kept secure.

The study found that 87 percent of Android devices are exposed to at least one critical vulnerability due to Android handset makers failing to deliver patches.

Data for the study came from over 20,000 Android devices with the Device Analyzer app installed, and was tested against 11 known Android bugs that have been in the public domain in the past five years.

“The difficulty is that the market for Android security today is like the market for lemons,” the researchers explained. “There is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not.”

Not all Android phones are equal, however, with the study finding that Google Nexus devices are the most secure Android devices as they run stock Android installs that don’t rely on manufacturers or telcos to issue patches.

Of the rest, LG phones received the highest scores for security, although that figure may be slanted as LG also has been a primary manufacturer of Nexus phones.

Phones manufactured by Motorola, Samsung, Sony and HTC had poorer results, while smaller Android manufacturers (particularly those from China) fared worse again, with some phones never being provided updates even once.

“The security of Android depends on the timely delivery of updates to fix critical vulnerabilities,” the researchers added. “Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices unpatched for long periods. We showed that the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.”

Needs to be fixed

The deficient provision of Android security updates can fairly be called the elephant in the room because it is an obvious truth that is either being ignored or going completely unaddressed by Google, phone makers and telcos alike.

There is no easy solution that can fix the market as it stands today given the diversity of Android installs, but it is a problem that needs to be fixed, and there is one way Google could do it: it could split security patches in Android out from operating system upgrades, which, outside of Google’s own Nexus line of phones, require the manufacturer, and then often also the telco, to push them out to customers.

It may not be the perfect solution that covers every single potential issue, but if Google were able to push out those patches independently of manufacturers and telcos, it would definitely go some way toward addressing what continues to become an increasingly severe problem.

Image credit: taken-screenname/Flickr/CC by 2.0
