BIT9 REPORT

The Most Vulnerable Smartphones of 2011

November 21, 2011

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 The Raw Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 Apple iPhone and iOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 Vulnerability Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Attribution
Author
Harry Sverdlove

Contributors
Dan Brown Jonathan Cilley Kate Munro

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Executive Summary
The explosion of smartphones on the market today has blurred the lines between personal and business computing. We are rapidly approaching half billion smartphones worldwide, with the majority of smartphone users accessing business information or corporate email on their personal devices. Mobile malware is on the rise as technology has outpaced security. The importance of understanding the risks to both your personal and corporate data in this changing landscape has never been more important. In this report, we analyzed the mobile market and identified the most vulnerable smartphones of 2011. What we found is that Android phones, which account for the majority of all new smartphones purchased in 2011, have the most complex software distribution model. Phone manufacturers and the phone carriers are responsible for distributing important updates, instead of Google, the makers of the Android operating system. The result is that Android phones are most likely to run for long periods of time with known security flaws. All 12 of the top most vulnerable phones in our report are Android models.

Ranking 1 2 3 4 5 6 7 8 9 10 11 12

Phone Model Samsung Galaxy Mini HTC Desire Sony Ericcson Xperia X10 Sanyo Zio HTC Wildfire Samsung Epic 4G LG Optimus S Samsung Galaxy S Motorola Droid X LG Optimus One Motorola Droid 2 HTC Evo 4G

33%
Portion of the Android user base represented by these phones

7 months
The average time for updates to start arriving after a new Android release

20 months
Oldest model on this list

10
Number of models in this list that are either no longer sold or no longer receiving Android updates

9
Number of models initially released at least one major version behind Android

Of the most popular Android phones, these are the ones most likely to be running out-of-date and insecure software, as well as being the slowest to provide updates when the Android operating system is revised. Of the top four Android phone manufacturers, Samsung was the slowest to provide updates to their phones, falling on average eight months behind Googles release cycle for the operating system. The open nature of the Android ecosystem has created a chaotic environment where users never know when important updates might be provided. Manufacturers are focused on providing newer phone models, often retiring existing models within 12 to 18 months of purchase, even as phone contracts are typically two years.

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

With Android phones containing disparate components, including manufacturer customizations and bundled third-party applications, the importance of providing timely updates is even higher . Manufacturers need to provide updates more frequently and commit to supporting their phones for at least two years, or they should relinquish control of the operating system to Google . Similarly, phone carriers need to remove their involvement in the update process . Just as we do not expect our Internet providers to be responsible for updating our personal computers, we should not expect carriers to own the software updates for our smartphones . In addition, the decentralized nature of app stores in the Android market has made it easier for malicious actors to attack Android smartphones . The extraordinary rise in Android malware has come largely from malicious apps finding their way into app stores . In summary, while the Android ecosystem has fostered great innovation in the mobile space, it is in need of significant change in order to protect the security and integrity of the fastest growing segment of mobile computing . The majority of all Android phones run outdated versions of the operating system for too long . The Apple iPhone 4 (and earlier models) earns an honorary spot as #13 on our top most vulnerable list . Adoption rates for major iOS versions is high, and with the release of iOS 5, Apple users can now receive updates over-the-air (OTA) . However, a significant portion of iPhone users never dock their phones, and therefore never receive software updates or security fixes . Apple iPhone devices running iOS 4 (or earlier) receive the honorary spot to raise awareness of the importance of docking these older devices . While there are no easy answers, we hope that by releasing this report, it will help raise awareness of the problem and encourage change toward a more secure ecosystem .

Background
For the past few years, Bit9 has released an annual report of the most vulnerable Microsoft Windows applications, based on vulnerability data from the U .S . National Institute of Standards and Technology (NIST) . The goal was to raise awareness of the need to understand where risks lie, and the importance of patching and controlling the software within your enterprise . While Windows remains the most popular operating system for corporate desktops and laptops, the exponential growth of mobile devices in the workplace is changing the risk landscape . The consumerization of IT, where 76% of smartphone users are bringing their personal mobile devices to work and using these devices for business purposes, presents and tablet users a new set of challenges for IT security . Seventy-six percent (76%)1 of smartphone and tablet users access business information on their mobile devices . With well over 300 million smartphones in use worldwide, we business access decided to focus our research this year on this emerging sector . The goal, similar to our previous reports, was to look at the information on their most vulnerable smartphones to understand where the risk lies to consumers and corporations .

76% of smartphone and tablet users access business information on their mobile devices.
Source: globalthreatcenter .com

globalthreatcenter .com

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

We began by looking at the overall smartphone market . While statistics vary on the current market share of mobile operating systems, they all agree on the trend . For new smartphones purchased in 2011, the plurality (and in recent studies, the majority) of new phone purchases in 2011 contain the Google Android operating system . Apple iOS (the operating system used on iPhones) comes in second, followed by RIM Blackberry, with the remainder having single digit percentages of new purchases (Microsoft Windows Phone, Symbian OS, HP webOS, et .al .) . An August 2011 report by Nielsen shows this graphically:

Operating System Share of Recent Smartphone Acquirers

US Mobile Insights, National 50 40 30 20 10 0

50% Android Blackberry 29% Apple Palm Symbian 11% 5% 2%

Q3 2009 Q4 2009 Q1 2010 Q2 2010 Q3 2010 Q4 2010 Q1 2011 Q2 2011

Windows Mobile Linux Windows Phone 7

As of Q2 2011, Android and iOS comprised almost 80 percent of the new smartphone purchases, so we decided to focus our research on these two platforms . We considered RIM Blackberry, the third most popular operation system Blackberry but quickly excluded these devices from the most vulnerable set . Blackberry offers an Enterprise Server where companies can manage updates and control applications running on users Blackberry devices, making them less likely to operate for long periods of time with known security flaws . While vulnerabilities do exist for Blackberry devices, these risks can be centrally managed and mitigated . We will be watching Windows Phone closely in the coming quarters . At less than 2 percent2 of the current market share, and falling by some estimates, we decided to exclude Windows Phone for now .

www .zdnet .com/blog/hardware/gartner-windows-phone-market-share-crashes/16279

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

A follow-up Nielsen report3 in September 2011 validates that this trend continues, with Android comprising a larger share of new smartphone purchases:
Share of Android Market of Top 20 Phones by Manufacturer
Operating System Share: All Subscribers and Recent Acquirers August 2011, Nielson Mobile Insights, National

Android code names its major updates alphabetically with the names of desserts:
Android 1.5 is called Cupcake Android 1.6 is called Donut Android 2.0 (through 2.1) is called clair Android 2.2 is called Froyo (for Frozen Yogurt) Android 2.3 is called Gingerbread Android 3.x, for tablets only, is called Honeycomb Android 4.x, just announced October 2011, is called Ice Cream Sandwich In addition to offering new functionality, each release, including the minor releases, contain important security fixes and patches to known vulnerabilities .

100%

11%
80%

7% 9% 28%

Android iOS Blackberry Other

18%

60%

28%

40%

56%
20%

43%

0% All Smartphones Subscribers 3 Month Recent Acquirers

The Android operating system used by smartphones is free and open source software based on the Linux kernel . Phone manufacturers are able to customize the software with their own features and behaviors and freely distribute those customizations . Google regularly updates the Android operating system, providing new functionality and security fixes, but it is up to each phone manufacturer to decide whether and when to incorporate those updates . While Google provides its own app store, users are not restricted to this one marketplace . There are dozens of smaller Android app stores, each with different standards (or none at all) for developers to publish their applications . This ecosystem has enabled a fast growing and diverse set of applications, but it also means there is no centralized standard on quality or security for Android applications . There are over 250 thousand applications available for Android devices . The number of known malicious Android applications grew 400 percent in the first six months of 2011, with Lookout Mobile Security reporting4 increase from 80 infected Android apps in January 2011 to over 400 infected apps detected in June 2011 . Juniper Networks is reporting5 another 472 percent increase in Android malware sample from July to November 10, 2011 .

3 4 5

blog .nielsen .com/nielsenwire/online_mobile/in-u-s-market-new-smartphone-buyers-increasingly-embracing-android www .mylookout .com/mobile-threat-report globalthreatcenter .com/?p=2492

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Apple iOS, in contrast, is a proprietary operating system only available on Apple manufactured devices . This closed environment prevents the diversity of user experience seen on Android devices, but it also provides for less fragmentation in terms of software updates . When iOS updates with new functionality or security patches, Apple alone is responsible for pushing out those updates . There is only one official Apple app store, and the submission process for developers is more rigorous than for Android app stores (not necessarily more security focused) . There are over 500 thousand applications available for iOS devices .

Too Many Cooks in the Kitchen

In early October 2011, a security vulnerability was discovered 5 in the HTC Sense UI, the customized layer that HTC provides on top of Android . The vulnerability enables an attacker to access personal information on the phone, including recent phone calls and email addresses . This flaw impacted several models of HTC, including Evo, Sensation, Thunderbolt and Wildfire . HTC released an emergency patch in late October to address the issue . In announcing the patch, HTC included this quote: Sprint worked closely with HTC after reports emerged of a potential issue that could allow malicious third-party apps to compromise data on Android devices made by HTC. The security fix applies to phones from other carriers, such as T-Mobile and Verizon Wireless, so how is Sprint involved uniquely from the other carriers? When a security flaw is found in Windows, do you expect your home internet provider to provide a patch? This is part of the problem of the Android ecosystem . There are too many cooks in the kitchen . In this case, Google provides the underlying operating system, HTC provides a customized layer, and then Sprint provides additional customization (or something) . This causes unnecessary delays in releasing updates .

Peeling Back the Layers

Since the Android market is diverse, we realized the need to dig deeper to understand the update model of Android smartphones . The further we dug, the more complicated things became . There are several major Android phone manufacturers . Each phone model has several variants with different lifespans and update cycles . The models vary further depending on the carrier . For example, the LG Optimus One releases as LG Optimus S for Sprint, LG Optimus V for Virgin Mobile, LG Vortex for Verizon Wireless, and so on. Each sub-model has its own software update cycle, and that varies depending on carrier and geographic location . At the same time the HTC Desire was being updated to Android 2 .2 in Europe, for example, it was being released in the United States with Android 2 .1 .

Manufacturers release new phone models every 12 to 18 months, concentrating their development efforts on their newer models . The newer models are the first to receive the latest software updates . In many cases, Android users find themselves with an orphaned, or end-of-life, phone well before their two-year carrier contracts have expired . Often, customers are left with no choice but to purchase a new phone to receive the latest Android updates . In addition, most manufacturers add their own customizations or skins to the operating system, and those enhancements introduce additional vulnerabilities that require separate updates . Combined into the mix are third party components like Adobe Reader and Flash . Some models come pre-packaged with third-party components, with versions varying based on manufacturer and model, and others do not . Whether these third-party components are updated by the manufacturer, by the phone owner, or not at all, also varies . From a security perspective, the situation is disturbingly complex . It is not surprising that Android phones comprise the entire top 12 most vulnerable smartphones of 2011 .

Often, customers are left with no choice but to purchase a new phone to receive the latest Android updates.

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Methodology
Selecting the Phones
We decided to start by identifying the most popular Android phone models by market share. AppBrain provides a list of the top Android phones based on its user base. We took a snapshot of that list on October 26, 2011, and did our investigation on those models. As new models are continuously being released and the Android market is growing rapidly, it is expected that the list will change over time, but this represented a good cross section and accounted for more than 50 percent of the overall Android phone market at the time. The list we chose is not a complete list of all Android phones on the market but it is a good cross section of the manufacturers and their top models. Breaking these models down by manufacturer shows a clearer picture:

Phone Samsung Galaxy S Samsung Galaxy S2 HTC Evo 4G HTC Desire HTC Desire HD Motorola Droid X Samsung Galaxy Ace HTC Droid Incredible Sony Ericsson Xperia X10 Sanyo Zio LG Optimus

Market Share 9.3% 9.2% 5.4% 3.9% 3.7% 3.2% 1.9% 1.7% 1.6% 1.6% 1.5% 1.5% 1.3% 1.2% 1.2% 1.2% 1.1% 1.1% 1.1% 52.7%

5.9% 4.4% 24.1%

Share of Android Market of Top 20 Phones by Manufacturer

Samsung HTC Motorola Other LG 2.7% Sanyo 1.6% Sony 1.6%

Samsung Galaxy Mini HTC Wildfire T-Mobile G2 (HTC) LG Optimus One Motorola Droid 2 HTC Sensation Samsung Epic 4G Nexus S (Samsung) Total Market Share

18.3%

Source: AppBrain (2011, October 26) www.appbrain.com/stats/ top-android-phones. Note: Only smartphone models included, tablets were removed from the list.

While market shares of manufacturers vary depending on the geography, the top four manufacturers worldwide are Samsung, HTC, Motorola, and LG. A report on the smartphone market by Nielsen,6 covering Q22011, shows a different order, but sales of Motorola models have slipped the past few months, while Samsung has gained market share. Overall, we felt this list accurately represents the Android smartphone market.

blog.nielsen.com/nielsenwire/online_mobile/in-u-s-smartphone-market-android-is-top-operating-system-apple-is-top-manufacturer

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Establishing a Rating System

There is no such thing as flawless software . All software has issues, and over time these issues get discovered and resolved . While attackers are continually looking for the next unknown vulnerability (the Zero-Day), once a vulnerability is publicly known, it is open season until a fix is provided . That is why it is critical in security to provide regular and timely updates . The vulnerability of a given device is not just about how out-of-date that device is now; it is also about how out-of-date it has been in the past . This provides a good indicator of how well the manufacturer might respond to the next update . Android smartphones contain several software components: the underlying base Android operating system, manufacturer customizations (e .g . HTC Sense, Motorola MotoBlur, Samsung TouchWiz), and third-party components (e .g . Adobe Flash, Sun Java) . Each of these pieces can contain vulnerabilities or flaws that a malicious actor can use to steal personal information or take control of the device . It would be extremely difficult to gather the versions and update cycles of every component of an Android smartphone . Information on the manufacturer customizations is not as forthcoming as with the Android operating system itself . If Samsung pushes out an update to its TouchWiz interface, for example, it is not always clear when the update was first available, so we cannot measure the timeliness of the push . Measuring updates is further complicated by third-party applications . When a smartphone pre-provides third-party applications (e.g. a YouTube viewer, Adobe Reader), the application is not always properly associated with its Android market link. This means that the consumer may not be notified when there are updates to that application . The update may come from the Android market, from the manufacturer, or never at all .

We graded each model based on its current Android operating system version and when Android updates were provided over-the-air to the phone.
As with selecting Android models to review, we had to set parameters for measuring software updates . We decided to grade each model based on when its underlying Android operating system was updated . Since most manufacturers push out major updates that include both their own components along with updates to the Android software, this tends to be a good overall indicator . Sometimes a manufacturer will release an update as a file on their support web site . The process for installing such updates varies by manufacturer . In some cases, the process is extremely laborious: requiring you to manually backup your apps and data, navigate to a web site, download a specific file, unzip the package, install the package, reboot the phone, and finally reinstall your personal data . It also assumes the customer knows to look for the update in the first place . Some manufacturers distribute utilities to make this process easier . Samsung provides a program called KIES that automatically checks for and installs updates when you connect your phone to the computer . This utility does not work on all Samsung models or for all updates . The variations for how manual updates are distributed are complex and the adoption rates of these methods are not publicly available . Therefore, we decided to only count over-the-air (OTA) updates, not updates that manufacturers post online for manual download and installation .

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

We recognize this decision may generate some controversy. Over-the-air updates might occur weeks or months after a manual update is made available for download. However, for the general populationnot Android aficionadosthe manual update processes will never be used. The majority of Android users will only update when they turn on their phone and it says An update is available. Our goal was to measure the update times for the ordinary user. Our decision to only consider OTA updates is further validated by cross-referencing our results with those from Google. In fact, we are arguably too aggressive in our update estimates. The total market share of all smartphones in our list that are still running Android 2.2 (based on OTA updates) is 10.9 percent. As of the beginning of November, 2001, the latest version of Android OS was 2.3.7. According to Googles statistics,7 as of November 3, 2011, 40.7 percent of Android devices are running Android 2.2 (in total, 56 percent are running Android 2.2 or earlier). Googles data is based on all Android devices that have communicated with the Google app store in the preceding two weeks.

4.7%

Current Distribution
Android 2.3.3 2.3.7 Android 2.2

Platform Android 1.5 Android 1.6 Android 2.1 Android 2.2 Android 2.3 2.3.2 Android 2.3.3 2.3.7 Android 3.0 Android 3.1 Android 3.2

Code Name Cupcake Donut clair Froyo Gingerbread

Distribution 0.9% 1.4% 10.7% 40.7% 0.5% 43.9%

10.7%

Android 2.1 Android 1.6 43.9% Android 1.5 Android 3.1 Android 3.2

Honeycomb

0.1% 0.9% 0.9%

40.7%

Android 2.3 2.3.2 Android 3.0

Source: Google, (2011, November 3), developer.android.com/ resources/dashboard/platform-versions.html. Note: Data collected during a 14-day period ending on November 3, 2011

Our data is more forgiving than Googles in terms of estimating upgrade rates. This discrepancy could be explained by the fact that we chose only the most popular models, and perhaps the less popular models are disproportionately out-of-date. On the other hand, our phone list also does not include the dozens of newer models that have yet to reach popularity and are running newer versions of Android. However you reconcile the difference, we believe it is accurate to assume most Android users only upgrade their operating system when the update arrives automatically over-the-air.

Our data is more forgiving than Googles in terms of estimating upgrade rates.

developer.android.com/resources/dashboard/platform-versions.html

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

About the Vulnerability Score

Each smartphone in our list was assigned a vulnerability score; the higher the score, the more vulnerable (or at risk) the phone . The score was calculated from three variables (see Raw Data section for actual results):
1. CURRENT ANDROID VERSION

Each smartphone was assigned a Version Penalty based on the Android OS version currently available on the phone. The more outdated the version, the higher the penalty, using the following table:
Android Version 2 .1 Original Release Date January 12, 2010 Penalty 7 Comments If a phone is still running a version of the operating that is almost two years old, that should be considered extremely bad . There have been a number of major vulnerabilities fixed since 2 .1 . Note: None of the models we reviewed were still using Android 2 .1, so this is somewhat academic . This version is 18 months old, and had serious vulnerabilities that have since been fixed . Some of those fixes came in the form of point releases, like 2 .2 .2 . Since we were unable to get that granularity of data from the manufacturers, we did not distinguish between minor updates of 2 .2 .x . 2 .3 .x is latest version of Android . However, the first few releases 2 .3 and 2 .3 .3 are almost one year old . The reason we did not distinguish between 2 .3 and 2 .3 .3 is because we were unable to properly verify this distinction against manufacturer data . A number of manufacturer update announcements, for example, say Android 2.3 when they really mean Android 2.3.3. Even though 2 .3 .4 is seven months old, the subsequent point releases were relatively minor . Any phone that is currently shipped with, or automatically upgrading their users to, Android 2 .3 .4 or later was assessed no Version Penalty .

2 .2

May 20, 2010

2 .3 2 .3 .3

December 6, 2010 February 1, 2011

2 .3 .4 2 .3 .5 2 .3 .6 2 .3 .7

April 1, 2011 July 25, 2011 September 1, 2011 September 1, 2011

2. CURRENCY OF ANDROID UPDATES

We gathered data on when each smartphone was first available and when they distributed Android OS updates over-the-air . Comparing those dates against the original release dates for the same Android OS version provided an average lag time for each modelthe number of days between general availability of a version of Android OS and when it is available on a given smartphone . To account for margins of errors in the release dates, we divided this average by 90 (essentially, the average number of quarters each model took to update to any OS version). This value is the Currency Penalty assigned to each phone on our list. The higher this value, the longer that phone has been historically out-of-date and therefore the greater the security risk it poses . Determining accurate dates for each phone was challenging, and we used a few techniques to give the benefit-of-the-doubt to the manufacturer . See Determining Initial Release and Update Dates for further details .

10

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

3. ADDITIONAL EGREGIOUS BEHAVIOR

We assigned an Extra Penalty value to phones where there were additional risk factors in the phones update cycle that would not be picked up by the Version Penalty or Currency Penalty . There was only one phone on the list, the Sony Ericsson Xperia X10, which required this additional penalty . This particular model smartphone had three notable concerns, unique among all the phones on the list: It skipped a major Android release entirely (Android 2.2), going directly from Android 2.1 to 2.3.3. Even though it released around the same time or later as many of the other models, it released with Android 1.6. Every other phone released with a 2 .x version of Android . It is not clear whether its Android 2.3.3 update fits our must be available over-the-air criteria. The update was initially available as a manual download, did not appear to work with all Xperia X10 models, and installing the update came with several caveats . We decided to list 2 .3 .3 as its current version because it is hard to believe that such a popular phone would still be at 2 .1, but we do not have the same level of confidence in this fact as with the other models . Establishing the most vulnerable smartphone was then simply a matter of adding up the penalties, and taking the top 12 highest scores . Where models received equal total vulnerability scores, they were sorted from the most to the least popular . While this did not impact the number one position, it could be argued that sorting equally vulnerable phones by market share is somewhat arbitrary . However, some criteria must be used and the more popular a phone, the greater its impact on the general consumer base . For example, given two phones of equal vulnerability, the phone used by five million users is at higher risk of being attacked than the one used by one million users. Manufacturers know which of their models are most popular, and if there must be a prioritization of updates (an unfortunate reality), the more prevalent models should come first . More importantly, debating whether the phones in the second and third positions of our list should be swapped, for example, misses the point . The primary purpose of our research was to highlight the overall problem of poor currency and delays in software updates within the smartphone market and the impact this has on security .

Determining Initial Release and Update Dates

Obtaining reliable data on when smartphone models are actually available and when OTA updates are distributed was the most difficult part of this research. Phone manufacturers often announce a new phone model months in advance of that phone actually being ready for purchase. Similarly, they announce upcoming software update months in advance of actually rolling out those updates to customers . As noted earlier, manufacturers often post an update as a manual download on their support site either instead of, or in advance of, rolling out an OTA update . In a number of instances, we found updates that were pushed out, only to be pulled (un-released) a few weeks later due to stability issues. For example, the LG Optimus S pushed out its Android 2 .3 update in September 2011 and then halted the process . As of this writing, to the best of our knowledge, the LG Optimus S update still has not been re-released . Another example is the Sanyo (Kyocera) Zio . The Android 2 .2 update for the Zio was initially rolled out in February 2011, only to be halted in March 2011, and then re-released in May 2011 . In these cases, we took the later datethe date the update was actually sustained . To establish initial release dates and update dates, we had to rely on multiple sources, including manufacturer release notes, carrier release notes, press releases, Android developer forums, and trade articles . When possible, we used release and availability dates in the United States . There were several cases where phone manufacturers released updates in Europe or Asia months in advance of the US market, but international dates are harder to come by, less reliable, and impact only a subset of customers . In general, we found that the US dates were the most reliable indicator of when an update is available for all customers . There were only two models on our list that were not officially released in the US markets: the Samsung Galaxy Mini, and the Samsung Galaxy Ace . For those models, we used their UK release dates .

11

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

To account for potential inaccuracies in our data, giving as much deference as possible to the manufacturers, we did three things: We used the first available dates we could find, independent of carrier. Availability dates for updates usually depend on the carrier. For example, Verizon Wireless users might receive an update weeks (or even months) in advance of AT&T for the same model phone . Whenever the exact date was unclear, we assumed the first day of the month in which the update was released. We divided the average lag time (days between phone update and public availability of the base Android operating system) by 90 and used that rounded number as the Currency Penalty value . This provides for a margin of error of +/- 45 days in our data . For example, if the average days between smartphone update and Android OS update were 300, it would be assigned a Currency Penalty of 3 . In the end, we believe the dates we chose accurately reflect when manufacturers began rolling out an update in the US market (or UK market for the Samsung Galaxy Mini and Galaxy Ace) .

The Raw Data

Summary of the Vulnerability Scores for the Top Android Smartphones
Ranking 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 Manufacturer/Model Samsung Galaxy Mini HTC Desire Sony Ericsson Xperia X10 Sanyo Zio HTC Wildfire Samsung Epic 4G LG Optimus S Samsung Galaxy S Motorola Droid X LG Optimus One Motorola Droid 2 HTC Evo 4G HTC Desire HD Samsung Galaxy Ave T-Mobile G2 HTC Sensation Samsung Galaxy S2 HTC Droid Incredible Nexus S Vuln Score 9 8 6 8 8 8 7 5 4 4 4 3 3 3 2 2 1 1 0 Market Share 1 .5% 3 .9% 1 .6% 1 .6% 1 .3% 1 .1% 1 .5% 9 .3% 3 .2% 1 .2% 1 .2% 5 .4% 3 .7% 1 .9% 1 .2% 1 .1% 9 .2% 1 .7% 1 .1% Release Date Apr-11 Aug-10 Aug-10 Oct-10 Oct-10 Aug-10 Nov-10 Jun-10 Jul-10 Nov-10 Aug-10 Jun-10 Oct-10 Mar-11 Oct-10 Jun-11 May-11 Apr-10 Dec-10 Initial Version 2 .2 2 .1 1 .6 2 .1 2 .1 2 .1 2 .2 2 .1 2 .1 2 .2 2 .2 2 .1 2 .2 2 .2 2 .2 2 .3 .3 2 .3 .3 2 .1 2 .3 Current Version 2 .2 2 .2 2 .3 .2 2 .2 2 .2 2 .2 2 .2 2 .3 2 .3 .3 2 .3 .3 2 .3 .3 2 .3 .3 2 .3 .3 2 .3 .4 2 .3 .4 2 .3 .4 2 .3 .4 2 .3 .4 2 .3 .6 Avg Lag (in days) 316 .00 232 .50 262 .33 304 .00 228 .50 291 .33 165 .00 254 .33 140 .50 188 .50 148 .00 114 .33 116 .00 225 .33 189 .00 135 .00 130 .50 121 .67 0 .00 Version Penalty 5 5 2 5 5 5 5 2 2 2 2 2 2 0 0 0 0 0 0 Currency Penalty 4 3 3 3 3 3 2 3 3 2 2 1 1 3 2 2 1 1 0 3* Extra Penalty

Data as of November 1, 2011 . US market release dates and versions used when available (UK data used for Galaxy Mini and Galaxy Ace) . * Sony Ericcson Xperia X10 received penalty for: skipping version 2 .2 entirely, releasing with version 1 .6 out of the gate, and questions surrounding the OTA nature and applicability of their 2 .3 .3 update .

12

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

The next table shows the dates we used to calculate average lag time between initial availability and over-the-air updates and Googles release of the underlying Android operating system .

Availability Dates of the Different Operating System Versions for the Top Android Smartphones
Manufacturer/Model Samsung Galaxy Mini HTC Desire Sony Ericsson Xperia X10 Sanyo Zio Htc Wildfire Samsung Epic 4G LG Optimus S Samsung Galaxy S Motorola Droid X LG Optimus One Motorola Droid 2 HTC Evo 4G HTC Desire HD Samsung Galaxy Ace T-Mobile G2 HTC Sensation Samsung Galaxy S2 HTC Droid Incredible Nexus S Google Android Availability (baseline dates) Sep-09 Jan-10 May-10 Apr-10 Aug-10 Dec-10 Dec-10 Feb-11 Feb-11 Jun-10 Jun-10 Jul-10 Aug-10 Aug-10 Oct-10 Oct-10 Oct-10 Aug-10 May-11 Dec-10 Mar-11 Nov-10 Mar-11 Sep-10 Nov-10 Aug-10 Aug-10 Oct-10 Mar-11 Oct-10 Aug-11 Jul-11 Jun-11 May-11 Nov-11 May-11 Jun-11 Sep-11 Sep-11 Jun-11 May-11 Sep-11 Oct-11 Aug-11 Sep-11 Sep-11 Apr-11 Apr-11 Jul-11 Jul-11 Sep-11 Sep-11 Sep-11 Nov-11 1.6 2.1 2.2 Apr-11 Feb-11 Jul-11 2.3 2.3.3 2.3.4 2.3.5 2.3.6 2.3.7

Released more than 315 days after the Android OS version was available Released between 226 315 days after the Android OS version was available Released between 136 225 days after the Android OS version was available Released between 46 135 days after the Android OS version was available Released within 45 days of the Android OS version availability

Data as of November 1, 2011 . US market release dates and versions used when available (UK data used for Galaxy Mini and Galaxy Ace) . Updates must be over-the-air (OTA) to be counted .

13

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Observations: The Nexus S phone is the gold standard for currency within the Android market. Whenever Google releases an update to Android, the Nexus S receives that update almost immediately . Five of the smartphones on our list released or updated to versions of Android at a time that was almost one year after those versions had been made publicly available . 13 of the smartphones on our list were at least one major revision behind at the time they released. The phone with the highest vulnerability score on our list, the Samsung Galaxy Mini, was released in the UK in April 2011 running a version of Android from May 2010, and as of this writing, it has still not received any OTA updates . The Sony Ericsson Xperia X10 is also the only phone released with Android pre-2.2 to skip version 2.2 entirely. Across all models, excluding the Nexus S, the average delay in incorporating a newer Android release is over six months. The average delay across the top 12 phones with the highest vulnerability score is over seven months . Ten of the top 12 most vulnerable phones are end-of-life, meaning they are either no longer available for purchase or the manufacturer has publicly stated that they will not be delivering any further Android updates for the phone . This may change due to customer pressure, but remember that these are some of the most popular phones on the market, and all of them were released within the past two years . Grouping the delay times for updates by manufacturer reveals that Samsung is the worst offender among the top manufacturers when it comes to providing timely updates . Motorola is the best .
Average Time Before Releasing Android OS Update
300 250 200

Samsung LG HTC Motorola

DAYS

150 100 50 0

The above graph excludes the Nexus S which is made by Samsung, since its updates are controlled by Google . Both Sanyo (Kyocera) and Sony are worse than Samsung when it comes to currency, but because each have only one model in our list, and they have comparatively fewer Android phones on the market, we did not include them in the graph .

14

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Apple iPhone and iOS

It did not make sense to analyze the iPhone (any model) using the same methodology as we applied to Android smartphones . Unlike the Android market, there is only one manufacturer of devices that run Apple iOSApple . When a new version of iOS is available, every eligible iPhone receives the update almost immediately, regardless of phone carrier . In this sense, the Apple iPhone is similar to the Google Nexus S smartphone . However, the Apple iPhone 4 and older models received an honorary #13 on our list of top most vulnerable smartphone for two reasons: First, Apple does end-of-life its older models. The original iPhone, which released in 2007, cannot be upgraded to IOS 4 (available June, 2010) or later . The iPhone 3G, which released in 2008, cannot be upgraded to IOS 4 .3 (available March, 2011) or later . The good news is that Apple seems to support their devices much longer than Android manufacturers, but if you own an older model iPhone, you will not receive the latest updates . Apple does not release statistics on the breakdown of currently active iPhone models and iOS versions. It is fair to estimate that only a small minority of customers still use iPhones purchased three or more years ago . Nonetheless, it is important to understand that all smartphones eventually reach end-of-life and no longer receive security updates . More importantly, prior to iOS 5 and its iCloud feature, you had to dock your iPhone to your computer in order to receive iOS software updates . Apple operating system updates were not delivered over-the-air . Since Apple does not provide statistics on how many users dock their phones, we had to rely on third-party sources and some anecdotal data . The adoption rate for major versions of iOS is extremely high, especially when compared against Android . In January 2010, less than seven months after iOS 4 was first released, the popular app Bump released statistics8 showing nearly a 90 percent adoption rate . By June 2011, apprupt was reporting9 a 95 percent adoption rate . Compare that to Android, where version 2 .3 of its operating system was released in December, 2010, and eleven months later in November, 2011, there was only a 44 percent adoption rate . In October, 2011, Apple released iOS 5 . Less than one month later, Chitika10 released statistics showing an almost 38 percent adoption rate of iOS 5 within the iPhone user base .
iOS Version Distribution by Device
100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% iOS Version 3 iOS Version 4 iOS Version 5

iPad iPhone iPod

8 9 10

technologizer .com/2011/01/18/ios-4-has-90-adoption-rate-android-2-3-only-4 www .apprupt .com/en/blog/2011/06/28/mobile-quick-facts-apple-user-love-updates insights .chitika .com/2011/iphone-ipad-users-front-runners-in-ios5-update

15

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

A high adoption rate generally implies a high percentage of users connect their iPhones to their computer, at least periodically . However, a large portion of the growth can be attributed to new or replacement purchases . Unlike with most Android smartphones, where you are almost certain to have an outdated operating system at the time of purchase, when you activate an Apple iPhone, it automatically installs the latest iOS version . There is anecdotal evidence11 that as much as 50 percent of iPhone users have never docked after the initial activation . That statistic may be completely inaccurate, but it does not seem unreasonable . Ask any ten iPhone users how often they dock, and you will undoubtedly have at least one person who never plugs their phone into their computer . Even without hard data, it is fair to assume that some significant percentage of users do not dock their iPhones . This is why the Apple iPhone gets an honorary mention in our most vulnerable list . If you are running iOS 4 or earlier and you never dock your iPhone, you are not receiving important security updates .

Vulnerability Data
As part of our research, we looked at the vulnerability data from the U .S . National Institute of Standards and Technology (NIST)12 to see how many known vulnerabilities have been reported against the Android operating system and Apple iOS . We reviewed the data from the past three years (January, 2009 through October, 2011) . The number of vulnerabilities reported against a product is not a complete measure of vulnerability . As discussed earlier, all software has vulnerabilities . The key is to be able to push out updates as quickly as possible when flaws are identified . Nonetheless, reviewing known vulnerability data can help in understanding the threat landscape . Although this data did not directly influence our methodology for identifying the most vulnerable smartphones, we thought it would be useful to summarize because it illustrates a few important points . It also might dispel a few myths . A common myth is that the Apple iOS code is more secure than the Android operating system code . Apple iOS has more vulnerabilities reported against it than Android and its underlying components . The reason that Android malware is on the rise while there have been no major reports of iPhone malware outbreaks is because the Apple ecosystem is more secure . Apple security updates are distributed more quickly, there is only one Apple app store with a higher barrier to entry, and iPhones do not ship with third-party components like Flash .

Apple iPhone Can Be Compromised, Too

In November 2011, security research Charlie Miller discovered a vulnerability in iOS that let him steal data from an iPhone and remotely perform other command functions . He was able to get an application into the Apple app store that demonstrates the flaw . Within a week, Apple had issued a patch . Since Apple controls both the app store and the distribution channel, it was able to both remove the malicious app and distribute an update to all affected iOS devices . It is not surprising that such vulnerabilities exist . Apples rapid response demonstrates why having an efficient distribution channel for updates is as important as having a secure operating system .

A common myth is that the Apple iOS code is more secure than the Android operating system code.

11 12

developer .android .com/resources/dashboard/platform-versions .html nvd .nist .gov

16

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

One of the challenges we faced in analyzing the NIST data is the difficulty of determining which vulnerabilities impact the Android operating system . This is partially because the NIST vulnerability data is often not well categorized, but also because the Android operating system is made up of several open source components . A vulnerability that affects Android may also impact other Linux distributions and therefore might not be classified against Android at all . For example, in March 2011, a series of over 50 apps on the Google Android app store were discovered to be malware . The malware, named DroidDream, took advantage of two exploits to gain complete control over a phone (root access) . Google took the unique step of invoking a kill switch that allowed them to remove the applications from over 250,000 phones where the malicious apps had been installed . We were unable to identify any CVE (common vulnerability and exposures) related to DroidDream that was directly assigned to the Android product . DroidDream took advantage of a variant of 2009 vulnerability (CVE-2009-1185) which was assigned to vendor Kernel and product udev. Google patched this vulnerability in its Android 2.2.2 release. Therefore, in calculating our list, we included any vulnerability reported against Linux or the Linux kernel. Not all of these vulnerabilities apply to Android; in fact, most probably do not . It is simply that they might apply to the Android OS . In addition, many Android devices ship with third-party components like Java and Adobe Flash . The version of each varies for each phone model and each phone model update . As with the Android OS itself, it is impossible to tell which Flash exploits, for example, apply to the version of Flash on each different Android smartphone . Therefore, we included all Java and Flash exploits in our list to demonstrate what might apply to Android . Summary of Complete Integrity Loss Vulnerabilities
Component iOS Android Linux Java Flash 2009 6 1 36 16 17 2010 29 0 32 30 52 2010 32 3 12 20 43

To keep the list manageable, we filtered the set of vulnerabilities to only those which can be used to completely compromise a system . In NIST terms, this means looking for CVEs where the integrity impact is the most severe (complete). We did not count vulnerabilities which could only be used for data or personal information loss . As noted, not all of the Linux/Java/Flash vulnerabilities apply to Android, and even if they do, it may differ between different smartphone models .

Observations: Apple iOS, as a standalone operating system, has more known vulnerabilities than either Android or Linux. This may simply be due to better classification when dealing with Apple, but it does dispel the idea that iOS has no vulnerabilities . Very few Complete Integrity Loss vulnerabilities are reported directly against Android. This makes it very difficult for security professionals to know where they are at most risk when faced with a device running Android . It may also be an indicator that the core Android components are fairly secure . The concern raised by this report is not that Android OS is insecure, but that the manufacturer and distribution model, along with a less stringent app store model, is what creates the risk . For the past two years, of all the components listed above, Flash has the highest number of vulnerabilities. Since the 2011 data only counts through October, Flash appears to be on track to have another record high year . Coincidentally, in November 2011, Adobe announced that it will discontinue Flash for mobile devices .13

13

www .usatoday .com/tech/news/story/2011-11-09/mark-smith-adobe-flash-mobile/51135466/1

17

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Conclusion
The mobile space is one of the fastest growing technology segments . Nearly half of all mobile phones purchased in the United States by the end of 2011 will be smartphones . With the average smartphone user spending only three percent of their time on the device actually using the phone, these devices are really miniature computers that happen to be phones, not phones that happen to be smart. The culture of bring-your-own-device (BYOD) to work is expanding. The majority of smartphone users perform business tasks on their phones and a growing number of companies are allowing these devices into their corporate network . These devices contain both sensitive personal information and confidential business data .

In 2012 there will be a rise in targeted attacks, where the mobile device is used as a conduit to steal corporate intellectual property.
In 2011, we have seen a rapid rise in the amount of malware targeting mobile devices, specifically Android smartphones . The majority of these attacks have been malicious apps written by actors with a profit motivee .g . identity theft and premium SMS charges . We expect that growth trend to continue . We also believe that in 2012 there will be a rise in targeted attacks, where the mobile device is used as a conduit to steal corporate intellectual property (IP) . We have seen a similar pattern occur in the PC market, where crimeware has been replaced by cyber espionage and IP theft as the largest concern amongst security professionals .

In order to protect against mobile threats, it is critical that both consumers and corporate IT departments be able to receive updates and security patches in a timely manner.
In order to protect against mobile threats, it is critical that both consumers and corporate IT departments be able to receive updates and security patches in a timely manner . Android is the most popular operating system for smartphones today because its open environment has allowed for rapid innovation and diversity . Unfortunately, this innovation has come at the price of security . A review of the most popular Android smartphone models reveals serious concerns about how quickly manufacturers and carriers can respond with software updates . The majority of the phones reviewed took, on average, over seven months to update their operating system . This does not take into account vulnerabilities that might exist in any of the dozens of other customizations and third-party applications that manufacturers are providing .

18

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

There are too many actors involved in the Android smartphone distribution . Manufacturers are primarily responsible for distributing updates, but their strength is hardware not software . Manufacturers are incented to sell newer phones rather than patching older models . The phone carriers have also injected themselves into the process to establish brand loyalty, but their strength is infrastructure not software . The Apple model for controlling and distributing updates has proven to be more effective from a security perspective . In response to the major flaw with Apples model, that of requiring users to dock their iPhones, Apple released iOS 5 with iCloud to provide over-the-air updates . Its time to ask difficult questions of the Android smartphone industry: Can smartphone manufacturers take a page from the PC industry (or from Apple or the Google Nexus) and defer system updates to the makers of the operating system? Manufacturers can retain the ability to customize their phones . When you purchase a Dell Windows computer, it comes with Dell-specific customizations and programs, but these additions do not interfere with Microsofts ability to update Windows as needed . What is the role that phone carriers are playing in the distribution process, and do they really need to be involved in the software aspect at all? No one expects their home Internet provider to be responsible for operating system updates on their personal computers . Why do Android manufacturers roll out updates on different schedules for different carriersfor the same phone models? There is probably a valid reason, but whatever it is, it is worth revisiting to see if improvement can be made . Why do (at least some) phone carriers charge usage time for important software updates? Receiving OTA updates must be free. Smartphone users should not have to choose between stability and security over whatever other activities they may do online . It is in the interest of carriers to have their customer running the latest updates, as this reduces support costs and increases customer satisfaction . In the meantime, consumers need to raise industry awareness on security dangers of smartphones . In addition to exercising basic safety rules when using a smartphone, we need to exert pressure on manufacturers to prioritize security as much as they prioritize new models and features . When purchasing a new Android smartphone, do not just choose based on size, keyboard or camera megapixels. Look at the system settings and check what version it is running . If it is significantly out of date, think twice . Any new smartphone still running Android 2 .2 or earlier should be viewed with extreme skepticism . The very latest version, Android 4 .0, is being released now (November, 2011) . By March or April, 2012, you should expect your new phone to have this version . If you own an Android phone that has become orphaned (no longer updated) within two years, put pressure on the manufacturer, or do not purchase one of their models again . As long as the manufacturer is responsible for providing updates, demand that they support and update your phone for at least as long as the average phone contract . If your carrier is charging you usage time for operating system upgrades, demand a credit. As long as updates include even the smallest of fixes, you should not have to pay for them (at least for as long as you are under any contract) . When using a smartphone, exercise caution in selecting and installing apps from unknown or unreliable sources. An August 2011 study by Dasient found that eight percent of Android apps (842 out of 10,000 apps tested) leak private data. Your smartphone is just as capable of being attacked as your personal computer .

14

www .dasient .com/news-and-events/press-releases/

19

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

Security professionals and IT managers need to understand the challenges and risks of allowing personal mobile devices into the workplace . Set specific policies regarding which devices are allowed to connect to your corporate network. Given the importance of currency in the security field, it is reasonable to set guidelines restricting smartphones running versions of operating systems that are more than a year old, or that have a poor track record for providing timely updates . Implement both authentication and encryption technologies on the devices you allow into the workplace. Require passcodes or other authentication means before any smartphone can access your corporate email or other network resources . Look into mobile data encryption solutions . There are a number of technologies available for encrypting mobile data, both at rest on the device and in transit, and these can be an important layer to your security posture . There are security products available that isolate work data from the operating system and other programs running on smartphones. However, realize that if a phone is compromised at the root level, it still may be able to monitor passwords or even view sensitive data as it is being rendered or transmitted . Understand the risks and do your research . Educate your users about the risks of installing unknown and untrusted mobile apps. This is especially important for Android users, where apps may come from a variety of different places . In 2011, the majority of Android attacks were done through malicious apps . Until solutions are available that properly vet the trustworthiness of mobile apps, every time a user installs a new application, they are increasing the risk to your companys intellectual property . These are not simple problems or simple solutions, but one thing is clear: the Android ecosystem is too complex and security is suffering as a consequence .

20

BIT9 REPORT THE MOST VULNERABLE SMARTPHONES OF 2011

References
AppBrain, Top Android Phones, www.appbrain.com/stats/top-android-phones (October 26, 2011) Juniper Networks (Juniper Global Threat Center), Mobile Malware Development Continues To Rise, Android Leads The Way, globalthreatcenter.com/?p=2492 (November 15, 2011). Google (Android Developers site), Android Platform Versions, developer.android.com/resources/dashboard/platform-versions.html (November 3, 2011) Nielsen, In U.S. Market, New Smartphone Buyers Increasingly Embracing Android, blog.nielsen.com/nielsenwire/online_mobile/in-u-s-market-new-smartphone-buyers-increasingly-embracing-android (September 26, 2011) Nielsen, In U.S. Smartphone Market, Android is Top Operating System, Apple is Top Manufacturer, blog.nielsen.com/nielsenwire/online_mobile/in-u-s-smartphone-market-android-is-top-operating-system-apple-is-top-manufacturer (July 28, 2011) Nielsen, All About Android, www.nielsen.com/us/en/insights/events-webinars/2011/all-about-android-insights-from-nielsens-smartphone-meters.html (September 15, 2011) Lookout Mobile Security, Lookout Mobile Threat Report, www.mylookout.com/mobile-threat-report (August 2011) Ed Oswald, Technologizer, Bump: iOS 4 Has 90% Adoption Rate, Android 2.3 Only .4%, technologizer.com/2011/01/18/ios-4-has-90-adoption-rate-android-2-3-only-4 (January 18, 2011) Gabe Donnini, Chitika, iPhone, iPad Users Front-runners in iOS 5 Update, insights.chitika.com/2011/iphone-ipad-users-front-runners-in-ios5-update (November 8, 2011) Kevin Fogarty, IT World, Study shows 8% of Android apps leak private data on purpose, www.itworld.com/security/185485/study-shows-8-android-apps-leak-private-data-purpose (July 21, 2011) National Vulnerability Database, National Institute of Standards and Technology, nvd.nist.gov

Related Articles
Michael Degusta, The Understatement, Android Orphans: Visualizing a Sad History of Support, theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support (October 26, 2011) Justin Shapcott, Android and Me, Updates or lack thereof, on the Android Update Alliance, androidandme.com/2011/08/news/updates-or-lack-thereof-on-the-android-update-alliance (August 30, 2011)

21

266 Second Avenue Waltham, MA 02451 USA P 617 .393 .7400 F 617 .393 .7499 www.bit9.com

About Bit9, Inc.

Bit9 is the leader in Advanced Threat Protection . The companys award-winning Application Whitelisting solutions provide total visibility and control over all software on endpoints, eliminating the risk caused by malicious, illegal and unauthorized software . Bit9 specializes in protecting organizations against the Advanced Persistent Threat . Copyright 2011 Bit9, Inc . All Rights Reser ved . Bit9, Inc ., Automatic Graylists, FileAdvisor, Find File, Parity, and ParityCenter are trademarks or registered trademarks of Bit9, Inc . All other names and trademarks are the property of their respective owners . Bit9 reserves the right to change product specifications or other product information without notice .
REPORT/SMARTPHONES/1111