Home - Android Vulnerabilities

Scores out of ten

N.B. These scores have not been updated since 2015

Nexus devices	5.76 (best)
LG	4.53
Motorola	3.34
Samsung	2.81
Sony	2.78
Asus	2.61
HTC	2.6
alps	0.726
Symphony	0.309
walton	0.272 (worst)

Calculating the score

We developed the FUM score to compare the security provided by different device manufacturers. The score gives each Android manufacturer a score out of 10 based on the security they have provided to their customers over the last four years.

The score has three components:

f: the proportion of devices free from known critical vulnerabilities.
u: the proportion of devices updated to the most recent version.
m: the number of vulnerabilities the manufacturer has not yet fixed on any device.

Further details.

Device Analyzer

We have only been able to produce these scores due to the contributions made to Device Analyzer by members of the public. The Device Analyzer app is no longer available, but information about the project is still available from the link above.

If you have information about a vulnerability not listed on this site then you can submit it.

If you have MDM data and want to know which devices used by your organisation are vulnerable then we can help: contact us.

Vulnerabilities and papers

We are collating all critical vulnerabilities in Android and storing this information in a machine readable format (json). The original data set only conidered critical vulnerabilities which an app could exploit. These are vulnerabilities that allow an app (malicious or compromised) to either gain root or gain privileges which can then be used to obtain root. However, we are now including all vulnerabilities marked as critical on Google's Android security bulletins.

List of vulnerabilities

Published papers

Security metrics for the Android ecosystem by Daniel R. Thomas, Alastair R. Beresford and Andrew Rice in ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) 2015
The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface by Daniel R. Thomas, Alastair R. Beresford, Thomas Coudray, Tom Sutcliffe and Adrian Taylor in the Proceedings of the Security Protocols Workshop 2015

Press releases

Light Blue Touchpaper, Wednesday 10th July 2019: The lifetime of an Android API vulnerability
Thursday 8th October 2015: 87% of Android devices insecure - Manufacturers fail to provide security updates
Light Blue Touchpaper, Thursday 8th October 2015: 87% of Android devices insecure because manufacturers fail to provide security updates

Press coverage

ZDNet: Android security a 'market for lemons' that leaves 87 percent vulnerable
Arstechnica: University of Cambridge study finds 87% of Android devices are insecure
The Register: Android users left at risk... and it's not even THEIR FAULT this time!
Silicon Angle: The elephant in the room: Study confirms Android devices vulnerable due to lack of patches
Phone arena: Cambridge paper shows that LG is better than other OEMs when it comes to security
Digital Journal: 90% of Android devices left exposed to critical vulnerabilities
The Sydney Morning Herald: 9-out-of-10 Android phones are insecure, and manufacturers are to blame
Digital Trends: "Google-commissioned security report paints a bleak picture of Android" (Note: Google did not commission this report, they funded work on Device Analyzer which we used in this analysis)
Silicon Republic: 87pc of Android devices wildly insecure — report
Forbes: The Dangerous Vulnerabilities Hiding In The Heart Of Android
Gadgets 360: LG Top OEM for Issuing Security Patches to Its Android Devices: Report
Android Headlines: AH Primetime: Cambridge University Analyze Android Security Risk
Engadget: Most Android phones are vulnerable due to lack of security patches
Threatpost: Researchers Find 85 Percent of Android Devices Insecure
Guardian: Security is the loser in the holy war between Android and Apple

AndroidVulnerabilities.org