As with Windows XP on the desktop, KitKat is the aging version of Android that just won't go away. An analysis of around one million enterprise and business users in the US by security firm Duo Security has found that a staggering third of Google devices from its customer base of several thousand are still running versions 4.0 or below, which means they haven't been updated for several years.
Another 14 percent were stuck on Android 4.4.2 and nine percent on 4.4.4, which means that over half are using images dating from the three years before October 2014, when Android 5.0 Lollipop made its appearance.
Often-voiced worries about Android's fragmentation have tended to centre on its effect on consumers, but these figures offer a glimpse into the potentially more serious issue of what out-of-date mobile software could silently be doing to enterprise security.
Android and the enterprise 2016 - Stagefright
There are two problems. First, any device running KitKat will be vulnerable to serious security issues such as the Stagefright flaw that emerged in August 2015 (see below), a potentially big hazard for the enterprise networks it connects to. Second, and perhaps worse, because such devices will never be updated, they will remain vulnerable to this flaw until the day they are decommissioned, possibly years in the future.
According to Michael Hanley of Duo Security, the culprit is complacency about Bring Your Own Device (BYOD), a fashionable model of self-provisioning that has brought with it the problem that the user chooses the device, not the business.
It's a model in which IT departments don't feel inclined to ask people to upgrade even when they understand the risk of older devices.
"Most IT shops can't say 'don't use that device at all'. It's what the user has. It's what ends up being used for business use. It is too much to expect them to bring in a Nexus 5X or 6P," says Hanley.
There is no easy answer to BYOD on Android, despite the best efforts of vendors to come up with a separation inside devices between personal and business data through developments such as Samsung's Knox. Android remains an inherently fragmented platform, not only at OS level but in terms of the number of distinct devices that have to be secured.
Hanley and Duo estimate that while around two thirds of the mobile devices used by its customers were a range of Apple models, that still left 3,700 individual products from two dozen or more vendors in the Android space.
The firm's figures show that Samsung is currently the most common with 57 percent of devices, followed by LGE (including Google's Nexus range) on 13 percent, Motorola also on 13 percent, and HTC and Sony on 6 percent and 3 percent respectively.
"The objective here is not to share data on Android to scare people. IT managers don't realise the degree of fragmentation," says Hanley.
Beyond known security vulnerabilities, the study suggests that device security itself is also a low priority for many users.
- Only one in 10 employ boot-level hardware encryption, probably because most devices aren't up to the job of running it. In future, encryption might become a minimum standard and be enforced by admins.
- A surprising one third of users don't even use a lockscreen to protect the device. It's another number or unlock pattern to remember.
- A relatively high 1 in 20 Android devices have been rooted, a huge potential security worry for users who don't know what they are doing. The equivalent figure for iOS devices is 1 in 250.
As with a lot of firms moving into endpoint management, Duo's approach is not to block devices so much as to offer admins visibility into the state of each device. It is then up to organisations to decide the level of risk they are willing to accept when their workforce connects using old versions of any mobile platform. Using an older device? It can't be used for authentication but is fine for email, for example.
"The problem with a lot of Mobile Device Management (MDM) products is the friction with end users. Users have the perception that businesses have an undue level of access to their phones."
There is the obvious alternative, of course - ditch BYOD completely and hand out mobile devices on the basis of an organisation's willingness to tolerate risk. That would be a return to the old days, which for whatever reason a growing number of organisations don't feel comfortable with. It is starting to look as if BYOD comes with its own problems.
"We would rather provide visibility and let admins make access control decisions on that basis," says Hanley.
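The visibility-then-access-control approach described above can be expressed as a small device-posture policy. The following Python is an added example and not Duo's code or any product's API; the inventory records, the field names and the access tiers ("full", "email-only", "blocked") are assumptions for illustration, and the version thresholds follow the article's buckets (4.0 or below, the 4.4.x releases before Lollipop, 5.0 and later).

```python
"""Device-posture policy sketch (added example, not Duo's code).

Classifies Android devices by OS version and a few posture flags from a
constructed inventory, then returns the access tier an admin might assign.
The policy itself (which posture earns which tier) is an assumption made
for illustration; the version buckets mirror the article's figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# First Android release that, per the article, receives Google's monthly patches.
LOLLIPOP = (5, 0)


@dataclass
class Device:
    """One row of a hypothetical device inventory (field names are assumptions)."""
    device_id: str
    platform: str      # "android" or "ios"
    os_version: str    # e.g. "4.4.2"
    rooted: bool
    lockscreen: bool   # whether a PIN, pattern or password lock is set


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4.2' into (4, 4, 2) so versions compare numerically.

    Comparing the raw strings would rank '4.10' below '4.4'; integer tuples
    compare component by component, which is what a policy check needs.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"malformed version string: {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def version_bucket(version: Tuple[int, ...]) -> str:
    """Map a parsed version onto the article's three age buckets."""
    if version[:2] <= (4, 0):
        return "legacy"          # 4.0 or below: unpatched for years
    if version < LOLLIPOP:
        return "pre-lollipop"    # 4.1 to 4.4.x: predates the monthly patch programme
    return "current"


def access_tier(dev: Device) -> str:
    """Assumed policy: rooted or unlocked devices are blocked, pre-Lollipop
    devices get email only (not authentication), everything else gets full access."""
    if dev.platform.lower() != "android":
        return "out-of-scope"    # iOS posture is not modelled in this example
    if dev.rooted:
        return "blocked"         # platform integrity can no longer be relied on
    if not dev.lockscreen:
        return "blocked"         # a lost device would expose everything on it
    if parse_version(dev.os_version) < LOLLIPOP:
        return "email-only"      # mirrors the article's "fine for email, not for authentication"
    return "full"


def summarize(devices: List[Device]) -> Dict[str, int]:
    """Count Android devices per version bucket, the way the article's percentages do."""
    counts: Dict[str, int] = {}
    for dev in devices:
        if dev.platform.lower() != "android":
            continue
        bucket = version_bucket(parse_version(dev.os_version))
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample inventory; device ids and versions are made up for the example.
SAMPLE_INVENTORY = [
    Device("dev-01", "android", "4.0.4", rooted=False, lockscreen=True),
    Device("dev-02", "android", "4.4.2", rooted=False, lockscreen=True),
    Device("dev-03", "android", "4.4.4", rooted=True, lockscreen=True),
    Device("dev-04", "android", "6.0.1", rooted=False, lockscreen=False),
    Device("dev-05", "android", "5.1", rooted=False, lockscreen=True),
    Device("dev-06", "ios", "9.3", rooted=False, lockscreen=True),
]

if __name__ == "__main__":
    print("version buckets:", summarize(SAMPLE_INVENTORY))
    for dev in SAMPLE_INVENTORY:
        print(f"{dev.device_id} ({dev.platform} {dev.os_version}): {access_tier(dev)}")
```

Feeding real inventory data through `summarize` gives the kind of breakdown the article quotes, and `access_tier` is where an organisation encodes the risk it is willing to accept; the point of separating the two is that visibility (the counts) can be reported before any blocking decision is made.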
Android and the enterprise 2016 - Android's recent flaws
Google started offering monthly updates and patches for Android after the Stagefright flaw came to light, but only its own Nexus devices running Android 5.x get these directly. Other major vendors also pass on the patches Google sends them, as and when they can.
Stagefright - 2015
Probably the most serious security flaw ever to hit Android, this one affects a media playback component of the OS that nobody usually thinks much about, called Stagefright. Discovered by a researcher working for a firm called Zimperium, the issue could be exploited by sending a malicious video message to almost any Android handset on the planet, which would be processed automatically. Incredibly, no user interaction is needed, and the message could even render itself invisible by deleting itself.
Certifigate - 2015
Discovered by Check Point, this is a flaw in mobile Remote Support Tool plug-ins used by many handset makers, including Samsung, LG, HTC, Huawei and ZTE, on Android versions up to 5.1. Attackers could exploit it by sneaking a bogus app onto a phone that abuses the flaw to elevate its permissions. From that point on, the attacker would have complete remote control over the smartphone. The products affected are Rsupport, CommuniTake Remote Care and TeamViewer.
Although harder to exploit than Stagefright (see above), it is still difficult to fix because the flaw exists in an element added to smartphones by handset makers or carriers rather than by Google. It will require them to act, and that will take time - possibly a long time in some cases.
Android Installer Hijacking - 2015
Affecting older smartphones only - though that was still around half of all Android smartphones at the time of its discovery - this offered a novel way for attackers to replace one installer (APK file) with another when using third-party app stores, in effect letting a malicious app replace a legitimate one without the user realising it. Discovered by Palo Alto Networks.
FakeID Flaw - 2014
Discovered by small security firm Bluebox Security, this offers a way for a malicious app to hijack the trusted status of a legitimate app by forging its digital certificate, effectively escaping any sandboxing security on the device. This was an alarmingly simple flaw in its execution, affecting every Android handset from 2.1 to 4.3.
TowelRoot - 2014
An unusual kernel-level flaw affecting something called the futex subsystem, the vulnerability was originally discovered and disclosed by a white hat called Pinkie Pie. However, not long after, it was incorporated into a tool designed to root Android 4.4 called TowelRoot (from noted hacker George Hotz), which effectively functioned as a benign proof-of-concept exploit.