Image: ZDNet/CNET

Android security has been labelled a "market for lemons" because Android owners have no idea whether their devices will receive a patch when a new bug is made public.

UK researchers last year found that nearly 90 percent of Android devices contained at least one critical vulnerability, and blamed the woeful state of security on handset makers, as opposed to carriers or Google.

A new study by two-factor authentication firm Duo Security has found similar results, although in addition it found Android users aren't enabling available security features to protect data on their devices.

The company reports that just one in 10 Android devices has enabled pre-boot passcode device encryption, though this may change as more Android 6.0 devices are released.

Google updated its compatibility policy for OEMs to require they enable full-disk encryption by default out of the box, although according to Google's distribution figures, just 0.7 percent of devices are running Android 6.0.

An easier protection to enable, which is often ignored by Android owners, is the passcode on the lockscreen. According to the firm, one-third of Android devices don't use a passcode to secure their lockscreen. By comparison, only one in 20 iPhones fails to have the lockscreen enabled.

Android's operating system fragmentation problem has long been a source of criticism by security-minded observers and, as Duo Security highlights, this feature of the ecosystem poses a risk to users.

For example, it points out that 32 percent of Android devices are running version 4.0 and below, which makes them more vulnerable to Android's Stagefright media library bugs since they lack key exploit-mitigation defences available in new versions of Android.

By contrast, about half of all iPhones on Duo Security's service are on some version of iOS 9. However, as it notes, within that group only half are running 9.2, which was superseded with security updates included in iOS 9.2.1 on Tuesday.

Given that it still may be some time before Google, carriers, and device makers fix Android's fragmentation and patching problems, Duo Security recommends businesses encourage employees to use Google's Nexus devices over all other Android handsets -- advice that Samsung fans with BYOD smartphones would not like to hear.

Read more about Android security