iOS is doing OK with about 72% running iOS 8.x but there is still that pesky 25% running iOS 7.x and 3% earlier than that. This is mainly due to it running slower on older hardware that will ‘expire’ soon. Apple’s usually taciturn CEO Tim Cook called Android “a toxic hellstew of vulnerabilities and securities …”

The majority of Windows Phone users are on 8.x and with its free offer to upgrade to Windows 10 Mobile (probably 2016) and the fact that Microsoft provides updates (similar to Apple) fragmentation in this OS should be a non-issue.

The problem with fragmentation – 98.4% in Androids case - is that there are over a billion devices running at least five earlier versions that are all vulnerable to malware, data theft, and other major security vulnerabilities. Google does not update these – the manufacturer has to. Google’s recent response “We will not fix issues in Jelly Bean 4.3.1 and prior.” What that means is unless you have a recent KitKat 4.4 device or Lollipop you are screwed – the only way to get a little more secure is to buy a new device.

One major corporate user has banned Android devices on its network. “We simply cannot cope with managing the plethora of Android devices and apps on our network. We are happy to support iOS 8.x and Windows Phone 8.x – and apps from their stores but that is it!” This company uses a Symantec mobile management suite to control personally owned devices as well as access to company data and email.

The comment on iTunes and Windows Store is interesting – both test all apps before listing and changes are monitored and retested. Google Play has found and removed malware from apps on its store but the issue is that there are thousands of alternative Android app stores that do not take the responsibility.

This article is not about scaremongering – the vast majority of reported vulnerabilities in Android thankfully do not seem to take hold. But the fact is that Android is the only mobile OS that has an active Botnet with millions of users unaware they are infected.

What can you do?

The average consumer with an Android device must run an antivirus/malware product – there are several in the Google Play store – AVG, AVAST, Norton to name a few. If they connect to corporate email only the chance of infection of the corporate network is low. The issue however escalates when they use remote access programs to gain access to server data or use terminal emulation.

Google could use the carrot and stick approach with device makers – either they update the OS or they don’t get it! But as Android is merely a thinly disguised vector for delivering advertising revenue to Google it probably won’t do that either.

In the interim Google is trying to take parts of Android out and spin them into API’s and apps it can update and control. And it is not the major manufacturers who are at fault – you can be reasonably sure Samsung, LG, Sony and HTC will provide some updates.

Personally I think Android is a fine OS – its update mechanisms suck because of the customisations done by manufacturers and others who would rather sell new products than waste time – sell and forget.

The answer for enterprise (business at least) seems to be to support iOS and Windows Phone 8.1 – Windows 10 will be no issue.