To be sure, many smartphone users quickly allow updates and patches on their devices when sent a notification that one is available. "I don't even think about" not doing an update or patch, said JR Raphael, a blogger for Computerworld on Android topics. "On the new Android phones, the process is totally seamless and far less invasive than it used to be."
Nancy Newkirk, an iPhone 6 user and CIO and vice president for technology for IDG, the parent company of Computerworld, said she does all updates "as soon as I see them, regardless of size and scope. I read the description but go ahead anyway. Then I let my family know if it's a big one that takes time or a small one that is pretty painless, and they wait a week to see if my phone acts funny or breaks" before they run the updates.
Part of running patches and updates promptly is out of the hands of users, who usually must wait for their wireless carriers to test patches they have learned about from phone vendors or security experts.
"All of us can do a better job at securing our mobile devices — manufacturers, carriers and users," said Varun Kohli, vice president of marketing for Skycure. He said users sometimes avoid patches for their phones because of concerns about performance. But often, users don't know there's a patch available or they have an older phone that doesn't support the latest patch.
Most of the security patches that Skycure detected in its global analysis were not sizable enough to affect a phone's performance, Kohli said. A patch is generally considered a small change to an operating system that addresses one or more specific bugs or holes, or adds support for new hardware or a configuration without adding new features or functionality, he said. Patches are delivered as "point releases," while updates offer added functionality.
Apple doesn't generally refer to its updates as patches the same way that Android does. Google began releasing monthly Android security patches in late 2015 after the discovery of the Stagefright vulnerability. "We highly recommend patching each Android device as soon as each security patch becomes available because they each address newly disclosed vulnerabilities that malicious attackers may leverage in exploiting unpatched devices," Kohli added.
Skycure analyzed Android devices in January 2017 to determine the age of the security patches that were loaded on phones.
"The most recent security patch was only adopted by a very small percentage of the population, having just been released, but AT&T users were up to 10 times more likely to have this latest patch already installed," Skycure's report said.