A new Android vulnerability is discovered today. When will the phone in your pocket be patched? We studied firmware update events across millions of Android devices around the world, to answer this question and many more. As it turns out, updating mobile devices is significantly more complex than the desktop world.
Android has become a top player in the smartphone explosion. Its success is due in no small part to its openness and flexibility, enabling an entire ecosystem of unique devices built on an open-source core. This proliferation has not been without the challenge of fragmentation. In this talk, we survey what it takes to push a security update in the Android ecosystem, study prominent vulnerabilities that have affected the platform, and examine the patch history and current state of prominent devices to answer the question: What is the half-life of a vulnerability on Android?
Anthony Lineberry is a security researcher from Oakland who has been active in the security community for many years, specializing in reverse engineering code, researching vulnerabilities, and advanced exploitation development. He has written an open source kernel from scratch, helped with the first iPhone jailbreak, and feels uncomfortable speaking in the 3rd person. Professionally his experience includes working as a security researcher for McAfee, NeuralIQ, and currently with Lookout. He has spoken previously at SCaLE, DefCon, and BlackHat EU/US.
Tim Strazzere is a Security Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include having reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices.
Tim Wyatt is a software engineer whose career has focused primarily on security product development. This has led him to Lookout Mobile Security where he leads the Security Engineering team. Prior to Lookout, Tim was a lead engineer for the Vontu Network Data Loss Prevention suite.