Why Upgrading Your Android OS Is Better than Android Security Patches

At Honeywell, we have seen an escalation of cyberattacks of our customers across of all sizes throughout the world. Cybersecurity attacks can come from external and internal sources. Cybersecurity is about protecting your company’s valuable information, your customers information, and your reputation and brand by preventing security breaches.

Cybercriminals use computers and networks to commit crimes.  Their technical skills and knowledge range from being able to write "script kiddies" who use others' malicious code, to those that are very talented hackers. Their motives for committing the crime range from monetary gain to the desire for just having fun. ¹ Hackers understand how people work and will find a way to hack into your system if they try long enough. Once the cybercriminal gains access, they stay inside your system unnoticed for some time. Hackers may never be found or even discovered until it’s too late. According to Gartner, “More than 50% of breaches are undetected for multiple months, which can lead to unrecoverable data corruption.”² Let’s take a closer look at external vs internal attack risks.

External cybersecurity risk.  Imagine your network receiving zero-day or brute force password attack that focuses on looking for a way into your system a thousand times second until gaining access.  Attacks can come in the form of viruses and methods such as

• Malware. Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
• Malvertising. The use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
• Phishing and spear phishing. A phishing attack is where hackers send fraudulent emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business.
• DDoS (distributed denial-of-service) attacks. A malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This takes place when massive number of machines are directed to attack the target with traffic. These machines are typically infected with viruses controlled by one over all attacker.
• Session hijacking. This is an attack where a user session is taken over by an attacker. A session starts when you log into a service, for example your banking application, and ends when you log out. The cybercriminal replaces their IP address for the client’s and the server continues the session. During this attack, the server believes it is still communicating with the trusted client.
• Ransomware. Malicious software that blocks you from accessing your own data. The digital extortionists encrypt the files on your system and add extensions to the attacked data and hold it “hostage” until the demanded ransom is paid. Ransomware is often hidden in downloads made to appear like video clips or games.
• Drive-by attack. Malicious scripts spread malware around the web. Drive-by downloads happen most commonly on web pages, pop-ups and emails. Cyberhackers look for insecure websites and plant scripts in the code on one of the pages. The malicious scripts, for example, can install malware on the computer of a web page visitor or redirect the visitor to a website that is controlled by the cybercriminal.

These are just a few of the viruses and methods cybercriminals/hackers can use to externally gain access to your site, software, or network.

Internal cybersecurity risk.  Internal risk stems from employees. Most of the time is purely by accident unbeknownst to the worker.  The cybercriminal is focused on obtaining an employee or admin credentials which will then allow them to move inside the network with complete access to the system. Now your internal data is exposed such as

• Trade secrets and intellectual property
• Regulated data
• Sensitive data
• Information about products and internal research
• Financial and personal staff information
• Source code

Even if your devices only connect to an internal server and don’t reach the internet, you need to be concerned. There have been more breaches “inside 4 walls” than out. In 2018 59% of attacks were not through the internet. Vulnerabilities may be exploited by a breach elsewhere in the network and attack unprotected devices from the “inside out.”

External vs Internal Cyberattack: Which is Worse? Whether you get a cyber attack externally or internally, they both have very severe implications. The cost of a data breach averaged $3.9 million in 2019³. Exposure of critical data and/or disruption to operations can be devastating and expensive to an organization. Reputation gets damaged and brand value devalues.

Security Patches Help Prevent Breaches

According to Poneman Institute report, 57% of cyberattack victims report that their breaches could have been prevented by installing an available security patches.⁴

Whenever software is written, it will innately contain errors/bugs. It is the goal of every software engineer to reduce the number of those bugs at the time the software is written and as they are found. There are two categories of software bugs:⁵

• Bugs that cause the software behave incorrectly. For example, a user using a calculator app enters two numbers in a multiplication equation and comes up with incorrect answer. Sometimes these types of bugs can be manipulated and become bugs that affect the second type of bugs, software security.
• Bugs that impact the security of the software and of the installed device. For example, an app will ask for a username and password. The user enters the correct name but leaves the password blank and is granted access. This is a bug that permits unauthorized access to private data. A security bug/error allows a third-party to gain access they shouldn’t have. When these errors are found they need to be immediately fixed and deployed quickly to protect users.

A security patch is essentially a small piece of software to fix security flaw that has been uncovered. It covers a hole that keeps hackers from exploiting the flaw. When a security patch has been installed on your device, you will not notice any difference it its functionality.  Security patches are important because they protect your device from would-be hackers who want access. Think about your personal phone and how it’s being used to do banking, shop on Amazon/eBay, Google Pay and the list is endless of what would be of interest to cybercriminal.

Backporting vs Security Updates

Backporting is not the same as security updates or OS version upgrades.  Backporting is essentially taking parts of newer version of a software system or software component and porting them to an older version of the same software.  It is used for fixing security and feature issues in older version of software.  

Hidden Issues with backporting. Some companies of mobile devices refer to their backporting practices to older OS by calling them security updates.  These backporting practices, marketed as security updates, come with hidden issues that enterprises need to understand.

• New OS features not available for backporting. New security features included in new OS versions are not made available to backport to earlier OS versions.
• Incomplete security patching. Vendors cannot guarantee that every vulnerability found in newer Android versions can and will be backported.Backporting is only possible where the functionality previously existed and/or the update does not impact the integrity of the platform.
• Processor level vulnerabilities. Patches for proprietary low-level processor code must come from the chipset vendor and are often not available for older OS versions.
• Lack of new security features. Customers relying on older Android versions can't take advantage of security features added to newer versions.

At Honeywell, we believe that anyone promoting backporting over OS upgrades does not have the customers best interest in mind. Honeywell works closely with customers to make it as smooth of a transition as possible to upgrade from one Android OS to the next.  Here’s why

• Android uses an incremental approach.Each version builds on the last, maintaining backwards compatibility, making maintenance and upgrades easier.
• The only way to receive the best available security and features are through the latest OS version
• When following Android best practices, little to no adjustment should be needed beyond updating the device OS version

Honeywell customers have the choice to decide when they believe it is their best interest to upgrade.  Backporting is the action that takes parts from newer software and applying it to an older version of software. 

Honeywell offers backporting service only as a last resort, as some customers have situations in which are delayed or decided to stay on old OS version. Why would a company decide to stay on an old Android OS? Some common reasons include:

• Companies have made the false assumption that updating Android versions requires an effort like updating Windows did.In reality, Google’s approach to Android is different than Windows.
• Companies have developed their own applications that weren’t developed using the best practices and need to be updated in order operate on a newer OS version.

Bottomline: Backporting leaves your devices with a security gap because not all OS changes/updates can be patched. And the older your OS the more risk you have of being exposed to cybersecurity threats. For example,

Upgrading Android OS vs Security Patches

Security patches help, but the benefits of upgrading to a new Android version are even better.

• As new features are introduced that work with the latest Android versions, older versions cannot leverage these features. You may find that a critical new feature cannot be supported on their outdated Android version.
• Staying current in OS versions helps ensure the stability of your critical business applications. A device with the latest backported patches may not work properly with newer applications built for a newer Android version.
• For example, in Android 9.0 Pie all nonprivileged apps with a target API version equal to or greater than 28 must run in individual SE Linux sandboxes. This protection improves app separation and prevents apps from making their data accessible to the “world.”

Honeywell Mobility Edge Makes It Easy to Upgrade Android OS

Mobility Edge is the first and only platform to guarantee support through Android 11 and is committed working towards Android 13 compatibility.

Honeywell has made it easy for our enterprise customers to migrate applications from one Android version to another. Honeywell has built the mobile device platform Mobility Edge. 

Mobility Edge™ is based upon extensive research gathered from Honeywell’s global community of customers from a range of technologies. Honeywell recognized that businesses wanted a unified hardware and software platform for all form factors – one that allowed for rapid deployments, robust performance, and adaptability to changing needs.

We completely innovated our approach to meeting the challenges of supporting a mobile workforce, and Mobility Edge was the answer. This unified, dynamic platform for mobile computing is designed to:

• Accelerate Deployments. Validate once. Deploy everywhere. Faster, easier, and at lower cost. Enabling versatile out-of-the-box capabilities and a rapid provisioning suite, Mobility Edge expedites development, certification, setup, and training involving multiple form factors at once.
• Optimize Business Performance. Boost productivity and drive efficiency. Powerful, embedded tools across the platform drive faster data capture and secure, enhanced worker communications. The unified, intuitive experience facilitates user adoption and helps employee’s complete vital tasks.
• Extend Lifecycle. Forward compatible. Future-proof. Mobility Edge reduces TCO and minimizes headaches with an enterprise-wide approach to maintenance releases, and hardware designed to support ongoing upgrades to the operating system through Android 13, and extended support 5 years beyond that.

• Strengthen Security. Mobility Edge™ provides a unified, dynamic hardware-and-software platform with built-in security and the best available future security made possible through Android forward compatibly.

Mobility Edge Platform Devices, Best-in-Class OS Support and Lifecycle

Honeywell offers a line of more than 10 Mobility Edge models built on a stable, common HW/SW platform. This platform has enabled Honeywell to be the first to guarantee Android 11 support, and unlike our primary competitors, to provide uninterrupted OS support from launch to end-of-life, with best-in-class security patch support beyond based on our Sentinel service.

Continuing this leadership, Honeywell is committed to delivering support for Android 12 and 13 if shown to be technically feasible and is working with our technology partners to maximize that possibility.

The common platform provides for the efficient reuse of IT investment across multiple form factors both across the present fleet and over the future roadmap.  It is accompanied by a common deployment toolset that speeds time-to-value and the Operational Intelligence cloud optimization and management platform that provides visibility into device location, condition and full-life maintenance history. All of the devices are supported by popular MDM solutions as well.

Contact a Honeywell Solutions Expert today! Call 1-800-934-3163

¹ Profiling and categorizing cybercriminals

² Source: Securing End-of-Support Production Systems, Tony Harvey, Neil MacDonald, Sam Evans, Published 24 December 2019.

³ What’s New in the 2019 Cost of a Data Breach Report

⁴ How to close the patch gap

⁵ What are Android security updates, and why do they matter?

Google and Android are trademarks or registered trademarks of Google LLC. All other trademarks are the property of their respective owners.