Industry News

Barely 1% of Android users are running Nougat, as Apple shows how to properly update devices

What are the most commonly over-looked piece of professional security advice amongst computer users?

If you answered install security patches, use unique passwords and enable two-factor authentication – give yourself a point.

Although we obviously recommend that you run anti-virus software, are careful about the personal information you share online, and use hard-to-crack passwords there are other essential steps that security professionals recommend but are often not put into practice by regular users.

And in a world where we are increasingly using our smartphones to do business, make purchases and communicate with our friends and family it’s important to recognise that sensible security doesn’t start and end on your desk – it begins in your pocket.

So I was in turn both delighted and mortified to see the latest figures for how well iPhone and Android users were doing at keeping their mobile devices updated with the latest operating system patches.

Let’s look at Apple’s official figures first, measured by their App Store.

As on February 20, 2017, an impressive 79% of iOS devices were using iOS 10 – the latest version of Apple’s mobile operating system. That’s a three-point increase over the adoption rate recorded at the start of the year, and less than six months since iOS 10 was first released to the public last September.

I think everyone would argue that that’s quite impressive.

So how does it compare to Google Android? Well, it’s only fair to compare Apple’s official figures with Google’s official figures.

The latest major version of Android, Nougat, was released at the end of August 2016 – slightly earlier than iOS 10. So you might have hoped that they would have similar adoption levels amongst users. Sadly that’s not the case.

Android Nougat 7.0 and 7.1 account for a mere 1.2% of distribution. That’s a long long way behind iOS 10’s 79% adoption rate.

The most popular versions of Android are Lollipop 5.0/5.1 (with a combined 32.9%) and Marshmallow 6.0 (30.7%). For comparison, Lollipop came out in November 2014 and Marshmallow in October 2015.

Frankly, it’s pitiful. And if we are to believe security professionals recommendation that keeping your security patches up to date is one of the most important things you can do to protect your online devices, then frankly – heaven help you.

Apple and Google have taken a very different approach, of course.

Apple make their own hardware, and don’t allow anyone else to manufacture phones that run the iOS operating system. This gives them a high level of control, and makes the process of keeping iOS devices updated with the latest security patches much easier.

Google, in its desire to have the most widely-used operating system on the planet, allowed anyone to create an Android phone – with little consideration of how those phones would be updated when they were crying out for a security patch or an operating system upgrade.

There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren’t so simple for Google’s users. This fragmentation inevitably leaves Android devices open to security problems.

ZDNet journalist Adrian Kingsley-Hughes once declared that Android fragmentation was “turning devices into a toxic hellstew of vulnerabilities” and I cannot help but agree with him.

If you buy a phone that Google itself has manufactured then things are simpler, of course. But many consumers haven’t – and find themselves left behind with an out-of-date operating system on their phone or tablet.

And yes, you could choose to root your Android phone and install your own custom ROM on it… but is that really an achievable option for the average non-techie consumer?

Does the cheaper price of an Android phone make up for the difficulty in getting the latest updates? That’s a question only you can answer. But as the incidence of cybercrime rises, I certainly think it would be wise to consider just how long you’ll feel happy running a smartphone that is missing out on security updates.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • It would be nice to know which manufacturers are the best at keeping their Android phones up to date. I'd vote with my money and use this as a consideration when purchasing a new device.
    I've a Sony Xperia Z5 which was a flagship last year. Now I can see I'm running 6.0.1 with the November 2016 security patch level.

  • "I think everyone would argue that that’s quite impressive."

    *agree, not argue.

    There are some interesting iOS version statistics here:

  • ..meanwhile, my functionally reliable Blackberry Z10 has just had the latest OS update.. <warm fuzzy feelings>
    Do you have an opinion on Blackberry OS10 viz security? – better or worse than iOS?
    Is this OS fit only for the scrap heap or is it's demise premature?
    ..what if Blackberry had suitable hardware from a 3rd party running OS10 at a sensible price point?
    Do users really detest the OS or was it awful marketing (and silly high prices) that lost Blackberry their market share?

    What of Blackberry's attempt to create a secure version of Android? – Is this the secure version of Android that POTUS, Don the Samsung Galaxy S3 user, ought be using?

  • Sometimes, manufacturers, too, have a role to play in the delay with updates — mine, for instance: Motorola. I update my phone promptly — a day or two, at the most, after the public releases. But I checked just now, and while my handset says everything is up to date, it's running Android 6.0, with 1 Feb 2016 being the last time a security patch was applied.

  • Graham, carriers also need to take responsibility. They just don't release updates to the software.

  • I still don't have Android Nougat 7.0 on my unlocked s7 edge international variant running Nougat 7.0 beta, so yes, Samsung are very slow in pushing the update. By the time they get to it, it'll probably be out of date!

  • I searched around on my Galaxy 5 and found in Apps (not MetroPCS folder), under Settings an italic "i" which stands for About This Device — it allows you to check for info about the last update and so on. The first option is Download Updates Manually.

  • I have to disagree with a lot of what this article is purporting. Not running Nougat does not mean a device is vulnerable. For the most part, it just means the phone is lacking some incremental feature upgrades and whistles and bells. The more recent versions of Android still receive security updates. Don't get me wrong, it's still an issue – for example, KitKat has some vulnerabilities that aren't going to be fixed (i.e. stagefright), but this article makes it sound like 99% of Android devices are in serious trouble and that is just false.

    I also have a hard time taking anything ZDNet publishes seriously. I used to follow them but I stopped years ago because their articles just feel very slanted and biased. A lot of them read like hit pieces.