
March 30, 2017

Android Security 2016

The new report from Google on the state of Android Security shows how the company is committed to fighting malware and fragmentation across devices and operating systems. However, there’s still a way to go when it comes to Android app security.

The good news is that half of all Android devices are getting the benefit of Google’s recent Android security updates, which patch the OS- and device-level flaws that malware takes advantage of. The bad news is that the other half are still failing to receive any updates.

The challenge for Google is getting original equipment manufacturers (OEMs) and carriers to commit to patching Android phones and tablets. The 50% rate is good progress. However, in developing countries, where low-cost Android phones are often key to their owners’ financial lives, weak Android app security still puts personal and financial data at risk. Google is aiming for a 75% patch rate in 2017.

This is contributing to less malware on the Google Play store, and stronger device encryption and Google’s bug bounty program are getting results. Still, fewer than three percent of Android phones are using the latest operating system, Nougat. The reality of the patching rate is that there are still 700 million devices open to historical vulnerabilities such as QuadRooter, contributing to persistent client-side Android app security problems.

The fragmentation problem is best illustrated by the example of Samsung. Samsung offers 13 devices, sold by 200 different carriers that each add their own customisation to the supplied OS. When there are 1500 variations of each version of the operating system, applying the patches becomes a problem. Around 60 percent of Samsung users got updates in 2016, with 15 percent still on old, unsupported versions of Android, and another 15 percent ignoring the updates.

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android app security testing, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.