"The objective here is not to share data on android to scare people. IT managers don't realise the degree of fragmentation," says Hanley.
Beyond known security vulnerabilities, the study suggests that device security itself is also a low priority for many users.
- Only one in 10 employ boot-level hardware encryption probably because most devices aren't up to the job of running it. In future encryption might become a minimum standard and be enforced by admins.
- A surprising one third of users don't even use a lockscreen to protect the device. It's another number or unlock pattern to remember.
- A relatively high 1 in 20 Android devices have been rooted, a huge potential security worry for users who don't know what they are doing. The equivalent figure for iOS devices is 1 in 250.
As with a lot of firms moving into endpoint management, Duo's approach is not to block devices so much as offer admins visibility on the state of each device. It was up to organisations to make decisions about the level of risk they are willing to accept when their workforce connects using old versions of any mobile platform. Using an older device? That can't be used for authentication but is fine for emails, for example.
"The problem with a lot of Mobile Device Management (MDM) products is the friction with end users. Users have the perception that businesses have an undue level of access to their phones."
That is the obvious alternative of course - ditch BYOD completely and hand out mobile devices on the basis of an organisation's willingness to tolerate risk. That would be back to the old days which for whatever reason a growing number of or organisations don't feel comfortable with. It is starting to look as if BYOD comes with its own problems.
"We would rather provide visibility and let admins make access control decisions on that basis," says Hanley.
Android and the enterprise 2016 - Android's recent flaws
Google started offering monthly updates and patches for Android after the Stagefright flaw came to light but only its own Nexus devices running Android 5.x get these. Other major vendors also offer patches sent to them by Google as and when they can.
Stagefright - 2015
Probably the most serious security flaw ever to hit Android, this one affecting a media playback component of the OS nobody usually thinks much about called Stagefright. Discovered by a researcher working for a firm called Zimperium, attackers could exploit the issue by sending a malicious video message to almost any Android handset on the plant, which would execute automatically. Incredibly, no user interaction is needed and the message could even render itself invisible by deleting itself.
Sign up for CIO Asia eNewsletters.