Cheap clone Android tablets of the sort that crowd the shelves of many bricks-and-mortar US stores are often riddled with dangerous but hidden security flaws, a test by BlueBox Security has found.
The firm's motivation for carrying out the test of a dozen popular tablets was to advertise the capabilities of its own Trustable assessment tool, but what it found suggests there is still plenty to worry about.
The problem, of course, is that tablet reviews rarely mention security beyond what comes with Android itself because it's hard to know what's going on at a low level. And yet there are many places where it can fall down badly without the user or buyer realising.
The first and unexpected finding was that having a more recent version of Android isn't necessarily a reliable indication of how secure a tablet is. Sure enough, the top-scoring tablet was the brand new HTC Nexus 9 running Android 5.0, yet the second-best performer was Samsung's $100 Galaxy Tab 3 Lite, which scored a creditable 8.6 out of a maximum of ten despite running the aging 4.2.2.
This beat not only the other five tablets running the same version by some distance, but also five others running later versions such as 4.4.2. The DigiLand sold by Best Buy was apparently running 4.4.0 but was so poor that it was given no score at all.
Caveat emptor: within the bulk of tablets, the Android version is only a vague indicator of security - the brand and underlying engineering competence are more important.
The full field of tablets is represented in this table (apologies for the size) with their scores and sellers such as Walmart, Staples, Kmart, Fred's, Walgreens, Kohl's, BestBuy and Target.
Some of these tablets are unbelievably cheap. For instance the Kmart and Staples' tablets will set consumers back a ludicrous $40 (£30) while several others can be bought for $50. What can people possibly expect for such small sums?
DigiLand's poor device suggests not a lot. Its makers had opened it up to potential Trojan attack by signing firmware with an Android Open Source Project (AOSP) test key, while the USB debugging port was running with root privileges. It was also vulnerable to one significant flaw - the Futex vulnerability - although it's fair to point out that it is not alone in that.
Many others manifested similar engineering weaknesses, a common issue being that third-party app downloads were enabled by default. Allowing third-party app stores automatically lowers security protection, not least because it makes it possible for dodgy apps that get on to the device to call secondary downloads.
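A buyer or reviewer can look for the test-key signing and root-privileged USB debugging described above by reading a device's build properties. The following is an added example, not code from BlueBox or its Trustable tool; the sample property dump is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format printed by `adb shell getprop`;
# values are illustrative, not taken from any tablet in the test.
SAMPLE_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.build.version.release]: [4.4.2]
[ro.debuggable]: [1]
[ro.secure]: [0]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_build(props):
    """Return (property, finding) pairs for risky build settings."""
    findings = []
    tags = props.get("ro.build.tags", "")
    # The tag is a label set at build time: a hint that the image was signed
    # with the public AOSP test key, not proof of which certificate was used.
    if "test-keys" in tags.split(","):
        findings.append(("ro.build.tags", "build labelled as signed with test keys"))
    # With ro.secure=0, adbd keeps root instead of dropping to the shell user.
    if props.get("ro.secure") == "0":
        findings.append(("ro.secure", "adb shell runs as root"))
    if props.get("ro.debuggable") == "1":
        findings.append(("ro.debuggable", "debuggable build; adbd can be restarted as root"))
    if props.get("ro.build.type") in ("eng", "userdebug"):
        findings.append(("ro.build.type", "engineering or debug build shipped to users"))
    return findings


if __name__ == "__main__":
    for prop, finding in audit_build(parse_getprop(SAMPLE_GETPROP)):
        print(f"{prop}: {finding}")
```

On a real device the input would be the saved output of `adb shell getprop`; a clean retail build normally reports `release-keys`, `ro.secure` of 1 and `ro.debuggable` of 0.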