Samsung's Android-powered Galaxy Note 5. Photo: Samsung.

From July 2011 to July 2015, nearly 88% of Android-powered devices on average suffered a critical security flaw, according to a new study from The University of Cambridge. Most of the blame lies with Alphabet's many hardware partners, which often fail to deliver security updates on a timely basis.

In the past, Apple has often criticized the Android platform for its relative lack of security. CEO Tim Cook once characterized Android as a "toxic hellstew" of vulnerabilities. This study appears to lend credence to that assessment.

A complicated process
Patching an Android device is a complex process, with many different firms playing key roles. Alphabet develops Android, but it remains open source -- device-makers are free to modify it as they see fit. Alphabet often releases Android updates, but manufacturers are responsible for pushing those updates to the many devices they make and sell. Carriers often add another layer of complexity to the mix, standing between device-makers and consumers in some markets. For these reasons, Android updates are often delayed weeks or months, if they're delivered at all. 

Earlier this year, researchers discovered a series of bugs present in some newer versions of Android that allowed attackers to take control of a device by sending a simple text message. Alphabet quickly patched the bugs, collectively known as Stagefright, but its hardware partners took several weeks to update their devices. The most popular Android handsets have received updates, but given the thousands of different Android models in use, plenty of Android devices may remain vulnerable to this day.

Apple, in contrast, uses a completely different model, pushing iOS updates to the iPhone directly -- with no partner or carrier involvement. iOS is not an invulnerable platform, but it's likely more secure than Android. In its study, The University of Cambridge awarded individual Android devices and manufacturers security scores on a scale ranging from 0 to 10. One of the study's authors, Daniel Thomas, told ZDNet that Apple and the iPhone wouldn't score a perfect 10, but would likely outrank every Android manufacturer and device.

Nexus does better than the others
Alphabet's own Nexus devices were found to be the most secure, with the Galaxy Nexus, Nexus 4, and Nexus 7 among the top-scoring models on The University of Cambridge's scale. Like Apple, Alphabet pushes Android updates to its Nexus devices directly. Among Android manufacturers, LG and Motorola scored the best, while two firms most have likely never heard of -- Symphony and Walton -- scored the worst. Both Symphony and Walton make cheap Android handsets sold in Bangladesh -- a powerful testament to Android's ability to bring connectivity to consumers everywhere, but also a perfect example of the platform's fragmentation.

In the wake of the Stagefright vulnerability, two of Alphabet's most dominant partners -- Samsung and LG -- promised to push security updates to their Android handsets monthly. But last month, HTC said that goal was unrealistic. Ultimately, most Android handset buyers must put their trust in individual manufacturers -- not Alphabet -- for security updates.

It's unlikely that consumers will parse through Cambridge's study before purchasing their next handset, but the relative reputation of the two platforms could have an effect on sales. Fair or not, Alphabet's mobile operating system has earned a reputation for security problems, and this latest study lends further credence to that notion.