Narrative: Android's Poor Security
Each narrative page (like this) has a page describing and evaluating the narrative, followed by all the posts on the site tagged with that narrative. Scroll down beyond the introduction to see the posts.
Narrative: Android’s Poor Security (Jan 10, 2017)
This content is restricted to paid subscribers to the Tech Narratives service. You can sign up on this page for a 30-day free trial, which will give you access to all the content on the site including the daily comments, narrative essays, subscriber forums, and other restricted features. If you’re already a subscriber, you can sign in using the link below.
If you’re already a member, you can sign in here.
Google Provides an Update on Android Security (Mar 23, 2017)
This is a year-in-review post from the Android security team, and it’s supposed to be reassuring on the state of Android security. However, there are several fairly worrisome data points in here worth pulling out. Google says 0.71 percent of all Android devices had a “potentially harmful app” installed at the end of 2016, so almost 1% of the roughly 1.5 billion Android devices in use, which amounts to almost 11 million actual devices, and that number has risen rather than fallen in the past year. Secondly, even though Google has been working with carriers and OEMs to push security updates to devices outside the very slow OS upgrade cycle, about half of devices in use at the end of 2016 had not received a platform security update in the previous year. Given how frequently Android exploits are discovered, that’s pretty worrying. On the plus side, Google has reduced installations of malware from the store by around 50% across several categories, which is obviously good news, but the fact that it acknowledges some of the apps installed from the official store still contain malware is a sign that it isn’t doing its verification job well enough.
CIA Leak Reveals Gaps in Patchwork of Android Software – WSJ (Mar 11, 2017)
The CIA leak taught us nothing new about the slow rate of Android adoption, but it did perhaps serve as a reminder of its consequences for security. Android adoption is notoriously slow, and it’s something I’ve written about quite bit (see here for my most recent deep dive into the numbers). It takes roughly two years on average for a new version of Android to reach 50% adoption among the base, and no version ever gets above about 40% adoption before a new version begins eating into its share. Compare that to iOS, which typically gets to about 70% adoption within a few months of release, and whose two most recent versions usually account for over 90% of the total base. In the past, this was very problematic, because it meant security vulnerabilities weren’t patched and users were left open to hacks and malware. However, more recently Google and its partners have separated some of the security patches from major OS updates and fast tracked these through a separate update process with the carriers. It’s not a universal solution, but it has helped mitigate some of the security impacts that result from slow OS updates. However, Android in general continues to be far more vulnerable to malware than iOS both because of the slow update issue and because of its overall architecture.
99% of Mobile Malware Targets Androids Because of Open Store and Infrequent OS Updates – F-Secure (Feb 15, 2017)
This data comes from the blog of F-Secure, a European cyber-security company which tracks malware. The key finding here shouldn’t be a surprise – Android sees 99% of malware activity on mobile, for three simple reasons: it has by far the largest share, its app stores are open and often weakly policed, and Android devices are often very slow to get OS updates and software patches, although it has been doing better on that last point recently. Interesting, there’s still far more malware being created for Windows PCs than Android, even though there are fewer of them, but the range of malware being created for Android is approaching that which targets PCs, even though the main focus is still trojans. All of this, of course, only serves to reinforce the narrative about Android being insecure.
This is another one of those occasions where Android’s relatively open and complex structure allows for malware which couldn’t exist on iOS. In this particular case, it’s the layering of third party software (a customized version of the SwiftKey keyboard) on top of a customization of the UI and services (by Samsung) on top of the Android base layer. To be fair, this attack isn’t nearly as broad a threat as malware distributed through the Google Play Store – it requires a man in the middle attack and is therefore mostly a risk to those who might be deliberately targeted by hackers – but it’s still not good news, especially given the wide distribution of the devices in question. The complex route security patches have to take in the Android world is another element that will hamper the resolution of this issue.
via Ars Technica
Virulent Android malware returns, gets >2 million downloads on Google Play | Ars Technica (Jan 23, 2017)
Malware continues to be one of those things that essentially only affects Android in the smartphone world – iOS is for all intents and purposes immune to it because of the strong review process that all apps go through and because apps are sandboxed within the OS. The biggest single downside of Android’s relative openness is this vulnerability to malware, and that’s especially worrisome when the malware is distributed through the official Google Play Store. The numbers here are small in the grand scheme of the Android installed base of well over a billion users, but if you’re one of those two million, that doesn’t matter.
This sort of thing is exactly why Apple makes such a big deal about the secure enclave on iPhones (and the new MacBook Pro) – fingerprint security is only as secure as the encryption and protection for the sensor data on the device. The biggest issue for Android vendors here is that this isn’t really the kind of vulnerability that can easily be patched after the fact.