Narrative: Android's Poor Security
Each narrative page (like this) has a page describing and evaluating the narrative, followed by all the posts on the site tagged with that narrative. Scroll down beyond the introduction to see the posts.
Narrative: Android’s Poor Security (Jan 10, 2017)
Written: January 10, 2017
Android is the world’s dominant operating system, running on significantly more devices than any other smartphone or PC operating system, and with several times the market share of Apple’s iOS in smartphones. And yet it has struggled throughout its history with both the reality and the perception of poor security relative to iOS in particular.
The most obvious reason is Android’s deliberate openness – whereas Apple’s iOS is tightly controlled from the App Store to default applications to browsers to content purchasing, Android is the Wild West in comparison. That’s a key part of the value proposition, and it’s served Google and its OEMs very well. But it also allows the installation of malicious apps and other vulnerabilities which iOS for the most part simply doesn’t suffer from.
On top of that, the loose nature of the ecosystem means that whatever is in the latest versions of Android from a security perspective, only a tiny minority of the installed base actually runs it at any given time. The rest of the base, meanwhile, has often remained open to threats which target older versions of Android and the vulnerabilities they offer. Google has reduced this threat somewhat over time with a parallel set of security updates which are fast-tracked by OEMs and carriers, but they still don’t reach all devices quickly.
Lastly, some vulnerabilities result from the fact that OEMs and Android aren’t as tightly integrated or the resulting devices as locked down as iOS from a security perspective. Fingerprint technology on the iPhone uses a secure enclave with encrypted data that makes it all but impossible to crack, especially when running the latest software on recent hardware. Android devices, however, have been looser when it comes to such elements, and that looseness has been exploited.
For all the legitimate criticism of Android as a less secure operating system, it has got better over time, and iOS isn’t exactly invulnerable either. The latter doesn’t suffer from the same vulnerabilities and the security problem on iOS is marginal in comparison, so there shouldn’t be any false equivalence here, but it’s a matter of degree rather than a binary yes/no situation. All told, however, iOS remains the more secure operating system by some way, and that’s likely to continue to be the case.
Google Provides an Update on Android Security (Mar 23, 2017)
This is a year-in-review post from the Android security team, and it’s supposed to be reassuring on the state of Android security. However, there are several fairly worrisome data points in here worth pulling out. Google says 0.71 percent of all Android devices had a “potentially harmful app” installed at the end of 2016, so almost 1% of the roughly 1.5 billion Android devices in use, which amounts to almost 11 million actual devices, and that number has risen rather than fallen in the past year. Secondly, even though Google has been working with carriers and OEMs to push security updates to devices outside the very slow OS upgrade cycle, about half of devices in use at the end of 2016 had not received a platform security update in the previous year. Given how frequently Android exploits are discovered, that’s pretty worrying. On the plus side, Google has reduced installations of malware from the store by around 50% across several categories, which is obviously good news, but the fact that it acknowledges some of the apps installed from the official store still contain malware is a sign that it isn’t doing its verification job well enough.
CIA Leak Reveals Gaps in Patchwork of Android Software – WSJ (Mar 11, 2017)
The CIA leak taught us nothing new about the slow rate of Android adoption, but it did perhaps serve as a reminder of its consequences for security. Android adoption is notoriously slow, and it’s something I’ve written about quite bit (see here for my most recent deep dive into the numbers). It takes roughly two years on average for a new version of Android to reach 50% adoption among the base, and no version ever gets above about 40% adoption before a new version begins eating into its share. Compare that to iOS, which typically gets to about 70% adoption within a few months of release, and whose two most recent versions usually account for over 90% of the total base. In the past, this was very problematic, because it meant security vulnerabilities weren’t patched and users were left open to hacks and malware. However, more recently Google and its partners have separated some of the security patches from major OS updates and fast tracked these through a separate update process with the carriers. It’s not a universal solution, but it has helped mitigate some of the security impacts that result from slow OS updates. However, Android in general continues to be far more vulnerable to malware than iOS both because of the slow update issue and because of its overall architecture.
99% of Mobile Malware Targets Androids Because of Open Store and Infrequent OS Updates – F-Secure (Feb 15, 2017)
This data comes from the blog of F-Secure, a European cyber-security company which tracks malware. The key finding here shouldn’t be a surprise – Android sees 99% of malware activity on mobile, for three simple reasons: it has by far the largest share, its app stores are open and often weakly policed, and Android devices are often very slow to get OS updates and software patches, although it has been doing better on that last point recently. Interesting, there’s still far more malware being created for Windows PCs than Android, even though there are fewer of them, but the range of malware being created for Android is approaching that which targets PCs, even though the main focus is still trojans. All of this, of course, only serves to reinforce the narrative about Android being insecure.
This is another one of those occasions where Android’s relatively open and complex structure allows for malware which couldn’t exist on iOS. In this particular case, it’s the layering of third party software (a customized version of the SwiftKey keyboard) on top of a customization of the UI and services (by Samsung) on top of the Android base layer. To be fair, this attack isn’t nearly as broad a threat as malware distributed through the Google Play Store – it requires a man in the middle attack and is therefore mostly a risk to those who might be deliberately targeted by hackers – but it’s still not good news, especially given the wide distribution of the devices in question. The complex route security patches have to take in the Android world is another element that will hamper the resolution of this issue.
via Ars Technica
Virulent Android malware returns, gets >2 million downloads on Google Play | Ars Technica (Jan 23, 2017)
Malware continues to be one of those things that essentially only affects Android in the smartphone world – iOS is for all intents and purposes immune to it because of the strong review process that all apps go through and because apps are sandboxed within the OS. The biggest single downside of Android’s relative openness is this vulnerability to malware, and that’s especially worrisome when the malware is distributed through the official Google Play Store. The numbers here are small in the grand scheme of the Android installed base of well over a billion users, but if you’re one of those two million, that doesn’t matter.
This sort of thing is exactly why Apple makes such a big deal about the secure enclave on iPhones (and the new MacBook Pro) – fingerprint security is only as secure as the encryption and protection for the sensor data on the device. The biggest issue for Android vendors here is that this isn’t really the kind of vulnerability that can easily be patched after the fact.