Are Android security scares really as bad as they seem?

It's that time of the week again!
Photo: Ste Smith/Cult of Mac

After the discovery of several dangerous flaws in a few short weeks, Android’s security — or lack thereof — has been big news. Google has acted quickly to eliminate the Stagefright flaw that left 95% of Android devices vulnerable to attack, but others have since wormed their way out of the woodwork.

Now fans are asking how these flaws made their way into public Android releases, compromising the security of more than 1 billion users worldwide. Could Google be doing more to prevent it? And are its hardware partners doing all they can to patch holes in their own software?

Join us in this week’s Friday Night Fight between Cult of Android and Cult of Mac as we fight it out over these questions and more!

Luke Dormehl (Writer, Cult of Mac): Sorry to drag down the mood by making you defend Android, but there’s a topic I’ve wanted to discuss for ages — and that’s security.

There’s been loads in the news recently about malware and security concerns. The big one, as I’m sure you’re aware, is the Stagefright flaw — which allowed attackers to get access to Android devices with a single malicious MMS. By any stretch of the imagination, it was a horrendous security lapse, which affected 95 percent of devices running Android 2.2 through 51.

Now, don’t get me wrong: there have been a few iOS and Mac security flaws over the years, but the situation with Android is considerably worse. And it’s made even more serious by the fact that, even when Google does seem interested in addressing a flaw, Android’s nightmarish fragmentation problem means OEMs don’t necessarily deem them worthwhile to pass on to users.

What say you to the charges?

Killian Bell (Writer, Cult of Android): There’s no denying that something has to be done about Android’s malware problem. Google must do more to plug the holes that allow flaws like Stagefright to do dangerous things, and its hardware partners must also work harder to deliver fixes to all users — not just those with a recent handset.

But the problem isn’t being ignored. Google, LG, and Samsung have already announced that they will soon deliver monthly security patches in an effort to make Android as safe as possible, and fix issues as soon as they arise — and if other manufacturers have any sense, they’ll do the same.

Android will always be a target because it’s such a big platform, and it’s designed to give users freedom. It’s the same reason why Windows has always been a bigger target than OS X. But attackers can be discouraged by stronger security, that’s for sure.

Samsung has already begun rolling out Stagefright fixes.
Photo: Killian Bell/Cult of Mac

LD: Well, I’m glad we’re in agreement that Android sucks. Want to finish up for the day and go and get a coffee?

KB: Let’s not get carried away here. While this is a serious problem, the reports you read will lead you to believe that the situation is actually a whole lot worse than it is.

Stagefright had the potential to affect around 95% of Android devices, but the flaw was discovered by security experts — not some teenage hacker who wants to steal everyone’s nudes — so it’s not like attackers have been using it to gain access to our phones. In addition, Google acknowledged the issue and started fixing it before Stagefright was made public.

Things like this make Android more secure. Every platform ships with flaws — it’s impossible to eliminate all of them before they’re out in the wild — and as more are detected and eliminated, the more secure the platform becomes.

Let’s not forget every version of iOS ships with its fair share of flaws, too. It’s not often they lead to malware and malicious apps — fortunately for Apple’s users — but every jailbreak takes advantage of a flaw in iOS to gain access to parts of the system that should be sealed off.

LD: That’s a fair point, but, really, is it any defense to say that it’s okay because it was discovered by the right people? I figured out a few weeks back that I could open the door at the back of my house by giving it a hard push — even when it’s supposed to be locked. Am I glad I discovered it rather than a thief? Of course. If it was a newly-installed door that did that, would I still be wanting to get a new builder next time round? Absolutely.

You’re right that nothing ships completely problem-free. It’s one reason why over-the-air updates are so good — when companies choose to use them. But this idea that security is something blown out of proportion by iOS users is ridiculous. It’s a massive, gaping hole in Android, and a reason why a lot of people stay away from it if they have the option. Yes, a reasonably savvy user can often get around these problems by being cautious when installing apps or checking carefully if an SMS is a phishing message. But you shouldn’t have to.

It’s a fundamental problem with Android’s approach to openness. Like a door that anyone can open, by its very nature it’s not secure.

iOS has flaws, too -- but a lot less malware.
Photo: Killian Bell/Cult of Mac

KB: What was your address again?

The point is, you can fix your back door before others find out about it and it becomes a real problem — just like Google can fix Stagefright before attackers take advantage of it. But if it’s taken you this long to find out about your dodgy door, how do you expect Google’s developers to know about every single flaw in millions of lines of code before it ships out to users? It’s impossible.

I didn’t say the issue was blown out of proportion by iOS users; I’m saying the issue is blown out of proportion by most people. Even Android fanboys are turning their back on the platform because of it. And I’m not dismissing it — I accept it’s a problem that needs fixing — I’m just pointing out that Google is working on it, and it will continue to do so to make Android as secure as possible.

Again, iOS has its fair share of “gaping holes,” too, they’re just not exploited in the same way. Plenty of malicious apps have made their way into Cydia and caused problems on jailbroken devices, but we don’t hear about them much because they only affect a small number of people.

If Google was ignoring this issue, then I could understand why people are so upset — but it isn’t.

The other thing I’d like to point out is that it’s incredibly easy even for novice Android users to keep themselves safe. Don’t download dodgy apps from untrusted sources and don’t connect to insecure Wi-Fi networks, and you’ll be fine.

LD: Sounds like victim-blaming to me. Ultimately, it’s a problem that needs fixing — and despite the promises we’re hearing, it has yet to be fixed. Google accounts for 99 percent of mobile malware, which is just an horrific stat. Some people are going to put up with it because, to go back to my house analogy, it’s cheaper to have a house with no lock on your door than it is to buy one. But that doesn’t make it okay.

But let’s let the readers decide this one shall we? Leave your comments below saying who you think won this particular debate — and why I did.

Friday Night Fights is a series of weekly death matches between two no-mercy brawlers who will fight to the death — or at least agree to disagree — about which is better: Apple or Google, iOS or Android?

11 responses to “Are Android security scares really as bad as they seem?”

  1. Lucus Bendzsa says:

    LD you definitely won. As an Android user myself I am tired of being vulnerable and am switching back to iPhone today.

    • Micrones says:

      Even though you are entitled to your choice and opinion, you obviously missed the point of this editorial and verbal jousting. Most security flaws touted either on IOS or Android were flaws discovered by security hackers or researchers and not everyday Android or Apple fan boys.

      Creating that level of exploits takes a level of expertise that most people do not have and as stated, iPhone has its security flaws too but Android issues like to be screamed high…

      The level of access/restrictions allowed on each platform creates those situations, IOS is strongly sand-boxed which restricts the level of customization compared to Android which isn’t but allows for more customization thus allowing for these security flaws. It is simply a trade-off.

      If you do not go about downloading from unknown/trusted sources in Android, you will rarely have issues with regards to security.

      Sometimes these editorial pieces are never objective but pandering

      • Lucus Bendzsa says:

        #1 Both sides were represented so if all this completely fair.

        #2 yes this is a high level attacking that only professionals could find and use. Tell me again how China, North Korea, and Russia are not professionals. Hacking into Sony, the Government, and many other companies does not make these people professionals. Tell me more.

        #3 Willy Wonka meme

  2. Merckel says:

    Imagine, each Android phone is one text away from being a spy camera against the user. I would be more petrified than having a case of stage fright…

  3. Alphaman64 says:

    I’m getting tired of the old cliché that Android is targeted by malware writers because, like Windows before it, it has more marketshare. Hog. Wash.
    What about all those years where iOS had FAR more marketshare than Android, yet Android still had far more malware-share than iOS? What about the fact that we still see far more commercial transactions through iOS than Android?
    Thieves rob banks because that’s where the money is. But when it’s a secure bank, with marked bills, stored in a vault, with guards patrolling (like iOS’s secure ecosystem), they turn to robbing 7-11’s — the glass-doored insecure cheap place everyone can get junk food at. Just like Android.
    Android is targeted because it’s an easy target and has a flawed security model and ecosystem. Period.

    • Lucus Bendzsa says:

      And more important people use iPhones. They would be targeted more. Remember Android installs can be counted into $20 phones, emulators, cars, robots, computers, or anything else for that matter. Samsung made a stupid smart refrigerator running Android. Tell me again how you spend all day playing Nagry Burds standing up next to your refrigerator.

  4. Hard Little Machine says:

    I do forensics for a living and Android vulnerabilities are mostly on paper. You’re far more likely to download something terrible on purpose or get hit with a click-by than suddenly being struck dead as if by the hand of god. Security is 4/5ths human behavior.

  5. fakereader says:

    I’d like to try and raise some points that weren’t mentioned here. First let me declare my biases: I definitely prefer iOS, but not by a whole lot and I’ve mostly had Android phones as, well, it’s just a freaking phone. I’d rather spend the money I save on a better MacBook. So I like to think, on mobile devices at least, I’m not a fanboy of anything.

    1. After years on Android, I have to say that “99% of mobile malware” is, like, an awfully small amount of malware. Never heard of anyone actually getting a virus, never heard a virus or exploit named (i.e. not a vulnerability, but someone actually using a vulnerability to affect lots of people). Infosec companies gotta shift units, IT websites gotta get clicks. I think the problem, while real, is about as big an issue as shark attacks.

    2. Flaws in Android are found not because it’s inherently more insecure, but because the entire source code is publicly available. Which does, of course, make it inherently less secure, but it’s been part of the deal from the start and the only way for Google to “fix” that is to close-source Android. If that’s an issue to you, you should never have been on Android in the first place (as many Cult of Mac readers probably haven’t been). And, while iOS is (more) closed source, just bear in mind that it doesn’t mean the secret service of hasn’t got access to the full source, and found some great ‘sploits that no security researcher is going to be able to. You won’t know until someone decides to do a Snowden for you. At least with Android you now know to disable MMS by any means you can until you get a fix (or just leave it off).

    3. I know Google is big and has resources, but they give Android away for free and the responsibility – objectively – of releasing fixes really does lie with the manufacturer of the individual phone. And the behemoth, Samsung, looks like it’s doing just that. A little belatedly for sure.

  6. Chris Mitchell says:

    KB said “how do you expect Google’s developers to know about every single flaw in millions of lines of code before it ships out to users? It’s impossible.”

    It is NOT impossible. I am a programmer and have dealt with millions of lines of codes. It takes DOCUMENTATION, DOCUMENTATION, DOCUMENTATION!!! It also takes a lot of oversight by the lead programmers to look for traps, bugs, loose ends, etc. in the different modules as they are designed. You must know that these ‘millions of lines of code’ are not contiguous. They are tasks, sub-tasks, etc. It is VERY possible to ship millions of lines of code without major security flaws.

  7. jameslahara says:

    Dude said finding problems like this help android be more “secured” mannnnnn that garbage called android is one of GOOGLES center for taking users data haha. Android isn’t secure.

  8. TomV says:

    KB: “… Plenty of malicious apps have made their way into Cydia and caused problems on jailbroken devices, but we don’t hear about them much because they only affect a small number of people.”

    That’s a strange argument, jailbreaking and using Cydia or whatever apps is like removing your house door !
