Are Android security scares really as bad as they seem?


It's that time of the week again!
It's that time of the week again!
Photo: Ste Smith/Cult of Mac

After the discovery of several dangerous flaws in a few short weeks, Android’s security — or lack thereof — has been big news. Google has acted quickly to eliminate the Stagefright flaw that left 95% of Android devices vulnerable to attack, but others have since wormed their way out of the woodwork.

Friday-Night-Fights-bug-2Now fans are asking how these flaws made their way into public Android releases, compromising the security of more than 1 billion users worldwide. Could Google be doing more to prevent it? And are its hardware partners doing all they can to patch holes in their own software?

Join us in this week’s Friday Night Fight between Cult of Android and Cult of Mac as we fight it out over these questions and more!

cartoonluke_360.pngLuke Dormehl (Writer, Cult of Mac): Sorry to drag down the mood by making you defend Android, but there’s a topic I’ve wanted to discuss for ages — and that’s security.

There’s been loads in the news recently about malware and security concerns. The big one, as I’m sure you’re aware, is the Stagefright flaw — which allowed attackers to get access Android devices with a single malicious MMS. By any stretch of the imagination, it was a horrendous security lapse, which affected 95 percent of devices running Android 2.2 through 51.

Now, don’t get me wrong: there have been a few iOS and Mac security flaws over the years, but the situation with Android is considerably worse. And it’s made even more serious by the fact that, even when Google does seem interested in addressing a flaw, Android’s nightmarish fragmentation problem means OEMs don’t necessarily deem them worthwhile to pass on to users.

What say you to the charges?

Killian-FNFKillian Bell (Writer, Cult of Android): There’s no denying that something has to be done about Android’s malware problem. Google must do more to plug the holes that allow flaws like Stagefight to do dangerous things, and its hardware partners must also work harder to deliver fixes to all users — not just those with a recent handset.

But the problem isn’t being ignored. Google, LG, and Samsung have already announced that they will soon deliver monthly security patches in an effort to make Android as safe as possible, and fix issues as soon as they arise — and if other manufacturers have any sense, they’ll do the same.

Android will always be a target because it’s such a big platform, and it’s designed to give users freedom. It’s the same reason why Windows has always been a bigger target than OS X. But attackers can be discouraged by stronger security, that’s for sure.

Samsung has already begun rolling out Stagefright fixes.
Samsung has already begun rolling out Stagefright fixes.
Photo: Killian Bell/Cult of Mac

cartoonluke_360.pngLD: Well, I’m glad we’re in agreement that Android sucks. Want to finish up for the day and go and get a coffee?

Killian-FNFKB: Let’s not get carried away here. While this is a serious problem, the reports you read will lead you to believe that the situation is actually a whole lot worse than it is.

Stagefright had the potential to affect around 95% of Android devices, but the flaw was discovered by security experts — not some teenage hacker who wants to steal everyone’s nudes — so it’s not like attackers have been using it to gain access to our phones. In addition, Google acknowledged the issue and started fixing it before Stagefright was made public.

Things like this make Android more secure. Every platform ships with flaws — it’s impossible to eliminate all of them before they’re out in the wild — and as more are detected and eliminated, the more secure the platform becomes.

Let’s not forget every version of iOS ships with its fair share of flaws, too. It’s not often they lead to malware and malicious apps — fortunately for Apple’s users — but every jailbreak takes advantage of a flaw in iOS to gain access to parts of the system that should be sealed off.

cartoonluke_360.pngLD: That’s a fair point, but, really, is it any defense to say that it’s okay because it was discovered by the right people? I figured out a few weeks back that I could open the door at the back of my house by giving it a hard push — even when it’s supposed to be locked. Am I glad I discovered it rather than a thief? Of course. If it was a newly-installed door that did that, would I still be wanting to get a new builder next time round? Absolutely.

You’re right that nothing ships completely problem-free. It’s one reason why over-the-air updates are so good — when companies choose to use them. But this idea that security is something blown out of proportion by iOS users is ridiculous. It’s a massive, gaping hole in Android, and a reason why a lot of people stay away from it if they have the option. Yes, a reasonably savvy user can often get around these problems by being cautious when installing apps or checking carefully if an SMS is a phishing message. But you shouldn’t have to.

It’s a fundamental problem with Android’s approach to openness. Like a door that anyone can open, by it’s very nature it’s not secure.

iOS has flaws, too -- but a lot less malware.
iOS has flaws, too — but a lot less malware.
Photo: Killian Bell/Cult of Mac

Killian-FNFKB: What was your address again?

The point is, you can fix your back door before others find out about it and it becomes a real problem — just like Google can fix Stagefright before attackers take advantage of it. But if it’s taken you this long to find out about your dodgy door, how do you expect Google’s developers to know about every single flaw in millions of lines of code before it ships out to users? It’s impossible.

I didn’t say the issue was blown out of proportion by iOS users; I’m saying the issue is blown out of proportion by most people. Even Android fanboys are turning their back on the platform because of it. And I’m not dismissing it — I accept it’s a problem that needs fixing — I’m just pointing out that Google is working on it, and it will continue to do so to make Android as secure as possible.

Again, iOS has its fair share of “gaping holes,” too, they’re just not exploited in the same way. Plenty of malicious apps have made their way into Cydia and caused problems on jailbroken devices, but we don’t hear about them much because they only affect a small number of people.

If Google was ignoring this issue, then I could understand why people are so upset — but it isn’t.

The other thing I’d like to point out is that it’s incredibly easy even for novice Android users to keep themselves safe. Don’t downloaded dodgy apps from untrusted sources and don’t connect to insecure Wi-Fi networks, and you’ll be fine.

cartoonluke_360.pngLD: Sounds like victim-blaming to me. Ultimately, it’s a problem that needs fixing — and despite the promises we’re hearing, it has yet to be fixed. Google accounts for 99 percent of mobile malware, which is just an horrific stat. Some people are going to put up with it because, to go back to my house analogy, it’s cheaper to have a house with no lock on your door than it is to buy one.  But that doesn’t make it okay.

But let’s let the readers decide this one shall we? Leave your comments below saying who you think won this particular debate — and why I did.

Friday Night Fights is a series of weekly death matches between two no-mercy brawlers who will fight to the death — or at least agree to disagree — about which is better: Apple or Google, iOS or Android?