Flabbergastingly insecure: Google's Android is the new Flash

Posted in iPhone, edited August 2015
Several years ago, Steve Jobs called out Adobe Flash as a trainwreck of security and performance problems, garnering him contempt from industry players deeply invested in the software platform. Today, Google's Android platform is getting the same brutal appraisal, but it's coming from Android's own fans.

Google's Flash in the Android pan

Today, virtually everyone agrees that Flash is a petulant boil on the web. Wired recently referred to Flash as "that insecure, ubiquitous resource hog everyone hates to need," in an article detailing both Mozilla's efforts to disable Flash in its browser and Facebook's security chief Alex Stamos calling for Adobe to give Flash a kill date.

Even Google--once a staunch proponent of Flash back in 2010, when it hoped to wield the closed source web middleware as a distinguishing feature of Android tablets compared to Apple's Flash-free iPad--has made great efforts to distance itself from the persistent headache that is Flash.

Google's new opinion of Flash came only after a very painful experience of working to deeply integrate Adobe Flash into Android and its web browser. Rather than proving that Apple was wrong about Flash being unsuitable for mobile devices, Google provided clear evidence that the years of engineering effort it expended on baking Flash into Android were a fool's errand.

Hundreds of millions of Android devices gained the supposed advantage of being able to play back some Flash content, at the painful cost of suffering grievous software flaws. The clearest example is the "Fake ID" bug reported by Bluebox Security last year: Android's package installer accepted an app's certificate chain on the strength of the issuer name alone, without verifying that each certificate had actually been signed by the certificate it named as its issuer. Because the Android WebView granted plugin-level privileges to any app that appeared to carry Adobe's Flash signing certificate, a malicious app could forge an "Adobe-issued" certificate, get itself loaded as the Flash plugin, and run its own code inside other apps' web views.
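The class of mistake behind Fake ID is easy to see in a few lines of code. The following Go program is an added illustration written for this article, not Android's or Bluebox's code: it builds, in memory, a trusted root certificate, a leaf the root really signed, and a forged leaf whose Issuer field merely copies the root's name. The names ("Trusted Plugin Vendor CA", "Genuine Plugin", "Malicious App") and the keys are constructed test material. A check that compares issuer and subject names accepts both leaves; a check that verifies the signature against the root's key rejects the forgery.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key (constructed test material, not a real signing key).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newTemplate builds a minimal certificate template for the given common name.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
	}
}

// sign issues tmpl for pub, signed by signerKey, copying the Issuer field from
// issuer.Subject. Nothing here ties signerKey to issuer: a certificate can
// *claim* any issuer it likes, which is why name matching proves nothing.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario holds a trusted root, a leaf it really signed, and a forged leaf
// that merely names the root as its issuer.
type Scenario struct {
	Root, Genuine, Forged *x509.Certificate
}

// BuildScenario constructs all three certificates in memory (no I/O).
func BuildScenario() (*Scenario, error) {
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	rootTmpl := newTemplate("Trusted Plugin Vendor CA", 1, true)
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	if err != nil {
		return nil, err
	}

	// Genuine leaf: issued and signed with the root's private key.
	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	genuine, err := sign(newTemplate("Genuine Plugin", 2, false), root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}

	// Forged leaf: the attacker copies the root's Subject into a stand-in issuer
	// object and signs with their own key. The Issuer DN reads exactly like the
	// real root's name, but no signature by the root exists.
	attackerKey, err := newKey()
	if err != nil {
		return nil, err
	}
	fakeIssuer := &x509.Certificate{
		Subject: root.Subject, RawSubject: root.RawSubject,
		BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign,
	}
	forged, err := sign(newTemplate("Malicious App", 3, false), fakeIssuer, &attackerKey.PublicKey, attackerKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Genuine: genuine, Forged: forged}, nil
}

// IssuerNameMatches is the weak check: does the leaf's Issuer DN equal the
// root's Subject DN? Names are attacker-controlled, so this accepts the forgery.
func IssuerNameMatches(leaf, root *x509.Certificate) bool {
	return leaf.Issuer.String() == root.Subject.String()
}

// SignatureChainsTo is the correct check: was the leaf's signature actually
// produced by the root's key (and is the root allowed to sign certificates)?
func SignatureChainsTo(leaf, root *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(root) == nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for name, leaf := range map[string]*x509.Certificate{"genuine": s.Genuine, "forged": s.Forged} {
		fmt.Printf("%-8s issuer-name match: %-5v  signature verifies: %v\n",
			name, IssuerNameMatches(leaf, s.Root), SignatureChainsTo(leaf, s.Root))
	}
}
```

Run it with `go run .`: both leaves pass the name check, only the genuine one passes the signature check. The lesson generalizes beyond Android: any trust decision keyed on a certificate's printed identity, rather than on a signature verified against a key you already trust, can be satisfied by a certificate the attacker minted themselves.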

Despite earning so much contempt, Flash remains ubiquitous. If you surf the Web with Flash warnings turned on, a startlingly high percentage of websites insist on trying to load the Flash Player plugin, even when there's no obvious reason: no videos to play back, no weblet games and no over-the-top navigation animations. Flash on the web is like High Fructose Corn Syrup in America: broadly frowned upon, but awfully difficult to avoid.

Hence the growing chorus of security experts and platform vendors calling for Adobe to simply call it quits on Flash.

Android is a lot like Flash

The same engineers and product managers at Google who thought shoehorning Flash into Android was a good idea also created the rest of Android. Somewhat ironically, Google even brands Android with a robot logo usually portrayed in the sick color of a sinus infection discharge.

The lack of thought put into every aspect of Android clearly shows: the platform is now the world's largest toxic malware sinkhole, a dubious achievement given that Microsoft garnered so much outrage for building a platform of garbage so terrible that a Windows PC was guaranteed to be automatically deluged with malware and viruses simply by being plugged into the Internet.

Android recently surpassed Windows not only in unit shipment "popularity," but also in its rampant insecurity as a platform. What started with a series of massive vulnerabilities--exacerbated by Flash but not entirely the fault of Flash by any means--has now gotten to the point where most Android devices in use can be taken over by a single malicious multimedia (MMS) message, thanks to the latest flaw to be discovered: Stagefright, a set of bugs in Android's libstagefright media library that are triggered simply by parsing a crafted video file, which the messaging app may do automatically before the user has opened anything.

Android Stagefright vulnerability

Vulnerabilities exist for other platforms too, for everything from Red Hat Linux to Apple's own iOS and OS X. The primary difference is that serious enterprise software vendors, Apple among them, work diligently to patch and distribute their fixes to every possible user. For years, Apple has been patching potentially exploitable flaws for iPhones, iPads and Macs originally sold three to four years ago, and in some cases many more years prior to that. That has helped to secure Apple users from exploits in most cases before malicious code could even be written to take advantage of discovered flaws.

Other mobile platforms can't claim that: Symbian, webOS, BlackBerry, Windows Mobile and in particular Android have all done a terrible job in distributing new software patches to existing phone users. The same hardware vendors who previously maintained a dismal record in distributing security update patches for their phones before Android have continued to shirk their responsibility to quickly work to patch vulnerabilities under Android.

Even when Google makes efforts to patch a known flaw in Android, hardware vendors seem to have little interest in promptly rolling out the patches to their existing users, in large part due to the complexities in tweaking patches to work across the tens of thousands of slightly different Android models now in use. On top of that, mobile carriers often erect their own impediments to complicate the distribution of Android patches, because each carrier also tweaks the legions of hardware models they carry with their own customizations.

Lorenzo Franceschi-Bicchierai, a self described Android fan, recently wrote a piece for Vice Motherboard that lamented the sloppy state of security that exists for Android, noting that "Android users are basically at the mercy of their carriers and phone manufacturers when it comes to getting updates or new operating system versions."

He cited a deleted tweet by security researcher Nicholas Weaver which stated, "Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android."

Android security problems are worse than Flash

Really, the security problems on Android are worse than Adobe's incessantly-updated garbage-ware known as Flash. It's a pain to keep your browser's Flash Player up-to-date, but at least it's possible if you don't mind installing new software updates over and over, seemingly every time you are forced to use it.

With Android, basic security isn't even a possibility unless you are savvy enough to build your own firmware from the Android Open Source Project and flash it yourself, which additionally requires an unlockable bootloader and the proprietary vendor binaries for your particular hardware. Even then there's a problem: in many cases, Google doesn't care about your problems any more than the carriers and their hardware partners do.

For example, the legacy WebKit-based WebView in Android 4.3 and earlier, the same component that granted plugin privileges to anything signed with Adobe's Flash certificate in the Fake ID case, remains unfixed for hundreds of millions of users. When security researchers publicly reported in January that the code was riddled with serious flaws, Google stated that it would no longer develop patches for it, even though roughly 60 percent of Android users were running those versions at the time.

While Google's adoption figures for newer versions of Android software continue to slowly increase, six months after the issue was widely reported nearly half of the entire Android installed base actively using Google Play remains vulnerable to the serious flaws in WebView that Google declines to fix. Its stated advice, to upgrade to a newer Android release or to use a browser updated separately through Google Play, depends on the same vendors and carriers that don't ship updates in the first place.

Imagine if there were a long list of severe flaws in Flash, affecting the majority of its users, which Adobe shrugged off fixing because it hoped those users would just eventually buy newer computers. That would be outrageous anywhere else but in Android-land, where it's just business as usual.

Android's security issues a result of Google's design

Android isn't just poorly maintained by a series of partners who don't care about their users. Google has regularly taken positions that put Android users at high risk by design, carelessly hoping that nothing would go wrong. This is evident in Android's core policies, often made in ideological contempt for Apple, of which Google's breathtakingly stupid embracing of Flash for mobile devices is just one example.

At the very core of Android's ideological open-source freedom concept is the notion that devices don't need a real security policy governing what executable software can be installed. A single "Unknown sources" toggle, once flipped, lets a package be installed from a URL link, from an NFC tap or, most recently, from a URL pushed by one of Google's new "Eddystone" beacons, the company's iBeacon-rivaling protocol that lets random Bluetooth LE devices broadcast URLs to nearby phones. There is no per-source policy, and Android only requires that an app be signed by someone, not by any authority the device actually trusts. It's almost as if Google wants Android to be insecure.

From the very start, Google championed the idea of being able to load software from virtually anywhere as an example of Android's "freedom," but the reality is that "open app stores" are just as insane from a security point of view as hardwiring Flash into the browser. The primary reason why virtually all mobile malware in existence is written for Android is the simple fact that it is astoundingly easy to distribute malware leveraging the permissive security policies that let most Android devices install software from anywhere, in some cases without the user ever being aware that software is even being installed.

Last year, Google's Android chief Sundar Pichai stated, "If I had a company dedicated to malware, I would also send my attacks to Android," suggesting that his platform's malware problem was mostly due to Android's broad use, drawing parallels with Microsoft's notoriously malware-riddled Windows platform.

If Android and Windows were the only global platforms with around a billion users, that idea might be believable. For years, Apple's relatively small Mac market share among PCs kept alive the notion that as soon as Macs reached a certain proportion of PCs, they too would be overcome with rampant malware issues.

However, Apple's iOS is now poised to soon pass Windows in unit shipments. And while a greater number of generic mobile devices have some version of Android on them, Apple's ability to keep most of its users on a modern version of iOS less than a year old means that a greater number of devices run iOS 8 than run a year or two old version of Android. Apple has hundreds of millions of iOS users, and tens of millions of Mac users; it just doesn't have the massive malware problem of Android and Windows.

That indicates pretty clearly that malware isn't just an unavoidable byproduct of popularity. Like other predators, malware authors seek out vulnerable populations, not just crowds. Apple's security policies that keep iOS vulnerabilities patched, iOS users up to date and iOS apps secured haven't stopped the media from writing deceptive scare pieces implying that iOS is just as bad as Android, but they have made it virtually impossible to commercially benefit from writing malware for iOS.

On the other hand, there's lots of money to be made in scamming and spying on Android and Windows users. Software to spy on Android and Windows users is openly sold on the Internet, but similar tools for iOS aren't available--even to law enforcement--unless the spy victim's phone has been jailbroken.

FinSpy malware can't infect iOS without jailbreak


That indicates that while iOS is clearly a valuable target to malicious hackers, the platform is protected well enough by Apple to make it effectively too expensive to continuously target and retarget as past exploit vectors are eliminated or blocked.

Google has repeatedly left the majority of its users unprotected against known problems, making it easy to exploit those users and profit from doing so. That makes the hundreds of millions of iOS users like a swiftly moving school of fish in the eyes of hungry predators, while Android users are more like a herd of caribou where more than half of the population are lame and unable to evade even the laziest of attackers. iOS is a frustrating target, while Android is an easy kill.

Android's demographic becoming even less valuable for Google to secure

Complicating the current malware situation for Android is the reality that iOS already represents the demographic cream of the market. Apple's users shop the most, buy the most apps, browse the most and are worth more to advertisers. As Android's malware issue continues to raise hackles among even the platform's most ardent fans, that value proposition will increasingly favor iOS as the remaining valuable users defect to the only secure platform left.

That in turn will leave Google with even less valuable users to maintain and support. That migration isn't just conceptual. Apple's latest iPhone 6 has attracted record numbers of new users from Android, while Samsung, Android's largest licensee, has experienced a massive drop in revenues over a series of quarters. Few other Android vendors are even breaking even, let alone earning sustainable profits.

And yet, the same sources who consistently reported that Apple was fated to eventually inherit a malware crisis due to volume shipments are now fretting that Apple is on the brink of disaster, and that next year's iPhone will have a hard time attracting users, even though there is zero evidence supporting this idea.

It's almost as if pundits and ideologues think that making excuses for Android will erase its problems, while inventing new catastrophes of doom for Apple will sink its success, if only they can repeat themselves enough to make their ideas come true.

That's a strategy that hasn't worked out for them for the last decade.

Comments

  • Reply 1 of 127
    danielsw Posts: 906 member
    What strikes me about Android is its original concept: a pale copy of iOS, but with the intent of it being an advertising tool for Google.
  • Reply 2 of 127
    b9bot Posts: 238 member

    And that's what you get with an "open" operating system. "Open to all to attack you". And Google doing nothing about security updates. Android is left like a bunch of fish bait for the sharks to take a bite out of you.

  • Reply 3 of 127
    lkrupp Posts: 10,557 member
    Quote, originally posted by b9bot:

    And that's what you get with an "open" operating system. "Open to all to attack you". And Google doing nothing about security updates. Android is left like a bunch of fish bait for the sharks to take a bite out of you.

    To be truthful Google IS making and releasing patches but they are not getting to Android owners in any kind of timely manner because of how Google allowed the OEMs and carriers to control updates in the name of ‘open.’ I think only Nexus owners can get patches quickly and directly from Google.

  • Reply 4 of 127
    boc Posts: 72 member
    I simply don't see any way a secure mobile payments system can be used on Android safely by consumers.

    It seems like it is destined to be attacked with new malware vectors daily.

    I simply can't imagine what Eric Schmidt thought was going to work long term with Android being "open" and essentially unresponsive to end user needs.
  • Reply 5 of 127
    "Somewhat ironically, Google even brands Android with a robot logo usually portrayed in the sick color of a sinus infection discharge. "

    Really? Going a little over the top on a Friday, aren't we DED?
  • Reply 6 of 127
    bapple Posts: 1 member

    Oh my, if Apple could just make a lower cost phone like the iPhone 5c that is MUCH more affordable, then that would make all of our lives a whole lot easier. Like $299 without a contract and $49 with a two year, mid-tier plan. 90% of people who buy Android phones are buying it because they are told it's like an iPhone but cheaper. Which is why I don't get why people are mad over the "if it's not an iPhone, it's not an iPhone" campaign. It is basically the only reason iOS marketshare is not number 1.

  • Reply 7 of 127
    plovell Posts: 824 member

    To give credit where credit is due, Microsoft has been supplying security patches for older versions of Windows, stretching much further back than Apple does for OS X versions. People with older hardware (maybe can't afford a new Mac) can't get security patches and are left exposed. I can agree with Apple not adding features to old versions, but it should do more with regard to security updates.

  • Reply 8 of 127
    bugsnw Posts: 717 member

    Apple seems to have the right blend of Open and Proprietary. Given what the security situation is today for everything related to consumers - everything from credit cards to securing your identity - it seems reasonable to keep much of an OS proprietary.

     

    I'm glad Apple has been responsive to security in their products. I'm impressed with fingerprint recognition and their ideas to protect Apple Pay.

     

    Given how determined Apple is to strengthen its security and the nature of its iOS, I don't know why anyone would pick Android. Of course, only people that follow Apple know this. Most people who appreciate cheap Android phones either don't know or don't care (or both).

  • Reply 9 of 127
    >"Somewhat ironically, Google even brands Android with a robot logo usually portrayed in the sick color of a sinus infection discharge. "
    >
    >Really? Going a little over the top on a Friday, aren't we DED?

    Yep, that's exactly where I rolled my eyes and stopped reading.
  • Reply 10 of 127
    tdknox Posts: 82 member
    Quote, originally posted by sog35:

    Why would anyone choose to buy an Android phone over an iPhone?

    You would only get an Android if:

    1. You can't afford an iPhone (this makes the bulk of Android's customers)
    2. You are a tweaker and enjoy messing with writing code and custom ROM's
    3. You need stylus support (Note4)
    4. You just want something different

    I think #1 covers several hundred million Android purchases.

    #2 is a very small slice of the population. Maybe a few million. #3 is probably another few million.

     


    You forgot:

     

    5. "Apple is teh evilz" Linux/Open Source neckbeards who would never, ever, ever buy anything from Apple because "open". This is a lot smaller number of people than they would like to believe.

  • Reply 11 of 127
    mstone Posts: 11,510 member
    Quote, originally posted by bugsnw:

    Apple seems to have the right blend of Open and Proprietary. Given what the security situation is today for everything related to consumers - everything from credit cards to securing your identity - it seems reasonable to keep much of an OS proprietary.


    Proprietary software adds a little bit of security but we all know that 'security by obscurity' is not a sound policy. Take an open source project like Linux. They have thousands of professional programmers from around the world maintaining and contributing to the code base for free. Open source has to be hardened and tested because every line of code is public. The difference is, that the programmers for Linux are passionate and generous. I don't think Android has that much good will. The only people examining it line by line are companies that want to fork it or hackers with malicious intent.

  • Reply 12 of 127
    Quote, originally posted by appletweak:

    "Somewhat ironically, Google even brands Android with a robot logo usually portrayed in the sick color of a sinus infection discharge. "

    Really? Going a little over the top on a Friday, aren't we DED?



    I agree with you.  When he goes over the top like that, it ends up taking attention away from the valid points that he does make :=(

  • Reply 13 of 127
    anantksundaram Posts: 20,403 member
    maxgraphic wrote: »
    >"Somewhat ironically, Google even brands Android with a robot logo usually portrayed in the sick color of a sinus infection discharge. "
    >
    >Really? Going a little over the top on a Friday, aren't we DED?

    Yep, that's exactly where I rolled my eyes and stopped reading.

    As what kind of green would you describe it? 'Spring' green?
  • Reply 14 of 127
    anantksundaram Posts: 20,403 member
    appletweak wrote: »
    "Somewhat ironically, Google even brands Android with a robot logo usually portrayed in the sick color of a sinus infection discharge. "


    Really? Going a little over the top on a Friday, aren't we DED?


    I agree with you.  When he goes over the top like that, it ends up taking attention away from the valid points that he does make :=(

    Really? Do you seriously mean that? Is your attention span truly that poor? (These are honest questions, I am not trying to be snarky).

    Edit: oops...
  • Reply 15 of 127
    geoken Posts: 2 member
    Quote:

    You would only get an Android if:

    1. You can't afford an iPhone (this makes the bulk of Android's customers)
    2. You are a tweaker and enjoy messing with writing code and custom ROM's
    3. You need stylus support (Note4)
    4. You just want something different



     

    I think there are a few subgroups for #1

     

    I can afford an iPhone but that doesn't mean I wouldn't rather get an Nexus 5 for half the price if I think it would be good enough (or possibly be better in many ways).

     

    Also, I might not want to spend the money on the ancillary Apple devices needed to complete the ecosystem. With iOS, you need an Apple computer to gain access to cool things like texting from your desktop computer. With android devices, these abilities are usually cross platform.

  • Reply 16 of 127
    chadbag Posts: 1,999 member
    Quote, originally posted by mstone:

    Proprietary software adds a little bit of security but we all know that 'security by obscurity' is not a sound policy. Take an open source project like Linux. They have thousands of professional programmers from around the world maintaining and contributing to the code base for free. Open source has to be hardened and tested because every line of code is public. The difference is, that the programmers for Linux are passionate and generous. I don't think Android has that much good will. The only people examining it line by line are companies that want to fork it or hackers with malicious intent.




    The actual fact is that most open source software is not any more secure (or less) than proprietary and most OSS does not have thousands of engineers poring over the code looking for deficiencies. There have been malware exploits snuck into OSS and no one found them (for a long time at least). Again, most OSS does not have these millions of eyeballs looking at them, and those that do, how many of those eyeballs spend all their time looking for malware and exploits, and how qualified are these millions of eyeballs to be doing so. Most OSS lacks funding and resources to even improve the software, let alone do regular security audits.

     

    This is not the article I was looking for but alludes to this:

     

    http://www.zdnet.com/article/six-open-source-security-myths-debunked-and-eight-real-challenges-to-consider/

  • Reply 17 of 127
    john.b Posts: 2,742 member

    My biggest knock against Android is that it doesn't allow access to privacy features including location, contacts, cameras/microphones, etc. to be turned off individually to applications.

  • Reply 18 of 127
    Quote, originally posted by anantksundaram:

    Really? Do you seriously mean that? Is your attention span truly that poor? (These are honest questions, I am not trying to be snarky).



    Yeah, I do mean it.  Some of us have larger attention spans than others, but we've all got limits.  I don't come to AppleInsider for snot jokes so it'd be OK with me if DED employed the "focus means saying no" philosophy.

  • Reply 19 of 127
    gatorguy Posts: 24,176 member
    john.b wrote: »
    My biggest knock against Android is that it doesn't allow access to privacy features including location, contacts, cameras/microphones, etc. to be turned off individually to applications.
    http://www.androidcentral.com/app-permissions-are-getting-massive-overhaul-android-m
  • Reply 20 of 127
    john.b Posts: 2,742 member
    Quote, originally posted by Gatorguy:

    Quote, originally posted by John.B:

    My biggest knock against Android is that it doesn't allow access to privacy features including location, contacts, cameras/microphones, etc. to be turned off individually to applications.

    http://www.androidcentral.com/app-permissions-are-getting-massive-overhaul-android-m


     

    That's really a step in the right direction.  Good on them for moving forward on this.
