Google claims Android is "as safe as the competition" despite its outdated install base

Posted in iPhone, edited March 2018
Google's head of Android security David Kleidermacher claimed in an interview that "Android is now as safe as the competition" on the release of the company's 2017 Android Security report, which seeks to reassure users that it is doing everything it can to protect them from malware and exploits. The problem is that Google can't secure the 2 billion Androids it claims as its platform.


Google claims a lot

Kleidermacher's claim, made during a media tour surrounding the release of its Android Security 2017 Year in Review, sounds a lot like one made in 2014 by Google's former chairman Eric Schmidt, who similarly boasted to the media that "our systems are far more secure and encrypted than anyone else, including Apple."

That was not true at the time and remains false today. A large number of Androids don't even support Full Disk Encryption, which has been on by default on iOS for years.

Of course, Schmidt regularly uttered bold pronouncements that turned out to be clear fictions, such as claiming in 2011 that third-party developers would prioritize Android over iOS in 2012 and that the majority of televisions would be running Google TV. Back then, the media uncritically reiterated his claims as if they were factual.

Google is now trying to peddle an alternative reality where Android is super secure, following several years of embarrassing, massive security lapses, wide-scale malware outbreaks, malicious spyware and architectural errors that broke Android's Full Disk Encryption among the subset of devices that could even support it in hardware--all exacerbated by Google's negligent security delegation strategy that inherently put Android users at high risk.

Google Play Protect

In fact, many of the security problems of Android come from Google's notion of "openness" in the loading of mobile software from any source. That's a strong point of differentiation from Apple, which curates App Store titles and works to prevent malicious or dangerous titles from even entering circulation.

While Apple's curation works to prevent toxic sewage from ever entering the water supply, Google's approach for Android is to try to filter out sludge after it notices that it's doing damage, using automated machine learning.

This retroactive security approach of Google Play Protect requires sewage filtration on the device because Google doesn't effectively control the flow of bad Android apps. But having another filtration task running in the background is more work for devices that are already underpowered and suffering from performance and battery life issues.

Yet as Google's latest security report noted, "we recognized that nearly 35 percent of new PHA [malware risk] installations were occurring when a device was offline or had lost network connectivity. As a result, in October 2017, we enabled offline scanning in Play Protect, and have since prevented 10 million more PHA installs." (PHA is Google's euphemism for viruses, malware, spyware and ransomware).


Google Play Protect adds further work to poorly performing Androids


Google noted that it removed 39 million bad titles automatically, so another ten million filtered out on the device means Google Play Protect managed to strain 49 million sewer downloads out of what it was actively delivering to users on Google Play.

The company also stated that "devices that downloaded apps exclusively from Google Play were nine times less likely" to end up with malware, meaning that users who dabbled outside of Google's store experienced a total of 441 million dirty downloads just last year--and Google Play Protect filtered out just 11 percent of them from Google Play.

The elusive Android Security Update

Google's security report next moved to security updates, stating that "we also partner with device manufacturers to make sure that the version of Android running on users' devices is up-to-date and secure. Throughout the year, we worked to improve the process for releasing security updates, and 30 percent more devices received security patches than in 2016."

Any improvement in security patches is great, but it's noteworthy that Google didn't provide any useful numbers to gauge how many users were actually receiving security updates. Last month, SecurityLab profiled mobile OS providers, the length of time it takes them to distribute software patches, and how long they keep delivering them for their models; the results were not flattering for any of Google's Android licensees.

Smartphone security update availability report (February 2018)
Smartphone comparison : Android, iOS, PrivatOS, Windows.#Google #Apple #WindowsPhone #Samsung #Blackphone #FairPhone #Malware #MobileSecurity pic.twitter.com/EzFEP0GWKE

-- SecurityLab (@SecX13)

The rare Android Update

Google and its partners have also been doing a poor job of getting full Android updates to users. Over the first four months since its release, iOS 11 found its way to 65 percent of iOS devices, and only seven percent of Apple's installed base were using something earlier than iOS 10. On Android's side, barely one percent were running Oreo, and only 28 percent were running the iOS 10-era Nougat. Nearly seventy percent of active phones in use were running a version of Android more than two years old.

Google has worked to deliver some feature updates using Google Play Services, a software package it can push to users even on older versions of the Android OS. However, diagnostic testing indicates that this software is unstable and crashed more than any other code on Android devices. There are also a variety of security issues and features that Google Play can't address.

One is encryption. While all iOS devices have shipped with Full Disk Encryption since iOS 8, Google didn't even begin requiring FDE to be active by default until Marshmallow (largely because most Androids were not fast enough to support encryption). Further, this requirement applied only to manufacturers of new devices, not to over-the-air Android updates for existing users, where encryption remained optional.

That means most Android users would need to manually erase and scramble every block on their devices to make sure their data could not be recovered by another user. Most of the people affected by this lapse in security probably don't even know that. On iOS, users can remotely erase a stolen phone or simply do a device reset that securely removes any ability to recover data from it, because the device is encrypted by default.

Another real-world example of the inadequacy of Google's software update policies for Android and the disconnect between supposed updates and real-world impact: graphics. Google added support for OpenGL ES 3.1 in Android 5.0. Today, that should theoretically be available to more than 80 percent of Android users, but Google's figures show that only 18.3 percent of devices actually support it, in large part because Google has no control over the graphics hardware its licensees use, just as it has historically had little control over encryption, the storage of biometric data and other serious aspects of security.

In contrast, Apple has an installed base that is not only automatically encrypted, but fully secured by Touch ID or Face ID, rather than experimenting with cheap fingerprint implementations like Samsung's that stored data insecurely or that featured "face recognition" security theater that didn't work.


Google can claim Android is secure, but it has no control of Android hardware


In parallel, that also means that rather than weakly pushing ahead on graphics standards for years and making little real progress, Apple could develop its own highly-optimized Metal API and very rapidly make it ubiquitous across virtually all of its iOS and Mac users. Support for iOS 11 means support for Metal.

Google advanced a new architecture for Android O intended to make it easier to deploy new updates to existing hardware. Called "Treble," the feature draws a separation between the low-level drivers related to fragmented hardware and the core OS above it. This modular design makes it easier to update higher level Android software across a wider range of devices. However, this requires support from hardware makers to enable Treble on their hardware.

Notably, Google did not support Treble on its own Nexus 5x, 6P or Pixel C, a hint that indicated that it didn't plan to continue supporting its products, even after building the mechanism to do this. If Google doesn't bother to implement its own Treble on the phones it makes for its fans, will third parties bother to do this when the only real difference it would make is possibly preventing a replacement sale?
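The three gaps the article keeps returning to (stale security patch level, Full Disk Encryption left off, and no Treble support) are each visible as a stock Android system property. As an added example that is not part of the article and not Google's own tooling, the script below reads `ro.build.version.security_patch`, `ro.crypto.state` and `ro.treble.enabled` from a `getprop`-style dump and flags a device on any of them. Both property dumps are constructed; on a real handset the input would be `adb shell getprop`. The three-month staleness threshold is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example, not from the article or from Google: a minimal Android
# posture check built on three real system properties. The dumps below are
# constructed; on a device the dump comes from `adb shell getprop`.

# Constructed: a Nougat-era handset with a stale patch, no FDE, no Treble.
STALE_DEVICE='[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2017-06-05]
[ro.crypto.state]: [unencrypted]
[ro.treble.enabled]: [false]'

# Constructed: an Oreo device that passes every check.
CURRENT_DEVICE='[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-03-05]
[ro.crypto.state]: [encrypted]
[ro.treble.enabled]: [true]'

# prop DUMP NAME: print the value of one property from a getprop-style dump.
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# months YYYY-MM-DD: year*12+month, so patch levels can be compared as integers.
months() {
    y=${1%%-*}
    rest=${1#*-}
    m=${rest%%-*}
    m=${m#0}            # strip the leading zero so "08"/"09" are not read as octal
    echo $(( y * 12 + m ))
}

# audit DUMP TODAY: print one line per finding; exit status is the finding count.
# Threshold of 3 months is an assumption for this example, not a Google policy.
audit() {
    dump=$1; today=$2; findings=0

    patch=$(prop "$dump" ro.build.version.security_patch)
    if [ $(( $(months "$today") - $(months "$patch") )) -gt 3 ]; then
        echo "STALE_PATCH: security patch level $patch is older than 3 months"
        findings=$((findings + 1))
    fi

    if [ "$(prop "$dump" ro.crypto.state)" != "encrypted" ]; then
        echo "NO_FDE: userdata partition is not encrypted"
        findings=$((findings + 1))
    fi

    if [ "$(prop "$dump" ro.treble.enabled)" != "true" ]; then
        echo "NO_TREBLE: no vendor/framework split; OS updates depend entirely on the OEM"
        findings=$((findings + 1))
    fi

    return $findings
}

# On a real device: audit "$(adb shell getprop)" "$(date +%F)"
if audit "$STALE_DEVICE" 2018-03-01; then
    echo "clean"
else
    echo "findings: $?"
fi
```

The exit status doubles as a finding count so the function can be folded into a fleet inventory loop; anything non-zero is a device that the article's "up-to-date and secure" claim does not describe.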

4.5M Pixels show how bad the other 2B Androids are

"We've long said it, but it remains truer than ever: Android's openness helps strengthen our security protections," Google's security report stated, seemingly unaware of the fact that Android has been "open" for almost a decade but has also suffered far worse security lapses, architectural flaws and malware infections than iOS.


Google's Pixel shows how bad the rest of Android is in many areas, including security


Google also touted its Android Security Rewards program, which has paid developers millions of dollars to hunt down and report critical vulnerabilities. It then bragged that "at the 2017 Mobile Pwn2Own competition, no exploits successfully compromised the Google Pixel," a phone that has no commercial footprint and no significant user base, and which presumably has already paid for its security vulnerabilities.

What that really indicates is that Google's "Pure Android" Pixel vision of what an Android phone could be--secured and regularly patched by a vendor who cares about its security reputation--is not representative of the other 2 billion Androids that are in actual use around the world.

Comments

  • Reply 1 of 33
    rob53 Posts: 3,241 member
    When was the last news article from the FBI claiming they couldn’t break into an Android-based phone!? I don’t ever remember reading one. To me that means the FBI has no problem breaking in, which means there is zero security. Companies are claiming they can break into new iPhones but none are willing to document what was actually found so not sure they actually did. 
  • Reply 2 of 33
    racerhomie3 Posts: 1,264 member
    Android & secured. You must be joking. Android itself is Google malware. Reporting everything you do on your phone to Google.
  • Reply 3 of 33
    roake Posts: 809 member
    Android secures Google’s influx of private user data, but that’s about it.
  • Reply 4 of 33
    lkrupp Posts: 10,557 member
    I’m sure our resident Google sycophant will be along shortly to rebut this nonsense.  >:)
  • Reply 5 of 33
    gatorguy Posts: 24,176 member
    Google's Android may well be just as secure as iOS, in fact the article author appears to admit as much, but the ecosystem as a whole still has a ways to go. 

    The author presumably does not really understand what Project Treble is tho or he(she) would know why the old Nexus phones and Pixel C cannot be made compatible with it. 
    edited March 2018
  • Reply 6 of 33
    fallenjt Posts: 4,053 member
    Android and secure? These two never go together.
  • Reply 7 of 33
    Wait, I got this. In the past Android prevented few installs of PHA and now this last year they prevented 10 million installs. That is a very high rate of growth; if you extrapolate that rate of growth out over a forever timeline then Android will eventually be blocking an infinite amount of PHA, so essentially they have already won this race. Look, I am not dissing Apple and propping up Android with strawman arguments; Apple can’t top infinity exponential growth, that’s science.
    edited March 2018
  • Reply 8 of 33
    kruegdude Posts: 340 member
    Wait, I got this. In the past Android prevented few installs of PHA and now this last year they prevented 10 million installs. That is a very high rate of growth; if you extrapolate that rate of growth out over a forever timeline then Android will eventually be blocking an infinite amount of PHA, so essentially they have already won this race. Look, I am not dissing Apple and propping up Android with strawman arguments; Apple can’t top infinity exponential growth, that’s science.
    It seems your assumption of infinite growth is the very definition of a Straw Man.  
  • Reply 9 of 33
    lkrupp said:
    I’m sure our resident Google sycophant will be along shortly to rebut this nonsense.  >:)

    But I remember you yourself asking the question once - whether the security concerns on Android are really valid?

    Edit: I was able to find out the exact article.

    https://forums.appleinsider.com/discussion/200162/google-io17-android-deployment-rate-continues-to-slip-backward/p1

    Comment made:

    Yet we don’t hear much about Android users getting pwned do we? When have we heard about a WannaCry style attack on Android users that resulted in carnage? Plenty of reports about this or that vulnerability that could result in such an attack but nothing major has actually happened. Look, I’m a rabid iOS fanboy but even I can understand that a lot of this security and vulnerability FUD about Android just hasn’t happened... yet. Same goes for iOS.

    edited March 2018
  • Reply 10 of 33
    gatorguy said:
    Google's Android may well be just as secure as iOS, in fact the article author appears to admit as much, but the ecosystem as a whole still has a ways to go. 

    The author presumably does not really understand what Project Treble is tho or he(she) would know why the old Nexus phones and Pixel C cannot be made compatible with it. 
    The article does not even hint at "appearing to admit" your bizarre postulation that "may-be" Android is just as secure as iOS. 

    The Android kernel is bad.
    The HAL is bad (which is what Treble is trying to address almost a decade late).
    The runtime is bad.
    Every architecture of Android is generally pretty awful, to the point where its security lapses are not even a surprise.
    Third party code is really bad. 
    Android is like Windows without any adults running things. 

    The reason Google's "old" Nexus phones (that shipped alongside iPhone 6s!) aren't getting future support is entirely Google's fault and choice. It's choosing not to support them because they didn't sell enough of them to matter, not because Google can't engineer a solution. New phones that ship with Oreo are supposed to support Treble but as we know from many years of history: new Androids don't ship with the latest OS. And just because there is some intention of improving things doesn't mean it will actually improve in the intended period. Being able to support Treble doesn't mean those phones will actually get updates, it just means that it could be easier for that to happen.

    Everything you say doesn't have to be inaccurate so please work on being less devious.
  • Reply 11 of 33
    gatorguy Posts: 24,176 member
    @DanielEran Yes you alluded to it:
    "What that really indicates is that Google's "Pure Android" Pixel vision of what an Android phone could be--secured and regularly patched by a vendor who cares about its security reputation--is not representative of the other 2 billion Androids that are in actual use around the world."
    What's amazingly silly in your response to me is that I parroted the exact same thing you said using different but very similar phrasing and you want to argue with it?

    Anyway your saying "bad" multiple times does not make it so any more than all the fear and trepidation that some authors promoted with scare stories about WannaCry, and Stagefright and Quadrooter and probably a handful of other horrible Android exploits destined to infect every Android handset that in truth affected no one at all (Stagefright) to very, very, VERY few (Quadrooter). 

    And yes I stand by my claim that you don't truly understand what Treble is since there is not "engineering" of old already manufactured hardware that could make it compatible, or you do already understand why old hardware is incompatible but it just doesn't fit with your strategy to admit to it. As I think you're probably a basically honest person I'll go with the former. 

    Now as for the effectiveness of Treble? I'm not convinced it will be any more successful than some of their previous efforts at "encouraging" partners to better support their users, and they've come up with a plethora of failed ways so far. Don't mix the failure of OEM's to push out updates with the relative security of Android the OS. Those are two separate issues (as I have zero doubt you understand) even if related. 
    edited March 2018
  • Reply 12 of 33
    mac_dog Posts: 1,069 member
    Getting the popcorn ready…
  • Reply 13 of 33
    hexclock Posts: 1,243 member
    Wait, I got this. In the past Android prevented few installs of PHA and now this last year they prevented 10 million installs. That is a very high rate of growth; if you extrapolate that rate of growth out over a forever timeline then Android will eventually be blocking an infinite amount of PHA, so essentially they have already won this race. Look, I am not dissing Apple and propping up Android with strawman arguments; Apple can’t top infinity exponential growth, that’s science.
    I think you need to read up on the both the concepts of infinity AND exponential growth. 
  • Reply 14 of 33
    magman1979 Posts: 1,292 member
    gatorguy said:
    @DanielEran Yes you alluded to it:
    "What that really indicates is that Google's "Pure Android" Pixel vision of what an Android phone could be--secured and regularly patched by a vendor who cares about its security reputation--is not representative of the other 2 billion Androids that are in actual use around the world."
    What's amazingly silly in your response to me is that I parroted the exact same thing you said using different but very similar phrasing and you want to argue with it?

    Anyway your saying "bad" multiple times does not make it so any more than all the fear and trepidation that some authors promoted with scare stories about WannaCry, and Stagefright and Quadrooter and probably a handful of other horrible Android exploits destined to infect every Android handset that in truth affected no one at all (Stagefright) to very, very, VERY few (Quadrooter). 

    And yes I stand by my claim that you don't truly understand what Treble is since there is not "engineering" of old already manufactured hardware that could make it compatible, or you do already understand why old hardware is incompatible but it just doesn't fit with your strategy to admit to it. As I think you're probably a basically honest person I'll go with the former. 

    Now as for the effectiveness of Treble? I'm not convinced it will be any more successful than some of their previous efforts at "encouraging" partners to better support their users, and they've come up with a plethora of failed ways so far. Don't mix the failure of OEM's to push out updates with the relative security of Android the OS. Those are two separate issues (as I have zero doubt you understand) even if related. 
    Hey Mr. Google Apologist, we all know you have nothing better to do with your time than to come and twist reality in any way, shape or form that is possible to put Android into a better light than the steaming pile of shit it actually is, but NOTHING that DED said in his response to you, with perhaps the exception of the point about Pure Android being possibly as secure as iOS, is incorrect or hyperbole.

    WannaCry didn't target Android, it targeted Windows, sorry to burst your bubble... And Stagefright and Quadrooter were almost impossible to detect by most of the useless A/V apps for Android, and most of the time they'd just cause the device to crash anyway, so people just relate the crash to a bad device and MOST don't even realize they got hacked, so please save us the bullshit that this doesn't really affect anyone!

    I'm so sick of your Google PR bullshit, and am stunned how this site allows you to continue spreading all the BS and lies you spew out in defence of Google and their steaming piles of shit software and services.
  • Reply 15 of 33
    lkrupp said:
    I’m sure our resident Google sycophant will be along shortly to rebut this nonsense.  >:)
    LOL. He’s right on time.
  • Reply 16 of 33
    gatorguy Posts: 24,176 member
    gatorguy said:
    @DanielEran Yes you alluded to it:
    "What that really indicates is that Google's "Pure Android" Pixel vision of what an Android phone could be--secured and regularly patched by a vendor who cares about its security reputation--is not representative of the other 2 billion Androids that are in actual use around the world."
    What's amazingly silly in your response to me is that I parroted the exact same thing you said using different but very similar phrasing and you want to argue with it?

    Anyway your saying "bad" multiple times does not make it so any more than all the fear and trepidation that some authors promoted with scare stories about WannaCry, and Stagefright and Quadrooter and probably a handful of other horrible Android exploits destined to infect every Android handset that in truth affected no one at all (Stagefright) to very, very, VERY few (Quadrooter). 

    And yes I stand by my claim that you don't truly understand what Treble is since there is not "engineering" of old already manufactured hardware that could make it compatible, or you do already understand why old hardware is incompatible but it just doesn't fit with your strategy to admit to it. As I think you're probably a basically honest person I'll go with the former. 

    Now as for the effectiveness of Treble? I'm not convinced it will be any more successful than some of their previous efforts at "encouraging" partners to better support their users, and they've come up with a plethora of failed ways so far. Don't mix the failure of OEM's to push out updates with the relative security of Android the OS. Those are two separate issues (as I have zero doubt you understand) even if related. 
    ...we all know you have nothing better to do with your time than to come and twist reality in any way, shape or form that is possible to put Android into a better light than the steaming pile of shit it actually is...

    Stagefright and Quadrooter were almost impossible to detect by most of the useless A/V apps for Android, and most of the time they'd just cause the device to crash anyway, so people just relate the crash to a bad device and MOST don't even realize they got hacked, so please save us the bullshit that this doesn't really affect anyone!

    I'm so sick of your Google PR bullshit, and am stunned how this site allows you to continue spreading all the BS and lies you spew out ...
    If it was lies they wouldn't, and if it was lies you should easily find facts to dispute stuff I post instead of having nothing more than ad-homs and vulgarities to lob in my direction. Anyone could do what you did, it requires no thought at all. Heck, my 16  17-year old nephew is great at it. 

    ...but if you can find evidence of a single instance of Stagefright infecting any Google Android device in the wild I'll be the first to tell you I was wrong, instead of you are wrong. Should I wait for evidence that you weren't the one writing BS? 
    edited March 2018
  • Reply 17 of 33
    sfolax Posts: 49 member
    Google is not really responsible for the outdated base if they didn't manufacture them.

    Why not blame the device manufacturers and cellphone companies that insist on adding their bloatware, and forget about a device 6 months after launch to focus on the next one.
  • Reply 18 of 33
    foggyhill Posts: 4,767 member
    lkrupp said:
    I’m sure our resident Google sycophant will be along shortly to rebut this nonsense.  >:)

    But I remember you yourself asking the question once - whether the security concerns on Android are really valid?

    Edit: I was able to find out the exact article.

    https://forums.appleinsider.com/discussion/200162/google-io17-android-deployment-rate-continues-to-slip-backward/p1

    Comment made:

    Yet we don’t hear much about Android users getting pwned do we? When have we heard about a WannaCry style attack on Android users that resulted in carnage? Plenty of reports about this or that vulnerability that could result in such an attack but nothing major has actually happened. Look, I’m a rabid iOS fanboy but even I can understand that a lot of this security and vulnerability FUD about Android just hasn’t happened... yet. Same goes for iOS.

    Right... IOS fanboy, you're fracking no such thing buddy, 70% of fracking Android versions I can "hack" (not really hack, it's so damn easy) in my sleep, but hey, no apocalypse... Why, because no one who gives a shit about security owns anything Android. Hard to complain when you don't give a shit.

    Do you get the god damn FBI constantly complaining about Android security.. No, because there is none.
    The crooks know it, the cops know it, the businessmen who want their shit not leaked know it, etc., etc.

    When you put a sign saying kick me on your back, you don't complain when you get kicked. Maybe Android users are in fact lucid and simply don't give a crap about the insecurity of the platform and are in fact ready to accept that: good for them... if they made this choice with a clear mind.
    edited March 2018
  • Reply 19 of 33
    gatorguy Posts: 24,176 member
    lkrupp said:
    I’m sure our resident Google sycophant will be along shortly to rebut this nonsense.  >:)
    LOL. He’s right on time.
    Well he DID light up the Bat Signal... :)
  • Reply 20 of 33
    brakken Posts: 687 member
    Wait, I got this. In the past Android prevented few installs of PHA and now this last year they prevented 10 million installs. That is a very high rate of growth; if you extrapolate that rate of growth out over a forever timeline then Android will eventually be blocking an infinite amount of PHA, so essentially they have already won this race. Look, I am not dissing Apple and propping up Android with strawman arguments; Apple can’t top infinity exponential growth, that’s science.
    And here I was, all ready to make some devastatingly ironic comment about Orwell calling to get his book back, but you beat me to it!
    Completely agree! Apple can never have the security of Android now!