Google’s Head of Security Claims Android Is As Secure As iOS
The Android operating system, despite its popularity, has had a history of security loopholes, some of which can be attributed to its open source nature and others to plain incompetence. One of the most notable flaws, the Stagefright bug, was discovered in 2015; hackers could exploit it just by sending a text message. The following year, researchers revealed that millions of Android phones were infected with malicious software called HummingBad, which was used to generate bogus ad revenue. And in 2017, documents released by WikiLeaks showed that a certain three-lettered agency had developed malicious software for Android phones.
Lack of security is one of the prime reasons why corporations shy away from using Android devices, but that’s set to change, thanks to Google’s new Android for enterprise program. Google’s head of security for Android, David Kleidermacher, claims that they are working hard on making the platform bug-free. This year’s Android Security Year in Review showcases some of the measures implemented by Google. Without further ado, let’s take a look at them.
Secure devices right out of the box
Due to the sheer number of devices on the market, it is only natural to assume that Android devices are more vulnerable than their Apple counterparts. The problem is worsened by the fact that not every manufacturer has the resources to track new exploits in real time and patch them accordingly.
When someone finds a major Android flaw, Google has to send updated software to all the manufacturers that sell Android phones, who then have to deliver the updates. The process can take a long time, or not happen at all, depending on the manufacturer.
However, the biggest threat to Android devices is the users themselves, as there are few safeguards in place that prevent users from downloading malware on their devices. Here’s where Apple’s watertight environment reigns supreme. Users are restricted to the App Store for their downloads, and security flaws are patched fairly quickly.
To ensure better security, Android is taking an approach different from that of Apple. Instead of imposing restrictions on users, Android phones will be built with security as a top priority, above anything else.
Another effective method of keeping any platform secure is to open it up to the public. Google has aggressively pushed several bug bounty programs, which pay a considerable amount of money if any device-breaking exploits are found. Android’s open source nature makes finding security holes a never-ending competition between hackers and security researchers. Programs such as Pwn2Own incentivize the community to find any security holes and report them to Google before they can be exploited. There is still the risk of flaws being discovered and exploited, but that’s one of the disadvantages of an open-source platform.
More frequent and timely security updates
Barring Pixel and Nexus devices, no other Android device receives critical security updates on time. Even industry giants such as Samsung often fall asleep at the wheel when it comes to delivering regular security updates. The situation is only worse for budget devices made by manufacturers who often lack the resources to push out timely updates.
To stem the bleeding, Google has already come a long way in getting phone makers to provide regular updates, and it’s going to keep improving. The report doesn’t provide an exact number of how many Android devices are getting regular security updates, but it does give an approximate number. “The majority of the deployed devices for over 200 different Android models from over 30 device manufacturers are running a security update from the last 90 days,” the report says. The situation is slightly better than it was in 2016 when Google said that only half of the Android devices received a security update by the end of the year.
Google Play Protect
Google Play Protect has been long overdue, as most users rely exclusively on the Play Store for their apps. Before Play Protect was in place, publishing malware on the Play Store was relatively easy, which resulted in millions of users getting infected. With the Google Play Protect service, Android can scan devices for apps it knows are bad and warn users of the risks. Non-Play Store-based apps can still wreak havoc, but most people who install such apps are aware of the potential consequences.
In 2017, Android stepped in 1.6 billion times and stopped users from downloading “potentially harmful apps,” and also removed nearly 39 million bad apps from users’ phones. These include apps that mirror the way HummingBad worked, generating clicks for advertisers without the user even knowing about it. They also include “hostile downloaders,” which don’t do anything at first but pave the way for the more intrusive portions of the app to be downloaded later.
However, the Play Protect mechanism can only do so much to protect users, as no platform is safe from the biggest security threat of them all, human stupidity.