Slashdot Mirror
Google: Less Than One Percent of Android Devices Are Affected By Harmful Apps
jfruh writes: One of the selling points of iOS is that its more restrictive nature makes it more secure. But even though it's easier for users to accidentally install malicious apps on Android, data collected by Google (PDF) indicates that less than one percent of Android users have actually done so. Quoting: "During October 2014, the lowest level of device hygiene was 99.5% and the highest level was 99.65%, so less than 0.5% of devices had a Potentially Harmful Application (PHA) installed (excluding non-malicious Rooting apps). During that same time period, approximately 0.25% of devices had a non-malicious Rooting application installed. ... Worldwide, excluding non-malicious Rooting applications, PHAs are installed on less than 0.1% of devices that install applications only from Google Play. Non-rooting PHAs are installed on approximately 0.7% of devices that are configured to permit installation from outside of Google Play. Additionally, the second graph shows devices with any PHA (including Rooting applications). Rooting applications are installed on about 0.5% of devices that allow sideloading of applications from outside of Google Play."
According to Apple, iOS users are more virile, and have love-making stamina for hours.
According the Microsoft, Windows Phone users are endowed with the power of invisibility, which is why they are so elusive.
Even in F-Droid, over half the apps want to read my device ID and permission to record all my calls and contacts, and less than 1% have a legit reason for that info. The vast majority of apps in their walled garden don't actually need any special permissions at all to do whatever the app does, or maybe 1 permission. Find an app that has only the permission it needs. Good luck, hope you ate a big breakfast before you started searching.
How is tracking me with nothing given in return not "harmful?" My privacy has value to me, surely. The claim that there is no harm relies on the known lie that my privacy has no value to me.
The honest truth is that they think less than 1% of android apps do harm that doesn't benefit google . That is actually a different thing than what they're saying, though. So I call lie .
the great Short Attention Span Company(tm) EOLs phones like there's no tomorrow. my older google phone is stuck at android 2.x and will never get updates. I don't care about features, but I'd like kernel, ip-stack and some onboard apps to have fixes for security.
it won't ever happen. we don't really own our phones. and we are suppose to keep landfilling perfectly fine hardware - to keep the monsters in high profit.
even if I ran no apps at all, the os is buggy and full of weaknesses. I'm sure I could be attacked with an old 2.2 android os, probably in just a few minutes time.
this is why I hate phones and have zero interest in spending more money and time on this crap. the ceo's might have gotton it right: use dumb feature phones and be more secure!
--
"It is now safe to switch off your computer."
Even .1% of a billion devices, is still a lot of devices affected. Even that is still a very conservative number: lowest rate listed and a very small number of devices. This says there are ~1.6 billion phones (http://www.statisticbrain.com/android-phone-statistics/), which doesn't include tablets or any other devices. So percent-wise .1% sounds great... but numbers-wise I hope they get that percent even smaller ;) Just saying...
"Waah! I don't like teh Appul! It's teh gay!!11111!1" (Self-entitled smirk) (Gets modded up by other smug, self-entitled Slashdotters)
If Google or Apple talk stats about their ecosystem, take it with a giant grain of salt.
It's pure marketing BS.
Take it with a grain of salt, sure, that's wise. However, there's nothing marketing-related about the numbers in the report. These numbers are snapshots of the data the Android anti-malware team uses internally to assess its effectiveness. The numbers are not fudged, and what they show is that while there are issues, Google's anti-malware team is making solid progress and the current state of the ecosystem is actually not too bad. There are some caveats (called out in the report) around the fact that the numbers describe the prevalence of known potentially-harmful apps. The charts get revised retroactively when new PHAs are discovered but snapshots in reports are static. Still, I think the numbers are quite reliable.
Note that I'm a member of the Android security team, and my manager is the primary author of the report and blog post, though I work on platform crypto features, not anti-malware.
At worst, the numbers in the report represent the ways in with the Android team fools itself about the state of ecosystem security. At best they're an accurate and nuanced reflection of the state of the ecosystem. The truth is somewhere in between, but I think it's far, far closer to the latter than the former. What the numbers definitely are not is anything cooked up specifically for the public.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
95% of the brand A cars build in the last 10 years are still one road, does not mean brand A cars have a 95% chance of lasting 10 years. Only 10% of the cars built over the last 10 years is likely to be 10 years old. So they could be talking of just 50-50 chance of their cars lasting 10 years.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Even in F-Droid, over half the apps want to read my device ID and permission to record all my calls and contacts, and less than 1% have a legit reason for that info.
(I'm a member of Google's Android security team.)
This is a valid issue, but separate from what the report is attempting to address. Well, not entirely separate, because the Android security team does in some cases classify apps that request excessive permissions as potentially-harmful, but only when there's evidence that the apps are actually trying to abuse the user.
Note that I'm not trying to downplay the issue of apps that request more permissions than they need. I think (based on lots of evidence) that in most cases this is more an artifact of developer laziness than malice; they aren't sure exactly what they need and definitely don't know what they're going to need in the future and so find it easier to ask for the world. This is a problem the Android security team recognizes and is working to address, in various ways that I can't go into.
How is tracking me with nothing given in return not "harmful?" My privacy has value to me, surely. The claim that there is no harm relies on the known lie that my privacy has no value to me.
Actually, Google specifically assumes that your privacy does have value to you, and that you should be able to decide what you'll trade it for.
The honest truth is that they think less than 1% of android apps do harm that doesn't benefit google.
Benefit to Google, or lack thereof, is completely irrelevant to the Android security team's decision to classify an app as potentially harmful or not. In general, the Android security team treats the rest of Google as just another app developer and online service provider. It's not our job to enable their revenue streams. Granted that we recognize that those revenue streams pay our salaries, but in the long run treating users well is what will enable Google to continue making money and paying our salaries.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Take a look at the permissions your average (free) flashlight app requests then reconsider your definition of harmful.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Actually, Google specifically assumes that your privacy does have value to you, and that you should be able to decide what you'll trade it for.
So when are you going to give us the ability to disable permissions on a per-app basis? You know, like you added to the OS a few revisions back, then took away again?
This is the biggest single reason I recommend people not to buy Android these days if they ask. I'm sick of apps asking for all kinds of permissions that I don't want to give them, and not having any way to block them.
I recently moved back to an iPhone, after a few years on Android. It is so very nice to be able to update my apps, and not have to review all of the extra permissions that every app is requesting. And not having to manage the permissions in appops/xprivacy.
Actually, Google specifically assumes that your privacy does have value to you, and that you should be able to decide what you'll trade it for.
Of course, then there's THIS .