Google Security Engineer Claims Android Is Now As Secure As the iPhone (vice.com)
An anonymous reader quotes a report from Motherboard: It's a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees -- but of course he would. "For almost all threat models," Adrian Ludwig, the director of security at Android, said, referring to the level of security needed by most people, "they are nearly identical in terms of their platform-level capabilities." In a short interview after a talk at a security conference in Manhattan on Tuesday, Ludwig said that, "for sure," there's no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though. "In the long term, the open ecosystem of Android is going to put it in a much better place," he said, without mentioning that Android has already been around for more than eight years at this point. During his talk at the O'Reilly Security Conference, Ludwig said that Android's built-in security product called "Safety Net" scans 400 million devices per day and checks a stunning 6 billion apps per day. The result of these security checks, coupled with the exploit mitigation measures baked into Android, means that a really small number of Android devices have malware or, as Google calls it, "Potentially Harmful Applications" or PHAs, according to Ludwig. In fact, Ludwig said, showing a graph, less than 1% of Android smartphones contain malware.
I just came here to see some heads explode.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
when Google defends a lawsuit to open up a phone due to -reasons-.
"We're as good as the other guy"
is a mighty low bar.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
"Less than 1% of Android phones have malware". Less than 140 million Android phones have malware.
if you are really paranoid, you should probably use an iPhone, and not Android
wrong! if you are really paranoid, you shouldn't carry around something that could easily be described as the most sophisticated surveillance device that man has ever created.
Anons need not reply. Questions end with a question mark.
Biased?
Eh, it's not so much that Android is great, but that security is very, very hard. The iPhone has had some very serious exploits in the last 18 months, same as Android. But Android's update model leaves many in the dust and unpatched.
My work has de-authed iPhones from their work network until updates were applied multiple times this year. It's a serious concern. I can only imagine how long we would be de-authed for a 3-year old Android phone waiting for a security patch.
I have an Android (Nexus) personal phone and a work iPhone, and based upon critical advisories of active exploits I would say that they are roughly the same. But my 3+ year old iPhone is still getting security updates pretty regularly. I went to Nexus for that feature, but still only get them for 2-3 years max.
Speaking as a long time Android fan who recently switched to iOS because work provided me an iPhone 7, this is only true if you actually get updates. And the vast majority of Android users do not. So when they get a vulnerability found in their Samsung/HTC/Whatever device - chances are it will never get patched.
I had a Google Nexus 6P as my previous device (it's still on my desk in fact) and while I loved the device, updates were not as promised. Despite it being a Nexus, I was still beholden to my Telco for updates and they dragged their feet like mad. In fact, when I last turned off the Nexus 6P, the Nougat update was still not available (unless you manually enrol in the beta program, which I did, but then I had all kinds of issues with the Telco's LTE). So even on a damn Nexus, updates are hardly assured.
I fully realise older iPhones stop getting updates, too - but we're talking about a Nexus 6P here - the thing hasn't even been available for a year in Australia yet and Google and Telstra have already washed their hands of it. I also realise Google may / may not be responsible for the issues with Telstra's LTE on the Nexus 6P - but rest assured, if the iPhone has an issue, Telstra sits up and takes notice. When I first got my Nexus 6P, I spent the first 2 months locked to 3G because LTE wasn't supported at all on. (Source, in case you think I am making this up: https://crowdsupport.telstra.c...).
Doesn't the Google stuff on your Android steal your data anyways?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Can the FBI, NSA, hacker have any access, the same level of access as the owner and god forbid more access than the owner of the phone?
The only real security is the ability not to send or receive anything on the phone. One must be wary of even the beeps emitted meaning something to someone who could decode it as something you are currently doing - even the bright flashes reflecting off your face as you use the user interface display panel.
So the ultimate security is to not even turn it on!
And, by implication if it is now as secure as the iPhone, then until recently it wasn't?
Specialist Mac support for creative pros, Melbourne
Until all the Android phones still in the wild (regardless of age) get patched for the Dirty COW vulnerability, how can anyone reasonably say they're "as secure as" anything other than Goatse guy's rectum?
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
Sounds like the best way to start improving Android security will be to pick a new director of security.
You do know that Apple was doing everything REQUIRED BY LAW to help, but in the end were unable to because Apple also designed the systems so even they could not get at data that the user did not want them to?
So, um, yeah. Believe what you like but in real life data you choose to keep on your phone stays private - if you have an iPhone.
Androids of course are rooted all the time so police can get anything they like from them easily.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Two of its biggest and most patriotic brands can now collect it all.
NSA Can Access More Phone Data Than Ever (Oct 20, 2016)
http://abcnews.go.com/US/nsa-p...
"...the percentage of available records has shot up from 30 percent to virtually 100. Rather than one internal, incomplete database, the NSA can now query any of several complete ones."
Domestic spying is now "Benign Information Gathering"
Apple must be getting its share of malware now.
Android's built-in obsolescence enforcement product called "Safety Net"
Safety Net is simply a part of the Obsolescence Enforcement Suite, which automatically makes devices incompatible, even if a certain platform would work with third-party ROMs or lets the user have their way. Your device can literally be told to "stop working" with it.
In the long term, the open ecosystem of Android is going to put it in a much better place
With SafetyNet, it's not open.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Security is always a moving target. While it's possible your leading edge phone is as secure as the leading iPhone, what matters to security is how many people are running an older OS. Androids are always going to be running non-updatable OS just because of the business model. So in terms of numbers of exploitable phones, swaths of the Android ecosystem will be less secure than Apple ecosystem.
Some drink at the fountain of knowledge. Others just gargle.
Security engineers at Google love to ignore the full life cycle of a phone.
My mom got an iPhone 5 in December of 2012 and it still can be updated to the latest iOS 10. If she had gotten a Nexus 4 offered by Google at the same time, the latest version of Android that Google would officially offer her is Android v5 (Lollipop). Is Adrian Ludwig willing to make a claim that an up to date Nexus 4 is more secure than an up to date iPhone 5?
When claiming a Pixel will be just as secure as an iPhone, the engineer should be willing to discuss the *FULL* life cycle. If my mom selects this December between a Pixel for $650 or an iPhone 6S for $550, which is going to continue to be secure when my mom wants to continue using it in 2019? Based on Google's 2-year end of life on the Nexus 5X and 6P, it seems that the Pixel will stop getting Android updates before 2019. On the other hand, the iPhone 6S which was released a year ago is more likely to continue to get updates in 2019 than the more expensive Pixel just released! How can Adrian Ludwig justify this as being a product that is just as secure? If Google wants to make such claims, they need to adjust their EoL policy to match Apple's.
Seriously, Thanks Google, but we've been told that Android phones don't have a security problem in the first place, so how can they be as safe as iPhones now if they never had a problem?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
As long as it's off it's as secure as an iPhone. Once you turn it on, though, all bets are off.
There's a whole mix of stuff being talked about there, and one is not equal to the other.
For instance, Google Pixel cannot be generalized to the overall Android experience, not by far. It's probably not even the 0.0001% of Android devices.
The reality of Android as a whole is that it's extremely fragmented, and the absolute majority of it is not on Nougat, let alone being the same as Google Pixel.
As device encryption remains an optional step for most of these devices, most of them are not using it, so threat models be damned.
Not to mention how the vast majority of Android devices uses all sorts of custom versions coming from all sorts of companies in all possible states of vulnerabilities and expected update dates. Even Windows is better than that. Android pretty much represents one of the worst possible fragmentation scenarios.
You have all sorts of cheap generic tablets that I'm almost certain come from the factory with included malware, vulnerabilities, rootkits and backdoors installed. This is serious. I tested a cheap generic tablet just a few months ago (Multilaser was the brand on top of it if I'm not mistaken, but you can find the exact same tablet with several other brand names) that had very suspicious stuff pre-installed. It was impossible to uninstall it, so I rooted the damn thing to do it. And then the device factory reset itself when I managed to remove the offending apps, every time.
In general, there's still far more chances of you finding an Android phone/tablet that is either completely open or easy to crack because it has an outdated system or has not been properly locked by its owner, in comparison with iPhone in general.
And sure, Android has the advantage of being an open OS versus the extremely closed iOS - the standard defense for open source software which I do understand. But hoping that this will somehow count as a huge security advantage for the future of Android is quite frankly naive and kinda stupid in itself, especially for cases like Android vs iOS.
The open nature of Android might allow for better scrutiny of it in some instances, but much more, it allows for all sorts of shady companies to make their own Android versions however they feel like doing it... and as more shady businesses adopt that strategy to spy and take advantage of less knowledgeable customers, the more difficult it gets for a conscious community to take note of it.
As long as Apple keeps getting as much money as they do from regular users to the loyal fanbase, they can just spend that much more money to close security holes and whatnot. One company developing both software and hardware while keeping a stance on security and privacy also makes it much more reliable. Things would have to change quite drastically for Android to ever be as secure and private as iOS. It's just the reality of it.
You only have to think about it a bit more. Apple will always be able to push updates faster, they will always be able to implement security functions for most of their userbase in a timely manner (excluding those with devices that are too old), they are always better able to convince more users to buy their latest devices. Community wise, you will always have more reach... if one knowledgeable customer finds a security hole, it'll affect almost the entire userbase, so it just makes far more sense for Apple to fix it.
In the grand scheme of security and privacy stuff, again for this particular case, the open source argument is minor in comparison to the whole.
And I'm talking all this while being an Android user, not wanting to touch an iPhone with a 10 foot pole. It is what it is.
See, this doesn't mean that I'm switching to iOS anytime soon. But to say Android as a whole is anywhere near as secure as iPhones is just delusional.
In order to use just about any Android app, you have to give it permission to root around in all your personal information, the personal information of all your friends and relatives, your tax records, your religion, whether your teenage kids are virgins and what brand of cat food the old lady down the street has to have for breakfast because the drug company just doubled the price of her meds.
Google just doesn't want anybody else getting hold of all that lovely data.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
There might be a super-duper secure, non-spyware version of Windows floating around in a Microsoft lab, but if no one gets to use it, it doesn't count. Same here.
Dewey, what part of this looks like authorities should be involved?
I use an iPhone, because 1) having used both OSes I prefer iOS to Android; and 2) I prefer to opt out of being part of Google's business model as much as is practical. But I'm aware others can legitimately hold opposite opinions.
In any case, the bottom line is - it seems pretty obvious that the race to ever-more-secure phones benefits all of us, no matter what platform we choose.
#DeleteChrome
at "Google Security Engineer"
Apparently Google has security now? Who knew.
If what you truly want is security I would not be using either. Android and iOS both trade off various levels of security over functionality and convenience, not really unreasonable since they are aimed at consumers but if your primary goal is security I would not touch either with a 40 foot pole.
You mean my year old Nexus 5 that Google stopped releasing updates for months ago is as secure as a year old iPhone?
STFU and stick your spyware-laden Android phone up your ass.
... that their new movie is as good as "Manos Hands of Fate", or speaking English as good as "Günther Öttinger".
Seriously, _all_ mobile operating systems are shit when it comes to security. Android has the theoretical advantage that you can root it and hypothetically install iptables. That's not a lot, but it can help you to make sure your device only tries to talk to your server and not other servers.
Safety net DOWNLOADS AND RUNS CODE.
https://koz.io/inside-safetyne...
Yea, it can catch those viruses. You know what's better than downloading and executing remote code to catch your malware? NOT HAVING A FUCKING VIRUS IN THE FIRST PLACE!
It's already been used to shut down many applications on rooted phones. Effectively, rooting your phone is a lot like jailbreaking now, and will become moreso soon- technically allowed, but you are in a little ghetto for doing it.
This is only security by certain definitions. It is most definitely not privacy.
Indeed. Mentioning Safety Net and Android being an "open ecosystem" at the same time is ridiculous. Google's main use of Safety Net so far seems to be just to discourage people from running custom ROMs and instead force them to buy a new device.
Maybe right now, but give it two years and then let's check back in on that claim...
Avantslash - View Slashdot cleanly on your mobile phone.
Dirty COW?
Aside from the fact that millions of Android apps contain native code which is very hard to find malware in and now we have a wonderful Dirty Cow vulnerability which affects almost 100% of Android devices, which means a new update or install from Google Play will automatically p0wn your device for good and will probably install an undetectable/unerasable rootkit.
I'd love to think that Android is secure but Google chose to use the Linux kernel which doesn't fare that well vs. microkernels like QNX. Call me crazy but I believe the QNX kernel would have been a much better choice for Android.
That's roughly translating what he says.
yeah :]
Tip to get into any locked Google device -
talk your friend into saying the word OK and Google in a recording, piece it together.
http://www.csoonline.com/article/3137533/security/ok-google-two-words-to-describe-the-security-trade-off-on-googles-pixel.html#tk.twt_cso
I suppose you could argue that the current Android release is more secure. But the nature of the ecosystem and apps system is really the issue here.
Personally, if you stay within the parameters of using a current Android OS and only install reputable apps from the Google store, you're probably pretty safe in assuming that Android is safe. Is it as safe as iOS on a modern Apple device? Probably not, but we're talking Apples vs Oranges on how these ecosystems work.
My POSIX compliant Unix clone is better than your POSIX compliant Unix clone!
Such bald-faced lies? Oh, that's right, Google is our government now. This isn't NewSpeak, it's red China or North Korean level shit. I implore people not to take the bait.
9.5-ish or so, but makes for a more dramatic headline.
Google is doing its best to piss off its Android partners lately, which can't be good for the long-term viability. Yeah, they all deserve to be slapped for the half-assed job they do supporting their phones, but Google knew that full well going in.
Since the FBI can access any iPhone now, Android needs to be more secure.
This guy's title, "director of security," means he's in charge of the future of Android security.
Optimism is fashionable among wealthy monopsonies now, but it's toxic to security. I hope Android is walled off within Google, and that this thinking doesn't spread to other parts of Google like ChromeOS or their production environment.
The sad part is, if you're good at deluding yourself, you'll be much better at misleading others. His statements will probably convince users, even among the so-called "security community" that should know better.
What's the sense or use of making such an assertion when most of the Android phone OEMs do not appear to update their phones to incorporate the improvements?
Android will never be as secure as iPhone for one simple reason, namely that Android does not have a bureau certifying and censoring all apps. And that's exactly the reason why Android is and always will be infinitely better than iPhone.
0x or or snor perron?!
Pretty much every security expert agrees that Apple COULD have gotten into that iPhone, had they wanted to.
In fact pretty much no security expert says that, including myself. Stop being an idiot... but then you are AC, so I guess THAT'S hopeless.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
In my calendar it is still November...
Let's pick on Android's media player. Previous commentary from Jean-Baptiste Kempf, VideoLAN President and Lead VLC Developer:
The Android Zygote process links in Stagefright, and runs as root. Stagefright should be running in a chroot() as an unprivileged user.
THIS DESIGN CAN NEVER BE SECURE.
OK, fine, "abandoned with no updates" is technically false, but so what? You are claiming some kind of security superiority over one update? A single update??
The real world experience of computing devices on the internet is that patching is a constant process with no notional beginning or end. You patch for the entire life of the device. And patches must come in some sort of reliable stream as security flaws are found, and in direct response to finding those flaws. There must be a closed loop of arbitrarily small duration, between finding the vulnerability and closing it.
In this context, a single device update, or even a half-dozen device updates, is trivial and on the verge of useless. Not "technically useless", just "ineffective at securing the device" useless. Which, if you will note, is the entire point of this kind of activity.