Google Security Engineer Claims Android Is Now As Secure As the iPhone

An anonymous reader quotes a report from Motherboard: It's a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees -- but of course he would. "For almost all threat models," Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, "they are nearly identical in terms of their platform-level capabilities." In a short interview after a talk at a security conference in Manhattan on Tuesday the talk, Ludwig said that, "for sure," there's no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though. "In the long term, the open ecosystem of Android is going to put it in a much better place," he said, without mentioning that Android has already been around for more than eight years at this point. During his talk at the O'Reilly Security Conference Ludwig said that Android's built-in security product called "Safety Net" scans 400 million devices per day and checks a stunning 6 billions apps per day. The result of these security checks, coupled with the exploit mitigation measures baked into Android, mean that a really small number of Android devices has malware or, as Google calls it, "Potentially Harmful Applications" or PHAs, according to Ludwig. In fact, Ludwig said showing a graph, less than 1% of Android smartphone contain malware.

Re:Secure against who?

Location sniffing, local Wifi SSIDs sniffing, it assigns a unique ID to each phone used to track for adverts (and the id is still sent even if you opt out of user specific ads). And their new Privacy Policy lets them link all the shit up, since they control large DNS servers, and content delivery networks, analytics, advertising etc. every site you visit it tagged by Google, and given the ID means they can tag it to a phone, to any Google account (e.g. Google Play, and Google Play Credit Card details).

So yeh.

Oh and the "do you want to backup" thing, that uploads all your keys to their servers.

"OK Google" on every device cannot be uninstalled.

And that's even before you get to Microsoft's "Office" bundle installed on several phones, that does a shit load of surveillance stuff, and AT&T's compulsary spyware.

Being secure, I don't think that means what they think it means.

Re:Exploding heads

"Engineer" is talking about Google Pixel, period. Headline is hyperbole.

Security? More like obsolescence protection.

[sethstorm]

Android's built-in obsolescence enforcement product called "Safety Net"

Safety Net is simply a part of the Obsolescence Enforcement Suite, which automatically makes devices incompatible, even if a certain platform would work with third-party ROMs or lets the user have their way. Your device can literally be told to "stop working" with it.

In the long term, the open ecosystem of Android is going to put it in a much better place

With SafetyNet, it's not open.

Re:Exploding heads

[mlts]

If vendors either keep their devices updated for at least 4-5 years, or at the minimum, offer a method of unlocking the bootloader so the people at Cyanogenmod or other ROM shops can put a well maintained install on the device, then I'd be inclined to believe this. However, other than Nexus phones, and possibly HTC devices [1], usually the fact that the bootloader is locked makes the device only patchable by the device maker or the cellular carrier, whichever is worse.

I would say that a Nexus or a Pixel phone is probably as close to ideal as one can get. Here, Android can be argued to be as secure as iOS. Perhaps more secure with xPrivacy because an app that requests every permission under the sun can be granted it... and still be kept well away from sensitive stuff.

[1]: HTC is OK... at least one can unlock the bootloader then run Sunshine to S-Off the device. Better than other makers which blow e-Fuses for just rooting the device.