Google Security Engineer Claims Android Is Now As Secure As the iPhone

An anonymous reader quotes a report from Motherboard: It's a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees -- but of course he would. "For almost all threat models," Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, "they are nearly identical in terms of their platform-level capabilities." In a short interview after a talk at a security conference in Manhattan on Tuesday the talk, Ludwig said that, "for sure," there's no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though. "In the long term, the open ecosystem of Android is going to put it in a much better place," he said, without mentioning that Android has already been around for more than eight years at this point. During his talk at the O'Reilly Security Conference Ludwig said that Android's built-in security product called "Safety Net" scans 400 million devices per day and checks a stunning 6 billions apps per day. The result of these security checks, coupled with the exploit mitigation measures baked into Android, mean that a really small number of Android devices has malware or, as Google calls it, "Potentially Harmful Applications" or PHAs, according to Ludwig. In fact, Ludwig said showing a graph, less than 1% of Android smartphone contain malware.

Subjective Comparison

Eh, it's not so much that Android is great, but that security is very, very hard. The iPhone has had some very serious exploits in the last 18 months, same as Android. But Android's update model leaves many in the dust and unpatched.

My work has de-authed iPhones from their work network until updates were applied multiple times this year. It's a serious concern. I can only imagine how long we would be de-authed for a 3-year old Android phone waiting for a security patch.

I have an Android (Nexus) personal phone and a work iPhone, and based upon critical advisories of active exploits I would say that they are roughly the same. But my 3+ year old iPhone is still getting security updates pretty regularly. I went to Nexus for that feature, but still only get them for 2-3 years max.

Maybe true if you actually get updates

[Gumbercules!!]

Speaking as a long time Android fan who recently switched to iOS because work provided me an iPhone 7, this is only true if you actually get updates. And the vast majority of Android users, do not. So when they get a vulnerability found in their Samsung/HTC/Whatever device - chances are it will never get patched.

I had a Google Nexus 6P as my previous device (it's still on my desk in fact) and while I loved the device, updates where not as promised. Despite it being a Nexus, I was still beholden to my Telco for updates and they dragged their feet like mad. In fact, when I last turned off the Nexus 6P, the Nougat update was still not available (unless you manually enrol in the beta program, which I did, but then I had all kinds of issues with the Telco's LTE). So even on a damn Nexus, updates are hardly assured.

I fully realise older iPhones stop getting updates, too - but we're talking about a Nexus 6P here - the thing hasn't even been available for a year in Australia yet and Google and Telstra have already washed their hands of it. I also realise Google may / may not be responsible for the issues with Telstra's LTE on the Nexus 6P - but rest assured, if the iPhone has an issue, Telstra sits up and takes notice. When I first got my Nexus 6P, I spent the first 2 months locked to 3G because LTE wasn't supported at all on. (Source, in case you think I am making this up: https://crowdsupport.telstra.c...).

Fragmenttion makes this Fiction

[goombah99]

Security is always a moving target. While it's possible your leading edge phone is as secure as the leading iphone, what matters to security is how many people are running an older OS. Androids are always going to be running non-updatable OS just because of the bussiness model. So in terms of numbers of exploitable phones, swaths of the andorid ecosystem will be less secure than Apple ecosystem.

Pixel EoL vs iPhone EoL

Security engineer at Google love to ignore the full life cycle of a phone.

My mom got an iPhone 5 in December of 2012 and it still can be updated to the latest iOS 10. If she had gotten a Nexus 4 offered by Google at the same time, the latest version of Android that Google would officially offer her is Android v5 (Lollipop). Is Adrian Ludwig willing to make a claim that an up to date Nexus 4 is more secure than an up to date iPhone 5?

When claiming a Pixel will be just as secure as an iPhone, the engineer should be willing to discuss the *FULL* life cycle. If my mom selects this December between a Pixel for $650 or an iPhone 6S for $550, which is going to continue to be secure when my mom wants to continue using it in 2019? Based on Google's 2-year end of life on the Nexus 5X and 6P, it seems that the Pixel will stop getting Android updates before 2019. On the other hand, the iPhone 6S which was released a year ago is more likely to continue to get updates in 2019 than the more expensive Pixel just released! How can Adrian Ludwig justify this as being a product that is just as secure? If Google wants to make such claims, they need to adjust their EoL policy to match Apple's.

Re:Has nobody told him of Dirty COW?

[TheRaven64]

We had the head of Google's Android security team come and give a talk about a year ago. He was very proud of the fact that they'd enabled FORTIFY_SOURCE on their code. I was a bit surprised, because I'd yet to have FORTIFY_SOURCE find a single bug that the clang static analyser didn't find - it was great technology 15 years ago, but these days it only lets you catch at run time things that you can find at compile time with free off-the-shelf tools. I asked him if his team had any counterexamples, which might make us reevaluate using it. His answer? Static analysis is not part of their development flow at all. In contrast, when I've asked Apple folks about it, they've told me that it's part of their CI process and changes that introduce new bugs that static analysis catches are reverted.

If your development process doesn't even try to catch the low-hanging fruit, then I find it really hard to take any claims that you make about security seriously. The DRAMMER attack, for example, was only possible because Google implemented a really stupid API in Android (allowing untrusted code to explicitly map uncached memory, which is a bad idea for so many reasons, rather than providing cache flushing APIs for DMA). The API review process for Android is a joke and there's no evidence that they'll ever fix that. Part of it is the internal culture at Google: they have very good refactoring tools that they regularly run on large codebases, so have little incentive to get APIs right the first time.