Slashdot Mirror


Google Security Engineer Claims Android Is Now As Secure As the iPhone (vice.com)

An anonymous reader quotes a report from Motherboard: It's a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees -- but of course he would. "For almost all threat models," said Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, "they are nearly identical in terms of their platform-level capabilities." In a short interview after a talk at a security conference in Manhattan on Tuesday, Ludwig said that, "for sure," there's no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though. "In the long term, the open ecosystem of Android is going to put it in a much better place," he said, without mentioning that Android has already been around for more than eight years at this point. During his talk at the O'Reilly Security Conference, Ludwig said that Android's built-in security product called "Safety Net" scans 400 million devices per day and checks a stunning 6 billion apps per day. The result of these security checks, coupled with the exploit mitigation measures baked into Android, means that a really small number of Android devices have malware or, as Google calls it, "Potentially Harmful Applications" or PHAs, according to Ludwig. In fact, Ludwig said, showing a graph, less than 1% of Android smartphones contain malware.

30 of 173 comments

  1. I'll believe that... by SJ · · Score: 4, Insightful

    when Google defends a lawsuit to open up a phone due to -reasons-.

    1. Re:I'll believe that... by fluffernutter · · Score: 3, Funny

      Android users are too busy getting stuff done to be out committing crimes.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re: I'll believe that... by Zero__Kelvin · · Score: 3, Funny

      I was a pre-order customer for the very first Android phone, the T-Mobile G1 and I've been using them without incident ever since. I also don't know anyone who HAS ever had an issue.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Re:Exploding heads by TheGratefulNet · · Score: 5, Insightful

    it's a lie.

    androids are mostly abandoned by vendors. no updates.

    total BS. until they fix that, android as a whole will continue to suck.

    --
    "It is now safe to switch off your computer."
  3. A new measure of security- by billrp · · Score: 3, Funny

    "We're as good as the other guy"

  4. Less than 1% have malware by ljw1004 · · Score: 5, Insightful

    "Less than 1% of Android phones have malware". Less than 140 million Android phones have malware.

  5. wrong. by Gravis+Zero · · Score: 4, Insightful

    if you are really paranoid, you should probably use an iPhone, and not Android

    wrong! if you are really paranoid, you shouldn't carry around something that could easily be described as the most sophisticated surveillance device that man has ever created.

    --
    Anons need not reply. Questions end with a question mark.
  6. Subjective Comparison by Anonymous Coward · · Score: 3, Interesting

    Eh, it's not so much that Android is great, but that security is very, very hard. The iPhone has had some very serious exploits in the last 18 months, same as Android. But Android's update model leaves many in the dust and unpatched.

    My work has de-authed iPhones from their work network until updates were applied multiple times this year. It's a serious concern. I can only imagine how long we would be de-authed for a 3-year old Android phone waiting for a security patch.

    I have an Android (Nexus) personal phone and a work iPhone, and based upon critical advisories of active exploits I would say that they are roughly the same. But my 3+ year old iPhone is still getting security updates pretty regularly. I went to Nexus for that feature, but still only get them for 2-3 years max.

  7. Maybe true if you actually get updates by Gumbercules!! · · Score: 5, Interesting

    Speaking as a long time Android fan who recently switched to iOS because work provided me an iPhone 7, this is only true if you actually get updates. And the vast majority of Android users do not. So when they get a vulnerability found in their Samsung/HTC/Whatever device - chances are it will never get patched.

    I had a Google Nexus 6P as my previous device (it's still on my desk in fact) and while I loved the device, updates were not as promised. Despite it being a Nexus, I was still beholden to my Telco for updates and they dragged their feet like mad. In fact, when I last turned off the Nexus 6P, the Nougat update was still not available (unless you manually enrol in the beta program, which I did, but then I had all kinds of issues with the Telco's LTE). So even on a damn Nexus, updates are hardly assured.

    I fully realise older iPhones stop getting updates, too - but we're talking about a Nexus 6P here - the thing hasn't even been available for a year in Australia yet and Google and Telstra have already washed their hands of it. I also realise Google may / may not be responsible for the issues with Telstra's LTE on the Nexus 6P - but rest assured, if the iPhone has an issue, Telstra sits up and takes notice. When I first got my Nexus 6P, I spent the first 2 months locked to 3G because LTE wasn't supported at all on. (Source, in case you think I am making this up: https://crowdsupport.telstra.c...).

    1. Re:Maybe true if you actually get updates by AmiMoJo · · Score: 2

      Google Play is available in China. If a phone doesn't have Play, it's not an Android phone. The rule is that to use the Android branding, it must have Play.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Secure against who? by penguinoid · · Score: 4, Insightful

    Doesn't the Google stuff on your Android steal your data anyways?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Secure against who? by Anonymous Coward · · Score: 5, Informative

      Location sniffing, local Wifi SSIDs sniffing, it assigns a unique ID to each phone used to track for adverts (and the id is still sent even if you opt out of user specific ads). And their new Privacy Policy lets them link all the shit up, since they control large DNS servers, and content delivery networks, analytics, advertising etc. Every site you visit is tagged by Google, and given the ID means they can tag it to a phone, to any Google account (e.g. Google Play, and Google Play Credit Card details).

      So yeh.

      Oh and the "do you want to backup" thing, that uploads all your keys to their servers.

      "OK Google" on every device cannot be uninstalled.

      And that's even before you get to Microsoft's "Office" bundle installed on several phones, that does a shit load of surveillance stuff, and AT&T's compulsory spyware.

      Being secure, I don't think that means what they think it means.

    2. Re:Secure against who? by AmiMoJo · · Score: 2

      Location sniffing, local Wifi SSIDs sniffing

      Location services -> off

      every site you visit is tagged by Google

      Gonna need to see some evidence of that.

      "OK Google" on every device cannot be uninstalled.

      It's part of the Google Launcher (or Pixel Launcher on Pixel phones). It can be uninstalled or disabled easily, just install a different launcher and go into Settings -> Apps -> Google Launcher -> Disable. You can disable other Google services there too, or just install a ROM that doesn't even have them by default.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Has nobody told him of Dirty COW? by Mal-2 · · Score: 3, Insightful

    Until all the Android phones still in the wild (regardless of age) get patched for the Dirty COW vulnerability, how can anyone reasonably say they're "as secure as" anything other than Goatse guy's rectum?

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    1. Re:Has nobody told him of Dirty COW? by TheRaven64 · · Score: 4, Interesting

      We had the head of Google's Android security team come and give a talk about a year ago. He was very proud of the fact that they'd enabled FORTIFY_SOURCE on their code. I was a bit surprised, because I'd yet to have FORTIFY_SOURCE find a single bug that the clang static analyser didn't find - it was great technology 15 years ago, but these days it only lets you catch at run time things that you can find at compile time with free off-the-shelf tools. I asked him if his team had any counterexamples, which might make us reevaluate using it. His answer? Static analysis is not part of their development flow at all. In contrast, when I've asked Apple folks about it, they've told me that it's part of their CI process and changes that introduce new bugs that static analysis catches are reverted.

      If your development process doesn't even try to catch the low-hanging fruit, then I find it really hard to take any claims that you make about security seriously. The DRAMMER attack, for example, was only possible because Google implemented a really stupid API in Android (allowing untrusted code to explicitly map uncached memory, which is a bad idea for so many reasons, rather than providing cache flushing APIs for DMA). The API review process for Android is a joke and there's no evidence that they'll ever fix that. Part of it is the internal culture at Google: they have very good refactoring tools that they regularly run on large codebases, so have little incentive to get APIs right the first time.

      --
      I am TheRaven on Soylent News
  10. The reality is otherwise by SuperKendall · · Score: 2

    You do know that Apple was doing everything REQUIRED BY LAW to help, but in the end were unable to because Apple also designed the systems so even they could not get at data that the user did not want them to?

    So, um, yeah. Believe what you like but in real life data you choose to keep on your phone stays private - if you have an iPhone.

    Androids of course are rooted all the time so police can get anything they like from them easily.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:Exploding heads by Anonymous Coward · · Score: 3, Informative

    "Engineer" is talking about Google Pixel, period. Headline is hyperbole.

  12. Re:Exploding heads by night · · Score: 2

    Note they carefully slide from android into pixel vs iphone discussions.

  13. Security? More like obsolescence protection. by sethstorm · · Score: 3, Informative

    Android's built-in obsolescence enforcement product called "Safety Net"

    Safety Net is simply a part of the Obsolescence Enforcement Suite, which automatically makes devices incompatible, even if a certain platform would work with third-party ROMs or lets the user have their way. Your device can literally be told to "stop working" with it.

    In the long term, the open ecosystem of Android is going to put it in a much better place

    With SafetyNet, it's not open.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  14. Fragmentation makes this Fiction by goombah99 · · Score: 5, Interesting

    Security is always a moving target. While it's possible your leading edge phone is as secure as the leading iPhone, what matters to security is how many people are running an older OS. Androids are always going to be running a non-updatable OS just because of the business model. So in terms of numbers of exploitable phones, swaths of the Android ecosystem will be less secure than the Apple ecosystem.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  15. Pixel EoL vs iPhone EoL by Anonymous Coward · · Score: 2, Interesting

    Security engineers at Google love to ignore the full life cycle of a phone.

    My mom got an iPhone 5 in December of 2012 and it still can be updated to the latest iOS 10. If she had gotten a Nexus 4 offered by Google at the same time, the latest version of Android that Google would officially offer her is Android v5 (Lollipop). Is Adrian Ludwig willing to make a claim that an up to date Nexus 4 is more secure than an up to date iPhone 5?

    When claiming a Pixel will be just as secure as an iPhone, the engineer should be willing to discuss the *FULL* life cycle. If my mom selects this December between a Pixel for $650 or an iPhone 6S for $550, which is going to continue to be secure when my mom wants to continue using it in 2019? Based on Google's 2-year end of life on the Nexus 5X and 6P, it seems that the Pixel will stop getting Android updates before 2019. On the other hand, the iPhone 6S which was released a year ago is more likely to continue to get updates in 2019 than the more expensive Pixel just released! How can Adrian Ludwig justify this as being a product that is just as secure? If Google wants to make such claims, they need to adjust their EoL policy to match Apple's.

  16. Bullshit... by XSportSeeker · · Score: 5, Insightful

    There's a whole mix of stuff being talked about there, and one is not equal to the other.

    For instance, Google Pixel cannot be generalized to the overall Android experience, not by far. It's probably not even the 0.0001% of Android devices.
    The reality of Android as a whole is that it's extremely fragmented, and the absolute majority of it is not on Nougat, let alone being the same as Google Pixel.

    As device encryption remains an optional step for most of these devices, most of them are not using it, so threat models be damned.
    Not to mention how the vast majority of Android devices use all sorts of custom versions coming from all sorts of companies in all possible states of vulnerabilities and expected update dates. Even Windows is better than that. Android pretty much represents one of the worst possible fragmentation scenarios.

    You have all sorts of cheap generic tablets that I'm almost certain come from the factory with included malware, vulnerabilities, rootkits and backdoors installed. This is serious. I tested a cheap generic tablet just a few months ago (Multilaser was the brand on top of it if I'm not mistaken, but you can find the exact same tablet with several other brand names) that had very suspicious stuff pre-installed. It was impossible to uninstall it, so I rooted the damn thing to do it. And then the device factory reset itself when I managed to remove the offending apps, every time.

    In general, there's still far more chance of you finding an Android phone/tablet that is either completely open or easy to crack because it has an outdated system or has not been properly locked by its owner, in comparison with the iPhone in general.

    And sure, Android has the advantage of being an open OS versus the extremely closed iOS - the standard defense for open source software which I do understand. But hoping that this will somehow count as a huge security advantage for the future of Android is quite frankly naive and kinda stupid in itself, especially for cases like Android vs iOS.

    The open nature of Android might allow for better scrutiny of it in some instances, but much more, it allows for all sorts of shady companies to make their own Android versions however they feel like doing it... and as more shady businesses adopt that strategy to spy and take advantage of less knowledgeable customers, the more difficult it gets for a conscious community to take note of it.

    As long as Apple keeps getting as much money as they do from regular users to the loyal fanbase, they can just spend that much more money to close security holes and whatnot. One company developing both software and hardware while keeping a stance on security and privacy also makes it much more reliable. Things would have to change quite drastically for Android to ever be as secure and private as iOS. It's just the reality of it.

    You only have to think about it a bit more. Apple will always be able to push updates faster, they will always be able to implement security functions for most of their userbase in a timely manner (excluding those with devices that are too old), they are always better able to convince more users to buy their latest devices. Community wise, you will always have more reach... if one knowledgeable customer finds a security hole, it'll affect almost the entire userbase, so it just makes far more sense for Apple to fix it.
    In the grand scheme of security and privacy stuff, again for this particular case, the open source argument is minor in comparison to the whole.

    And I'm talking all this while being an Android user, not wanting to touch an iPhone with a 10 foot pole. It is what it is.
    See, this doesn't mean that I'm switching to iOS anytime soon. But to say Android as a whole is anywhere near as secure as iPhones is just delusional.

  17. Re:Exploding heads by Ol+Olsoc · · Score: 5, Funny

    Don't hold the Note 7 so close to your head.

    With apologies to Johnny Cash, I present Phone of Fire:

    My phone is a burnin' thing

    And its tone is a fiery ring

    Lured by the size and power

    I bought a phone of fire

    My phone turned into a burnin' ring of fire

    burned my car up

    As the flames went higher

    And it burns, burns, burns

    The phone of fire, the phone of fire

    A smartphone is really sweet

    With no data cap, for it to meet

    I fell for it like a child

    Oh, but the fire it went wild

    My phone turned into a burnin' ring of fire

    burned my car up

    As the flames went higher

    And it burns, burns, burns

    The phone of fire, the phone of fire

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  18. Re:Exploding heads by mlts · · Score: 4, Informative

    If vendors either keep their devices updated for at least 4-5 years, or at the minimum, offer a method of unlocking the bootloader so the people at Cyanogenmod or other ROM shops can put a well maintained install on the device, then I'd be inclined to believe this. However, other than Nexus phones, and possibly HTC devices [1], usually the fact that the bootloader is locked makes the device only patchable by the device maker or the cellular carrier, whichever is worse.

    I would say that a Nexus or a Pixel phone is probably as close to ideal as one can get. Here, Android can be argued to be as secure as iOS. Perhaps more secure with xPrivacy because an app that requests every permission under the sun can be granted it... and still be kept well away from sensitive stuff.

    [1]: HTC is OK... at least one can unlock the bootloader then run Sunshine to S-Off the device. Better than other makers which blow e-Fuses for just rooting the device.

  19. Re:Exploding heads by Anubis+IV · · Score: 2

    Either way, you're only as secure as the weakest link, and with both iOS and Android, the hardware continues to be a weak link. The Pixel may be as secure as the iPhone (and I have no reason to doubt that claim), but it's a drop in the bucket. What about the rest of the Android market?

    Even iPhones from a few years ago (e.g. iPhone 5c) that support the latest version of iOS are less secure than more recent models simply because they lack key hardware features (e.g. Secure Enclave). How much more true is that on the Android side, where the majority of phones shipping today still lack comparable features in their hardware? And, perhaps a better question, how much longer will we have to wait for the industry at large to wake up and start putting the security of their users first?

    The Pixel has set a new standard that I sincerely hope others will follow, but we have yet to see if they will. In the meantime, it's a bit early to declare victory.

  20. Yeah, really by Artem+S.+Tashkinov · · Score: 2

    Aside from the fact that millions of Android apps contain native code which is very hard to find malware in and now we have a wonderful Dirty Cow vulnerability which affects almost 100% of Android devices, which means a new update or install from Google Play will automatically p0wn your device for good and will probably install an undetectable/unerasable rootkit.

    I'd love to think that Android is secure but Google chose to use the Linux kernel which doesn't fare that well vs. microkernels like QNX. Call me crazy but I believe the QNX kernel would have been a much better choice for Android.

    1. Re:Yeah, really by gweihir · · Score: 2

      The only reason Dirty Cow is a problem for Android is that Android update sucks badly. Until update is fixed, the platform must be regarded as highly problematic.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  21. Re:Exploding heads by jaseuk · · Score: 2

    Android changed this year. SafetyNet does make the android eco-system more secure. However, it does not make an individual phone any more secure for the end-user.

    SafetyNet is a bit like tripwire. It does a verification of running root-level processes and sends a signed device checksum off to Google. If your device is rooted / has malware / etc. then it won't pass this check. There are no indicators to the end-user that something bad has happened to their phone except that any apps that use SafetyNet will no longer work - e.g. Pokemon Go, Android Pay and the PlayStore.

    The phone will still be usable, you can still side-load apps etc. so this actually encourages end-users to continue to use a phone that's probably got malware.

    Oh and you can still root a phone, then unroot it and it'll be happy again. This is a security layer that benefits the app developers only, no more cheating at online games.

    However - I would hope this change would give the vendors a real motivation to release updates. If Apps are "No longer compatible with this device" because they are not keeping the phone updated with new releases, then you'd have a real legal case to return the phone. Not so much in the US, but the EU has good consumer protection.

    Jason.
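
The server side of the check jaseuk describes, as an added example that is not Google's code and not the commenter's: the app relays the signed attestation, and it is the server that checks the signature, the nonce it issued, the timestamp, the package name and the basicIntegrity / ctsProfileMatch flags. The payload field names are those of the SafetyNet Attestation API's JWS; the HMAC-SHA256 signature with a constructed key is an assumption standing in for Google's certificate-chain signature so the example runs offline.

```python
# Added example (not Google's code, not the commenter's). Real SafetyNet
# attestations are JWS objects signed by a Google-issued certificate chain
# (the x5c header); an HMAC-SHA256 with a constructed key stands in for
# that signature here so the example runs offline.
import base64, hashlib, hmac, json, os

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class NonceStore:
    """Server-issued nonces: each is valid once and only for ttl_s seconds."""
    def __init__(self, ttl_s=600):
        self.ttl, self.issued = ttl_s, {}
    def issue(self, now):
        nonce = b64u(os.urandom(24))
        self.issued[nonce] = now
        return nonce
    def consume(self, nonce, now):
        issued_at = self.issued.pop(nonce, None)
        return issued_at is not None and now - issued_at <= self.ttl

def sign(payload: dict, key: bytes) -> str:
    """Constructed signer standing in for Google's attestation service."""
    head, body = b64u(b'{"alg":"HS256"}'), b64u(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify(jws, key, nonces, pkg, now, max_skew_ms=120_000):
    """Return (ok, reason). The signature is checked before any field is
    trusted, so a client that edits the payload fails here, not on the flags."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, body, sig = parts
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, unb64u(sig)):
        return False, "bad signature"
    p = json.loads(unb64u(body))
    if not nonces.consume(p.get("nonce"), now):  # binds the token to one request
        return False, "unknown, expired or replayed nonce"
    if abs(now * 1000 - p.get("timestampMs", 0)) > max_skew_ms:
        return False, "stale attestation"
    if p.get("apkPackageName") != pkg:
        return False, "attestation is for another app"
    if not (p.get("basicIntegrity") and p.get("ctsProfileMatch")):
        return False, "device rooted, tampered or uncertified"
    return True, "ok"

def demo():
    """Constructed scenarios: clean device, replayed token, rooted device, and
    a rooted device whose client rewrote the integrity flags without re-signing."""
    key, pkg, now = b"constructed-demo-key", "com.example.app", 1_700_000_000.0
    store = NonceStore()
    clean = {"nonce": store.issue(now), "timestampMs": int(now * 1000),
             "apkPackageName": pkg, "ctsProfileMatch": True, "basicIntegrity": True}
    token = sign(clean, key)
    out = {"clean": verify(token, key, store, pkg, now),
           "replay": verify(token, key, store, pkg, now)}
    rooted = dict(clean, nonce=store.issue(now), ctsProfileMatch=False, basicIntegrity=False)
    out["rooted"] = verify(sign(rooted, key), key, store, pkg, now)
    honest = dict(rooted, nonce=store.issue(now))
    head, _, sig = sign(honest, key).split(".")
    forged = b64u(json.dumps(dict(honest, ctsProfileMatch=True, basicIntegrity=True)).encode())
    out["tampered"] = verify(f"{head}.{forged}.{sig}", key, store, pkg, now)
    return out
```

The replay and tampered cases are the point of doing this server-side: a "root then unroot" client can only present what the attestation service actually signed for a nonce the server just issued.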

  22. Re:Exploding heads by movdqa · · Score: 2

    That's the impression that I had. We have the Google Galaxy Nexus, Nexus 4, Nexus 5 and Nexus 7 (2012) models. Google isn't providing OS updates for any of these now. They are providing some level of security updates I think and you can always install them manually except for the first one which was abandoned before KitKat. The Nexus 7, practically speaking, can't run anything past KitKat because of performance reasons. In the meantime, Apple looks like it is providing about five years of updates for their phones and tablets. I have a Moto E (2nd gen) and it came with Lollipop and it's still running Lollipop. Motorola said that it would get one update but I haven't seen it yet. Those with 3G Moto E models get no updates.

  23. Re:Exploding heads by gizmo2199 · · Score: 2

    Well, you do have the specs to work off of, and you can audit Android 7.1 which it's running. Not that hard really.

    --
    This Sig does not Exist.