Google Security Engineer Claims Android Is Now As Secure As the iPhone

An anonymous reader quotes a report from Motherboard: It's a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees -- but of course he would. "For almost all threat models," Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, "they are nearly identical in terms of their platform-level capabilities." In a short interview after a talk at a security conference in Manhattan on Tuesday the talk, Ludwig said that, "for sure," there's no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though. "In the long term, the open ecosystem of Android is going to put it in a much better place," he said, without mentioning that Android has already been around for more than eight years at this point. During his talk at the O'Reilly Security Conference Ludwig said that Android's built-in security product called "Safety Net" scans 400 million devices per day and checks a stunning 6 billions apps per day. The result of these security checks, coupled with the exploit mitigation measures baked into Android, mean that a really small number of Android devices has malware or, as Google calls it, "Potentially Harmful Applications" or PHAs, according to Ludwig. In fact, Ludwig said showing a graph, less than 1% of Android smartphone contain malware.

Re:Exploding heads

[TheGratefulNet]

its a lie.

androids are mostly abandoned by vendors. no updates.

total BS. until they fix that, android as a whole will continue to suck.

Less than 1% have malware

[ljw1004]

"Less than 1% of Android phones have malware". Less than 140 million Android phones have malware.

Maybe true if you actually get updates

[Gumbercules!!]

Speaking as a long time Android fan who recently switched to iOS because work provided me an iPhone 7, this is only true if you actually get updates. And the vast majority of Android users, do not. So when they get a vulnerability found in their Samsung/HTC/Whatever device - chances are it will never get patched.

I had a Google Nexus 6P as my previous device (it's still on my desk in fact) and while I loved the device, updates where not as promised. Despite it being a Nexus, I was still beholden to my Telco for updates and they dragged their feet like mad. In fact, when I last turned off the Nexus 6P, the Nougat update was still not available (unless you manually enrol in the beta program, which I did, but then I had all kinds of issues with the Telco's LTE). So even on a damn Nexus, updates are hardly assured.

I fully realise older iPhones stop getting updates, too - but we're talking about a Nexus 6P here - the thing hasn't even been available for a year in Australia yet and Google and Telstra have already washed their hands of it. I also realise Google may / may not be responsible for the issues with Telstra's LTE on the Nexus 6P - but rest assured, if the iPhone has an issue, Telstra sits up and takes notice. When I first got my Nexus 6P, I spent the first 2 months locked to 3G because LTE wasn't supported at all on. (Source, in case you think I am making this up: https://crowdsupport.telstra.c...).

Re:Secure against who?

Location sniffing, local Wifi SSIDs sniffing, it assigns a unique ID to each phone used to track for adverts (and the id is still sent even if you opt out of user specific ads). And their new Privacy Policy lets them link all the shit up, since they control large DNS servers, and content delivery networks, analytics, advertising etc. every site you visit it tagged by Google, and given the ID means they can tag it to a phone, to any Google account (e.g. Google Play, and Google Play Credit Card details).

So yeh.

Oh and the "do you want to backup" thing, that uploads all your keys to their servers.

"OK Google" on every device cannot be uninstalled.

And that's even before you get to Microsoft's "Office" bundle installed on several phones, that does a shit load of surveillance stuff, and AT&T's compulsary spyware.

Being secure, I don't think that means what they think it means.

Fragmenttion makes this Fiction

[goombah99]

Security is always a moving target. While it's possible your leading edge phone is as secure as the leading iphone, what matters to security is how many people are running an older OS. Androids are always going to be running non-updatable OS just because of the bussiness model. So in terms of numbers of exploitable phones, swaths of the andorid ecosystem will be less secure than Apple ecosystem.

Bullshit...

[XSportSeeker]

There a whole mix of stuff being talked about there, and one is not equal the other.

For instance, Google Pixel cannot be generalized to the overall Android experience, not by far. It's probably not even the 0.0001% of Android devices.
The reality of Android as a whole is that it's extremely fragmented, and the absolute majority of it is not on Nougat, let alone being the same as Google Pixel.

As device encryption remains an optional step for most of these devices, most of them are not using it, so threat models be damned.
Not to mention how the vast majority of Android devices uses all sorts of custom versions coming from all sorts of companies in all possible states of vulnerabilities and expected update dates. Even Windows is better than that. Android pretty much represents one of the worst possible fragmentation scenarios.

You have all sorts of cheap generic tablets that I'm almost certain comes from factory with included malware, vulnerabilities, rootkits and backdoors installed. This is serious. I tested a cheap generic tablet just a few months ago (Multilaser was the brand on top of it if I'm not mistaken, but you can find the exact same tablet with several other brand names) that had very suspicious stuff pre-installed. It was impossible to uninstall it, so I rooted the damn thing to do it. And then the device factory reseted itself when I managed to remove the offending apps, everytime.

In general, there's still far more chances of you finding an Android phone/tablet that is either completely open or easy to crack because it has an outdated system or has not been properly locked by it's owner, in comparison with iPhone in general.

And sure, Android has the advantage of being an open os versus the extremely closed iOS - the standard defense for open source software which I do understand. But hoping that this will somehow count as a huge security advantage for the future of Android is quite frankly naive and kinda stupid in itself, specially for cases like Android vs iOS.

The open nature of Android might allow for better scrutiny of it in some stances, but much more, it allows for all sorts of shady companies to make their own Android versions however they feel like doing it... and as more shady businesses adopt that strategy to spy and take advantage of less knowledgeable costumers, the more difficult it gets for a conscious community to take note of it.

As long as Apple keeps getting as much money as they do from regular users to the loyal fanbase, they can just spend that much more money to close security holes and whatnot. One company developing both software and hardware while keeping a stance on security and privacy also makes it much more reliable. Things would have to change quite drastically for Android to ever be as secure and private as iOS. It's just the reality of it.

You only have to think about it a bit more. Apple will always be able to push updates faster, they will always be able to implement security functions for most of their userbase in a timely manner (excluding those with devices that are too old), they are always better able to convince more users to buy their latest devices. Community wise, you will always have more reach... if one knowledgeable costumers finds a security hole, it'll affect almost the entire userbase, so it just makes far more sense for Apple to fix it.
In grand scheme of security and privacy stuff, again for this particular case, the open source argument is minor in comparison to the whole.

And I'm talking all this while being an Android user, not wanting to touch an iPhone with a 10 foot pole. It is what it is.
See, this doesn't mean that I'm switching to iOS anytime soon. But to say Android as a whole is anywhere near as secure as iPhones is just delusional.

Re:Exploding heads

[Ol+Olsoc]

Don't hold the Note 7 so close to your head.

With apologies to Johnny Cash, I present Phone of Fire:

My phone is a burnin' thing

And its tone is a fiery ring

Lured by the size and power

I bought a phone of fire

My phone turned into a burnin' ring of fire

burned my car up

As the flames went higher

And it burns, burns, burns

The phone of fire, the phone of fire

A smartphone is really sweet

With no data cap, for it to meet

I fell for it like a child

Oh, but the fire it went wild

My phone turned into a burnin' ring of fire

burned my car up

As the flames went higher

And it burns, burns, burns

The phone of fire, the phone of fire