Slashdot Mirror


Android Is Now as Safe as the Competition, Google Says (cnet.com)

In an interview with CNET, David Kleidermacher, Google's head of security for Android, Google Play and Chrome OS, said Android is now as safe as the competition. From the interview: That's a big claim, considering that Android's main competitor is Apple's iPhone. This bold idea permeates the annual Android Security Report that Google released Thursday. "Android security made a significant leap forward in 2017 and many of our protections now lead the industry," the report says on page one. Echoing the report, Kleidermacher told CNET that Android flaws have become harder for researchers to find and that the software now protects users from malicious software so well the problems that used to leave users exposed to bad actors aren't such a big problem anymore.

20 of 116 comments

  1. How can this possibly be true? by Teckla · · Score: 4, Insightful

    Given the ridiculously short amount of time Android devices get updates -- including devices from Google itself -- how can this possibly be true from a realistic viewpoint?

    1. Re:How can this possibly be true? by dbialac · · Score: 4, Insightful

      But is Android safe from Google? Spyware is spyware.

    2. Re:How can this possibly be true? by Austerity Empowers · · Score: 2

      I think you need to read into this a very narrow viewpoint. He's specifically referring to the latest OS and hacks injected from downloaded software/apps. He's not focused on any other aspect of the Android ecosystem that is presently a source of concern:

      1) Devices running old software that isn't secure
      2) Devices running co-opted software from various sources (often legit sources) from vendors
      3) Devices themselves that contain or allow rogue FW to run, some of which may have been placed there by the manufacturer for dubious purposes
      4) Devices that have been hacked before the user received them to run co-opted firmware.

      Their metric is essentially based on field reports, not design-in security. I've worked in a few places where we have eternal debates about "testing out bugs" versus "designing out bugs". Both are really necessary, but this article seems focused on the former.

      Google continues with a very software centric mindset, and trusts its OEMs. To me that's the biggest mistake, particularly given who a few of them are.

    3. Re:How can this possibly be true? by thebullshitpatrol · · Score: 4, Insightful

      not to mention the fact that submitting to the appstore requires 10x more effort because there are actual standards, code review, and testing to enforce.

    4. Re:How can this possibly be true? by whoever57 · · Score: 2

      .. it's that Google doesn't particularly care about any security issues which can't be traced directly to shortcomings in Google's own software

      How long did Google provide updates for Nexus phones? Nowhere near long enough.

      --
      The real "Libtards" are the Libertarians!

    5. Re:How can this possibly be true? by AmiMoJo · · Score: 2

      Android devices get updates pretty much forever because they come via Play Services. Doesn't really matter if the vendor doesn't update the kernel.

      Google fixed the lack of vendor updates by making it not matter.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    6. Re:How can this possibly be true? by thegarbz · · Score: 3, Insightful

      But is Android safe from Google? Spyware is spyware.

      So? I don't need it to be safe from Google. They have shown to be trustworthy with my data. Google has yet to ransomware me, max out my credit card, steal my identity or do anything else with the ludicrous amount of data they have on me other than serve me ads.

    7. Re:How can this possibly be true? by thegarbz · · Score: 2

      not to mention the fact that submitting to the appstore requires 10x more effort because there are actual standards, code review, and testing to enforce.

      Lol that's a good one. You use that in your stand-up routine often? No sorry I jest. There are standards. The standard is that Apple will only accept software that doesn't immediately threaten their bottom line, whereas Google seems comfortable to let those slip through.

    8. Re:How can this possibly be true? by ArmoredDragon · · Score: 2

      Or you can just not log in to a Google account, then it doesn't send anything to Google. For apps you'll need fdroid and/or Amazon (which is mostly crap since Amazon's whitelisted security model means few developers update their apps.) If you try to run a Google app and it asks you to login, you can either delete or disable the app (it never runs, just sits there on your phone's storage with all user data and updates deleted, and you have to go through several menus just to find an icon for it) and get an alternative.

      Some apps aren't entirely dormant though, for example some other apps require Google maps installed to work, and all they do is hook into its API. Either way, the Google apps don't send stuff to Google without an active account. Apps from fdroid and Amazon don't rely on any Google apps being present, so they'd never be used at all.

      If you suffer from paranoid-schizophrenia and/or autism, then using AOSP is your only option, and it's usually buggy because drivers. Also, your choice of newer phones is very limited, with the best phones being Google branded phones, and absolutely no phones with Verizon or AT&T branding (my only guess for this is that they can treat you as a captive audience by preventing you from removing spammy carrier apps, blocking certain apps from being installed, and disabling some of Android's built-in features.)

    9. Re:How can this possibly be true? by Teckla · · Score: 2

      I'm most concerned about security updates. I thought even the mighty Google only pushed out 3 years of security updates, and that 3 years starts from when the product first appears on their web site for sale. If you're even a little conservative about new tech (like me) and wait 6-12 months before pulling the trigger on a new product, that means only 2 to 2.5 years of security updates, not to mention regular updates, which you'd only get for 1 to 1.5 years.

      I guess at the moment I'm a little spoiled by iPhone, since I can buy a new one every 2.5 years or so, and pass on the old phone to my kid to use for 2.5 years. That's a 5 year life span for each phone. Once I take (price of phone / years of service), iPhone comes out way cheaper than anything I can buy in the Android ecosystem, for my use case at least. Granted, I'm a stickler about only using tech that's still getting security updates. I'm sure lots of people don't worry about security as much as I do.

    10. Re: How can this possibly be true? by thegarbz · · Score: 2

      Trust is not a universal term that can be applied to everything. I qualified it by saying "with my data", the data being the subject in question. But then "trust" is nothing more than a belief in an outcome. I find Google very "trustworthy" even in the case you apply it. I'm certain that they will continue to exhibit the behaviour of trying to shiftily exfiltrate my data as much as possible.

      That's the thing about trust. You can "trust" bad behaviours as well as good behaviours. I trust the bad behaviour of Google will continue to collect my data as per normal based on past actions. I trust the good behaviour of Google to protect my data (it's their equivalent of the Coca-Cola recipe) and not sell it directly to third parties because it is their way of making money through services.

      I can't say the same thing about Microsoft. I can't trust them with my data. I have no idea what they will do with it. I have no faith they won't sell it unobfuscated to 3rd parties. Managing my data is not their core business.

  2. Where are the permissions logs? by javaman235 · · Score: 3, Interesting

    Why can't I find a simple view in Android of what apps have accessed permissions and when? (mic, camera, GPS etc) Also, apps request such general permissions... Access to drive I grant for apps that need to save files to drive, but does that mean it can upload my photos to a weird app developer?

    Android needs more transparency on these things to build trust.

    --
    -The art of programming is the pursuit of absolute simplicity.

    1. Re:Where are the permissions logs? by BronsCon · · Score: 2

      Honest question: Where can I find this in iOS?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    2. Re:Where are the permissions logs? by Anonymous Coward · · Score: 2, Informative

      Honest question: Where can I find this in iOS?

      1) Open the Settings App.
      2) Scroll to the app you wish to check.
      3) You now see a list of permissions, such as "Location", "Notifications", "Background App Refresh", ... You can turn each one on or off.

      You can also see all apps which might use a permission in one list:

      1) Open the Settings App.
      2) Choose "Privacy"
      3) Select the permission you wish to control.

      You now see a list of apps that requested the permission. You can enable or disable each app.

      I have mixed feelings about iOS in general, but this is one thing that iOS does exactly right.

    3. Re:Where are the permissions logs? by orient · · Score: 3, Informative

      DTEK by BlackBerry does exactly this. Plus it can alert you when an app tries to access a certain resource (microphone, camera). Plus it can allow/deny access to each resource individually, unlike Google's all-or-nothing approach. Even if you grant all permissions when you install an app, when the app tries to actually access any resource (camera, microphone, address book, local files etc.) you get a prompt to allow or deny access to each of the resources requested. And, yes, it comes installed on the Android BlackBerry phones. I don't have another Android phone, so I can't tell if it's only available for BB phones or not.

      --
      Laudele lor desigur m-ar mahni peste masura.

    4. Re:Where are the permissions logs? by BronsCon · · Score: 2

      That's the same thing Android has (Settings -> Apps, or long-press on an app and choose App Info) and you can enable and disable permissions there, as well. It's also not what was being asked for.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    5. Re:Where are the permissions logs? by thegarbz · · Score: 2

      Why can't I find a simple view in Android of what apps have accessed permissions and when?

      For the same reason the Subway queue is so long: people are overwhelmed with choice.
      Look, you sound like you want to run a full blown Linux complete with terminal on your phone. But really this level of detail should not be exposed to the average user. The only thing you'll get is frothing at the mouth and outrage as people misread, misinterpret and otherwise try to draw huge conspiracies from things they don't understand.

      There's a reason these devices are so popular, and simplicity is a key component of that.

  3. Re:The worst problem with Android: No updates. by wangmaster · · Score: 2

    Android does not usually allow updates. So, to get the latest version, it is necessary to buy a new cell phone. In my opinion, that's extremely abusive.

    Technically, that's not an Android problem. It's a problem with crappy manufacturers. Android itself absolutely allows updates. I get them at least once a month on my Pixel devices.

  4. PoisonJuice is now as safe as the competition by OrangeTide · · Score: 2

    We bought the competition and shuttered their business. So now PoisonJuice® is the only juice-like beverage, which also makes it the best, safest and most natural.

    --
    “Common sense is not so common.” — Voltaire

  5. Sure... by XSportSeeker · · Score: 2

    While that might be half true, it's also true that the vast majority of the entire Android market doesn't have, and might not ever have access to this latest Android version that is supposedly as secure as the competition. So the point is moot.

    In fact, the only way to get that version of Android anytime soon would be by getting a Pixel phone. Because that's the only device that has the latest core/vanilla Android version. Other than that, perhaps a few Android One and Go devices. And that, for the global Android market, must be way below 1% of users. I'm not sure if it's even 0.01% of the global market.

    Beyond that, Google cannot guarantee anything, because they really don't know. Most of the security and privacy breaches in the platform's history remain unpatched for a metric ton of Android devices, a whole ton of problems that emerged in recent years regarding spyware, telemetry, smartphone brands harvesting personally identifiable information surreptitiously (thanks OnePlus), and a bunch of other safety problems came from Android skins/forks that Google has no way to completely control. And no, even Project Treble and other initiatives will be enough - they'll help, but they won't be enough.
    And then the death knell of supposed safety: as long as you can sideload apks into an Android device, it can never be considered as secure as a walled garden closed off system as iOS. Of course, lots of Android users (including myself) gladly accept the risk for the openness, but that alone is enough for Android to never be as "safe" a platform as iOS. It's about the paradigm, not the OS.