Comparing ads to reality is sometimes very funny
This week at Gartner Symposium/ITxpo, Google Chairman Eric Schmidt was asked a question about Android security. Rather than answer directly, he said “Not secure? It’s more secure than the iPhone.” Perhaps unsurprisingly this drew laughter from the crowd – but he was being laughed AT, not WITH. Because it comes after a report showed >1 million Android apps had malware.
The report from F-Secure showed that in 2012 Android accounted for 79% of malware and malicious attacks, up from 66% in 2011. While there is certainly some impact of the platform market share, the actual numbers are way out of proportion. Here is the breakdown:
None of this aligns with Schmidt’s defense of security, in which he tried to conflate the platform numbers with security. Certainly the Linux kernel at the heart of the platform allows for the potential of security, but as with so many things the open-ness of the platform also means it is open for easy attacks through malware and other channels.
So nice try, Schmidt … but try to remember that having huge numbers doesn’t automatically attach all other positive attributes.
Hmm…let’s think why this may be. Is it because Android is less secure or is it because there are many more handsets? I think it’s a little more of the latter. In the PC world, Windows has more vulnerabilities simply because it’s far more common out there than Mac OS X and Linux. Right now, there’s far more Android phones out there than iOS. While iOS is still selling very well, market share is currently firmly in the Android camp.(http://www.zdnet.com/apple-ios-gains-on-google-android-in-mobile-os-race-7000021611/) Ergo, there are more attacks.
So what is the truth? Somewhere in the middle. Android is probably less secure than iOS mostly because it’s easy to circumvent the security…and we like it that way partially. For example, I can install apps from the play store, Amazon, FDroid and a couple other stores. Most of these take advantage from installing from “untrusted” sources. That makes it inherently easier to install things that may cause issues. That isn’t an issue on iOS thanks to the vetting Apple does…however you have more freedom on Android than iOS as you can chose to install from many different stores. It’s a trade off. You want more freedom? You have the ability to shoot yourself in the foot by downloading an APK (an Android app file) from Joe’s website. The freedom gives you great power…but with that comes responsibility.
The good thing is you can keep that setting turned off. If you don’t know what you are doing, then you probably should ONLY use the Play Store.
So I am not saying your post is bull….it’s not. However there are reasons it seems this way. Android can’t make this 100 percent better because in doing so, they will be forced to lock the OS down further than it is today and give up a little bit of the freedom that makes it so popular.
Thanks for the in-depth comment, Joel. I have a few issues:
– First, you cannot conflate popularity with the technical elements of malware, etc. Why? Because there is a difference between an OS and smartphone units. So Unix is very secure regardless of market share, as is Linus and Mac OS X. Android COULD be as secure as iOS, but it isn’t due to non-kernel layers in the OS that apps can easily exploit. That is where these reports come from – actual apps and exposed vulnerabilities.
– As for Windows, be careful again – you are equating vulnerabilities to popularity. Wrong! It has more vulnerabilities because it is inherently less secure. You probably remember the most secure user version of Windows (I know I do) – WinNT 3.51. To get to the next version and add the Win95 look, security was compromised. The merging of Pro and Consumer OS versions gave us a prettier and more ‘consumer/game friendly’ element, but a lowering of security. OS X, like the NeXT OS it came from, was built from the ground up on a server-based technology … and is more secure.
– Also, I think you are a little confused – because Android either IS or IS NOT less secure. And honestly, it isn’t a matter of serious debate at this point. Last quarter 96% of malicious attacks in smartphones happened against Android devices … and guess what? These apps mostly come from Google Play! These are ‘approved’ apps – hundreds of thousands of them – that are full up with malware.
I understand that you trade a bit of security for freedom – but that is different form downloading a flashlight app and having it steal your Facebook credentials, your credit card info and your contact list!
Ok, Schmidt’s statement is funny.
But I have a problem not thinking that F-Secure, which sells an android security application, but does not sell one for iOS, may be exaggerating the insecurity of Android.
I read their most recent report. Every single new malware for Android exists in third party App Stores, not google’s play store, all outside of the US.
The reality is that I am sure that the majority of Android users never install apps outside the play store (or amazon’s app store), and that apps like F-Secure’s are unnecessary for almost every android phone or tablet. And that report from F-Secure doesn’t answer the important question: what percentage of devices have actually suffered malware?
So, if it turns out, as I believe it does, that only a small percentage of phones overall are actually being infected, how useful is it to know that 79% of a very small number is an Android device? Perhaps the best lesson is do not root or jailbreak, do not allow third party app installs, and don’t install anything without understanding why the app requires the permissions it’s asking for.
If F-Secure’s report was an isolated event, I would agree – but it is not. It is just the most recent one – every security-related article, from those with ‘specific interests’ like McAfee and Sophos and Symantec and F-Secure as well as general security researchers … all have come out with variations on the exact same theme. And most of them DO point to the added danger of third-party app stores – but they also point to Google-play apps as well. And Google itself has had to pull apps multiple times – including a load of them this past March – after discovering rampant malware … or rather after it was discovered for them, and they were pressured for a while in the press to pull them.
Apple has pulled apps as well. It still doesn’t answer the question of numbers. If only one person in 1 million is getting a malware infected phone, and 79% of those are Android, that’s a lot of worry over very little risk, and F-Secure has no incentive to tell us that.
See http://www.esecurityplanet.com/mobile-security/android-malware-separating-reality-from-hype.html
Key quote: “By putting Android malware in context, it should become clear that despite the absolute numbers of malware apps detected in the wild, reasonably configured Android devices are actually at low risk of infection.
“Whereas platforms like Windows XP and Vista put the onus on enterprises and users to take active steps to increase their security against malware, the situation is quite the reverse with Android, where the default state is among the most secure and users must take active steps to reduce their security.”
What’s silly about what Schmidt says is that iOS is no less secure in a default state – and is probably more – and does not allow these third party app stores, or – worse – sideloading – which is what causes almost every Android infection. Which isn’t that many.
Totally agree – and I think that is the key point. Whereas with Windows you are at risk from the second you choose ‘connect to network’ by simply existing … if you got a phone and installed NOTHING, you would largely be safe. And for iOS even more so.
The one thing where I worry about Google is how their business model is based on exposing user data (not necessarily personal data, just usage) to third parties for profit. That is is a model that is inherently insecure and filled with APIs for cross-app data collection. We already know Google has a history of actively hacking other OS and browsers to mine personal data, and of disregarding user settings to enforce their own needs … so there is a very real concern that in the decision making process between user privacy and profit … well, y’know.