Google Security Engineer Claims Android Is Now As Secure As the iPhone (vice.com) 173
An anonymous reader quotes a report from Motherboard: It's a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees -- but of course he would. "For almost all threat models," Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, "they are nearly identical in terms of their platform-level capabilities." In a short interview after a talk at a security conference in Manhattan on Tuesday, Ludwig said that, "for sure," there's no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though. "In the long term, the open ecosystem of Android is going to put it in a much better place," he said, without mentioning that Android has already been around for more than eight years at this point. During his talk at the O'Reilly Security Conference Ludwig said that Android's built-in security product called "Safety Net" scans 400 million devices per day and checks a stunning 6 billion apps per day. The result of these security checks, coupled with the exploit mitigation measures baked into Android, mean that a really small number of Android devices has malware or, as Google calls it, "Potentially Harmful Applications" or PHAs, according to Ludwig. In fact, Ludwig said showing a graph, less than 1% of Android smartphones contain malware.
Exploding heads (Score:2)
Re:Exploding heads (Score:5, Insightful)
It's a lie.
androids are mostly abandoned by vendors. no updates.
total BS. until they fix that, android as a whole will continue to suck.
Re: (Score:2)
Note they carefully slide from android into pixel vs iphone discussions.
Re:Exploding heads (Score:5, Informative)
If vendors either keep their devices updated for at least 4-5 years, or at the minimum, offer a method of unlocking the bootloader so the people at Cyanogenmod or other ROM shops can put a well maintained install on the device, then I'd be inclined to believe this. However, other than Nexus phones, and possibly HTC devices [1], usually the fact that the bootloader is locked makes the device only patchable by the device maker or the cellular carrier, whichever is worse.
I would say that a Nexus or a Pixel phone is probably as close to ideal as one can get. Here, Android can be argued to be as secure as iOS. Perhaps more secure with xPrivacy because an app that requests every permission under the sun can be granted it... and still be kept well away from sensitive stuff.
[1]: HTC is OK... at least one can unlock the bootloader then run Sunshine to S-Off the device. Better than other makers which blow e-Fuses for just rooting the device.
Re: (Score:3)
Android changed this year. SafetyNet does make the android eco-system more secure. However, it does not make an individual phone any more secure for the end-user.
SafetyNet is a bit like tripwire. It does a verification of running root-level processes and sends a signed device checksum off to Google. If your device is rooted / has malware / etc. then it won't pass this check. There are no indicators to the end-user that something bad has happened to their phone except that any apps that use SafetyNet wi
Re: (Score:2)
Play store works fine on my rooted device. Android Pay doesn't though. The responses to reviews of the app from root users claim they are working on a fix.
SafetyNet is only there to reassure apps that the device is secure. Before it was available apps had to do their own thing so compatibility for things like banking apps was spotty.
Re: (Score:2)
Re: (Score:2)
My feelings exactly. While it's possible to, in theory, put together a combination of hardware and software that's somewhat secure for Android (nowhere near what Apple's custom engineering has managed), you're usually getting an unsupported, unpatched vendor-specific hack of last year's version on the cheapest hardware they can assemble.
With Apple you're getting supported, updated software on hardware where they've made a good effort to make it secure. And I'm saying that as a long-term Android user (sig
Re: (Score:2)
And that is exactly the problem. The human race is at this time not able to produce secure complex software in one step. It is a long, incremental process, and at each new discovery it becomes a race between the attackers and the defenders and in the typical case, that process is not finished when the hardware is decommissioned. Without timely updates (and that means next day for a published vulnerability, and not too much longer for others), the outcome of that race is already determined in advance. These
Re: (Score:2)
Re: (Score:2)
I got a security update for my 3 year old 2 generation behind phone yesterday. I think I'll be okay.
Google, what are you smoking? (Score:2)
Let's pick on Android's media player. Previous commentary [slashdot.org] from Jean-Baptiste Kempf, VideoLAN President and Lead VLC Developer:
Re: (Score:3, Informative)
"Engineer" is talking about Google Pixel, period. Headline is hyperbole.
Re: (Score:2)
How can anybody know the security of the Google Pixel? It has only been out for a few weeks, there is no track record for long term support, and limited experience with hardware / software flaws. Of course you can claim that it is "as secure", but we do not have to believe it.
Re: (Score:3)
Well, you do have the specs to work off of, and you can audit Android 7.1 which it's running. Not that hard really.
Re: (Score:2)
Re: (Score:2)
Then Android sure as hell can't claim to have the highest marketshare in the industry. It wouldn't even compete with Windows.
Which is it?
Re: Exploding heads (Score:2)
Well, one way to think of it is that there are plenty of devices within the ecosystem, which means that you get all of the benefits of a majority platform in terms of third party developer support, but if you want the only true Android UX, you go with Nexus/Pixel.
Re: (Score:2)
Any reasonably fast device running Android 6.0 or higher must enable encryption by default.
https://nakedsecurity.sophos.c... [sophos.com]
I don't know how many devices that is, but I'd guess... a lot? Before Nougat was released, Marshmallow had around a 20% market share of Android versions:
https://www.statista.com/stati... [statista.com]
Re: (Score:2)
Any reasonably fast device running Android 6.0 or higher must enable encryption by default.
Or what, the Google police turn up and redirect all of their search engine results to Gizoogle [gizoogle.net]? I'm running a relatively recent Android 6.01 phone (recent phone, older OS, as you get with Android) and it sure ain't got any encryption enabled anywhere.
Re: (Score:1)
Don't hold the Note 7 so close to your head.
Re: (Score:2)
Really, bro? (mind blown)
Re:Exploding heads (Score:5, Funny)
Don't hold the Note 7 so close to your head.
With apologies to Johnny Cash, I present Phone of Fire:
My phone is a burnin' thing
And its tone is a fiery ring
Lured by the size and power
I bought a phone of fire
My phone turned into a burnin' ring of fire
burned my car up
As the flames went higher
And it burns, burns, burns
The phone of fire, the phone of fire
A smartphone is really sweet
With no data cap, for it to meet
I fell for it like a child
Oh, but the fire it went wild
My phone turned into a burnin' ring of fire
burned my car up
As the flames went higher
And it burns, burns, burns
The phone of fire, the phone of fire
Re: (Score:2)
I think you should release it as a ringtone!
Fragmentation makes this Fiction (Score:5, Interesting)
Security is always a moving target. While it's possible your leading edge phone is as secure as the leading iphone, what matters to security is how many people are running an older OS. Androids are always going to be running non-updatable OS just because of the business model. So in terms of numbers of exploitable phones, swaths of the android ecosystem will be less secure than Apple ecosystem.
Re: (Score:2)
Security is always a moving target. While it's possible your leading edge phone is as secure as the leading iphone, what matters to security is how many people are running an older OS. Androids are always going to be running non-updatable OS just because of the business model. So in terms of numbers of exploitable phones, swaths of the android ecosystem will be less secure than Apple ecosystem.
The thing is that the overwhelming majority of iOS users is usually at the latest OS version after a while and most of the rest are at the second oldest, after that the usage percentage drops off a cliff:
https://david-smith.org/iosver... [david-smith.org]
For Android users the picture is different, only about a third of users is at the latest version with the rest being at older versions:
http://www.droid-life.com/tag/... [droid-life.com]
This is to be expected since Android is open source, it gets used by a whole slew of manufacturers an
Re: (Score:3)
Either way, you're only as secure as the weakest link, and with both iOS and Android, the hardware continues to be a weak link. The Pixel may be as secure as the iPhone (and I have no reason to doubt that claim), but it's a drop in the bucket. What about the rest of the Android market?
Even iPhones from a few years ago (e.g. iPhone 5c) that support the latest version of iOS are less secure than more recent models simply because they lack key hardware features (e.g. Secure Enclave). How much more true is that
Re: Exploding heads (Score:2)
Re: (Score:2)
I'll believe that... (Score:5, Insightful)
when Google defends a lawsuit to open up a phone due to -reasons-.
Re:I'll believe that... (Score:4, Funny)
Re: I'll believe that... (Score:4, Funny)
Re: (Score:1)
But your phone doesn't have an Altivec Unit OR a Secure Enclave.
SCSI!!
RISC!!
Re: (Score:1, Insightful)
You do know that prior to the lawsuit, Apple was doing everything they could to help the FBI open that phone, including giving them a complete copy of all the information they had on their cloud servers?
It was only when it became clear that they might have to write (gasp) new software that actually worked that they decided not to continue, and that's what caused the lawsuit.
And then it became moot when the FBI was able to break into the phone without Apple's help anyway.
So, uh, yeah. Good luck keeping your
The reality is otherwise (Score:3)
You do know that Apple was doing everything REQUIRED BY LAW to help, but in the end were unable to because Apple also designed the systems so even they could not get at data that the user did not want them to?
So, um, yeah. Believe what you like but in real life data you choose to keep on your phone stays private - if you have an iPhone.
Androids of course are rooted all the time so police can get anything they like from them easily.
Re: (Score:1)
but in the end were unable to because Apple also designed the systems so even they could not get at data that the user did not want them to?
Pretty much every security expert agrees that Apple COULD have gotten into that iPhone, had they wanted to. They refused because it would have involved them writing software, and as I'm sure anyone who's used any Apple software recently knows, they kind of suck at it.
There was no technical reason they couldn't and they already demonstrated that as far as they were concerned they had no ethical concerns about handing private data to the government: the only reason they refused was due to typical Apple arroga
Nope (Score:2)
Pretty much every security expert agrees that Apple COULD have gotten into that iPhone, had they wanted to.
In fact pretty much no security expert says that, including myself. Stop being an idiot... but then you are AC, so I guess THAT'S hopeless.
Re: (Score:2)
Androids of course are rooted all the time so police can get anything they like from them easily.
No, it doesn't work like that.
Android supports full device encryption, and it is the default on newer devices. Similarly to the iPhone, if the device is encrypted you can't root it or access the user's data without the password. Android supports long alphanumeric passwords. It supports secure storage for the encryption key, just like the iPhone.
If you do have the password, because you are the legitimate owner, you can root the device and improve your security even further. Custom hosts file, AdBlock on mobi
Re: (Score:2)
That's because he's rooting for Apple.
Re: (Score:2)
Rooting is fine and dandy once you have a booted and unlocked phone. Guess which part FBI was hassling Apple about.
Re: (Score:2)
Even if they did, it'd be all but meaningless. It really doesn't matter how good the security is on vanilla Android, running on Google-designed hardware, and unmolested by custom carrier garbage; when those are a tiny fraction of Android phones. Maybe Google will defend the integrity of the Pixel the same way Apple defended the iPhone. But last I heard, the largest seller by far of Android handsets was still Samsung: Crap hardware, with their own crap modifications to the Android software, plus even more crap
Re: (Score:2)
the largest seller by far of Android handsets was still Samsung: Crap hardware, with their own crap modifications to the Android software, plus even more crap added by the carriers.
Oh come on, they're great value if you're stuck in Liberty City for a few days armed with nothing more than a satchel full of Note 7s.
A new measure of security- (Score:4, Funny)
That son (Score:1)
Less than 1% have malware (Score:5, Insightful)
"Less than 1% of Android phones have malware". Less than 140 million Android phones have malware.
Re: (Score:1)
You think there's 14 billion Android phones out there?
Re: (Score:2)
Technically, all he's saying is that's not more than 14 billion Android devices....
Re: (Score:1)
This also applies to the original "less than 1%" comment, or at least the reporting of it. Taking the "Ludwig said showing a graph, less than 1% of Android smartphone contain malware" part, this does not say what he calculates as the 100% figure. Quick scan of the linked article also does not reveal this information. Does the figure include all Android smartphones ever sold? Does it only include the 400 million they scan daily? How does the scanner work? Which versions of Android include the scanner? How ma
Re: (Score:2)
wrong. (Score:5, Insightful)
if you are really paranoid, you should probably use an iPhone, and not Android
wrong! if you are really paranoid, you shouldn't carry around something that could easily be described as the most sophisticated surveillance device that man has ever created.
Re: (Score:2)
Or have one with a removable battery and remove it on certain occasions and random other times. Anybody trusting their phone has a problem with perceiving reality.
Re: (Score:2)
You don't need a removable battery. All you need is a mylar bag. That works with any kind of phone, especially since they come in pretty much any size you can imagine up to big enough for a car. (Well, that's more than a mylar bag. But you can get a foil bag for a whole car, that you drive into. It's for long-term storage and includes desiccation.)
Re: (Score:2)
That is at best very risky and at worst a total fail. These bags do not offer good EM-shielding, as shielding linearly depends on the thickness of the metal and type of metal. Aluminum is not very good.
Even if that seems to shield your phone, it could still pump out more RF from time to time to get a ping through and receive a (bad, but good enough) signal for cell-tower triangulation and can detect the strength of other RF signals, and, one thing you completely forget, it can still record sound, acceleratio
Re: (Score:2)
My physics is actually sound, but I also do understand a bit about processing signals generated by sensors in the real world. Sure, you could call it "measuring the direction of the static, prevalent acceleration field" and measuring "other acceleration" and if you know how it is being moved, you usually can separate the two to at least some degree. What gravity primarily gives you is the _orientation_ of the phone. This gives you some indication what the person is doing.
Apple Security Engineer Disagrees (Score:1)
Subjective Comparison (Score:3, Interesting)
Eh, it's not so much that Android is great, but that security is very, very hard. The iPhone has had some very serious exploits in the last 18 months, same as Android. But Android's update model leaves many in the dust and unpatched.
My work has de-authed iPhones from their work network until updates were applied multiple times this year. It's a serious concern. I can only imagine how long we would be de-authed for a 3-year old Android phone waiting for a security patch.
I have an Android (Nexus) personal phone and a work iPhone, and based upon critical advisories of active exploits I would say that they are roughly the same. But my 3+ year old iPhone is still getting security updates pretty regularly. I went to Nexus for that feature, but still only get them for 2-3 years max.
Maybe true if you actually get updates (Score:5, Interesting)
I had a Google Nexus 6P as my previous device (it's still on my desk in fact) and while I loved the device, updates were not as promised. Despite it being a Nexus, I was still beholden to my Telco for updates and they dragged their feet like mad. In fact, when I last turned off the Nexus 6P, the Nougat update was still not available (unless you manually enrol in the beta program, which I did, but then I had all kinds of issues with the Telco's LTE). So even on a damn Nexus, updates are hardly assured.
I fully realise older iPhones stop getting updates, too - but we're talking about a Nexus 6P here - the thing hasn't even been available for a year in Australia yet and Google and Telstra have already washed their hands of it. I also realise Google may / may not be responsible for the issues with Telstra's LTE on the Nexus 6P - but rest assured, if the iPhone has an issue, Telstra sits up and takes notice. When I first got my Nexus 6P, I spent the first 2 months locked to 3G because LTE wasn't supported at all on. (Source, in case you think I am making this up: https://crowdsupport.telstra.c... [telstra.com.au]).
Re: (Score:2, Troll)
Re: (Score:1)
All Android devices can get updates via the Play store.
Re: (Score:2)
Re: (Score:2)
Yes, you can get OS updates. Most of the OS can be updated that way, it's really just the kernel and drivers that can't be. Due to the way Android works with SELinux that's enough to mitigate any problems we have seen so far. That's why we are not seeing vast Android botnets.
Re: (Score:2)
False.
There are already Android botnets, especially in China where US Google Play is not available and local Android stores don't properly check applications for malware.
Also, in the three past years alone the Linux kernel itself has already seen at least three high profile local vulnerabilities which allow to get root even on fully restricted SeLinux ena
Re: (Score:3)
Google Play is available in China. If a phone doesn't have Play, it's not an Android phone. The rule is that to use the Android branding, it must have Play.
Re: (Score:2)
Secure against who? (Score:5, Insightful)
Doesn't the Google stuff on your Android steal your data anyways?
Re:Secure against who? (Score:5, Informative)
Location sniffing, local Wifi SSIDs sniffing, it assigns a unique ID to each phone used to track for adverts (and the id is still sent even if you opt out of user specific ads). And their new Privacy Policy lets them link all the shit up, since they control large DNS servers, and content delivery networks, analytics, advertising etc. every site you visit is tagged by Google, and given the ID means they can tag it to a phone, to any Google account (e.g. Google Play, and Google Play Credit Card details).
So yeh.
Oh and the "do you want to backup" thing, that uploads all your keys to their servers.
"OK Google" on every device cannot be uninstalled.
And that's even before you get to Microsoft's "Office" bundle installed on several phones, that does a shit load of surveillance stuff, and AT&T's compulsory spyware.
Being secure, I don't think that means what they think it means.
Re: (Score:3)
Location sniffing, local Wifi SSIDs sniffing
Location services -> off
every site you visit is tagged by Google
Gonna need to see some evidence of that.
"OK Google" on every device cannot be uninstalled.
It's part of the Google Launcher (or Pixel Launcher on Pixel phones). It can be uninstalled or disabled easily, just install a different launcher and go into Settings -> Apps -> Google Launcher -> Disable. You can disable other Google services there too, or just install a ROM that doesn't even have them by default.
Re: (Score:2)
Location sniffing, local Wifi SSIDs sniffing
Location services -> off
I was under the impression that Google changed the way that location tracking worked so that all location data comes through the Play APIs and you have to enable location services to use Play. I could be very wrong about this, though. I have an old Nexus 4 that I use for my OBD-II reader but I haven't used an Android device in years.
Re: (Score:2)
There are three settings:
Off
On, GPS only
On, also uses wifi and cell networks by querying Google's database
The third one obviously sends some data to Google.
Re: (Score:2)
There are three settings:
Off
On, GPS only
On, also uses wifi and cell networks by querying Google's database
The third one obviously sends some data to Google.
Yeah but look at the API docs [android.com]. I am pretty sure they moved the location services inside of the Google Play APIs making it impossible to get location services without Play. In fact, I just looked it up and verified that. You literally cannot use location services now without it submitting the data to Google.
Re: (Score:2)
No. It steals information. Ignoring the difference doesn't help the argument.
Google Security Engineer Claims... (Score:2)
And, by implication if it is now as secure as the iPhone, then until recently it wasn't?
Has nobody told him of Dirty COW? (Score:4, Insightful)
Until all the Android phones still in the wild (regardless of age) get patched for the Dirty COW vulnerability, how can anyone reasonably say they're "as secure as" anything other than Goatse guy's rectum?
Re:Has nobody told him of Dirty COW? (Score:5, Interesting)
If your development process doesn't even try to catch the low-hanging fruit, then I find it really hard to take any claims that you make about security seriously. The DRAMMER attack, for example, was only possible because Google implemented a really stupid API in Android (allowing untrusted code to explicitly map uncached memory, which is a bad idea for so many reasons, rather than providing cache flushing APIs for DMA). The API review process for Android is a joke and there's no evidence that they'll ever fix that. Part of it is the internal culture at Google: they have very good refactoring tools that they regularly run on large codebases, so have little incentive to get APIs right the first time.
Re: (Score:2)
This is a frustrating time for cellphones because every cellphone OS is crap. iOS is locked down. Android has an unnecessary translation layer instead of native applications; most Android apps of any complexity have to be recompiled for each architecture so that turned out to be fairly meaningless. Ubuntu was not really a good basis for a phone OS and that's gone now.
It's all shit. Where's my decent fucking phone?
Re: (Score:2)
Sure, they've improved a lot of mitigations, though PIE on 32-bit platforms is largely a waste of time as they end up with only 8 bits of entropy in their ASLR implementation, which is why it was trivial to bypass for StageFright (a JavaScript program could try the attack 128 times in a tiny fraction of a second and have a 50% chance of succeeding before the user has even finished reading the headline). The SELinux stuff is also an improvement, though iOS has been using the MAC framework for sandbox enforc
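The arithmetic behind the 8-bit figure in the comment above, as an added example (not the commenter's code and not Android's): it works out the chance that a fixed number of guesses lands on the right load address, under two assumed models that the comment does not distinguish, and generalises to other entropy sizes. All function names are hypothetical.

```python
"""Added illustration: how fast a low-entropy ASLR slide is exhausted.

Two assumed models (neither is stated in the thread):
  * fixed layout    - every attempt faces the same randomised slide,
                      so each failed guess eliminates one candidate;
  * re-randomised   - the slide is drawn again before every attempt.
"""
import math
import random
from fractions import Fraction


def p_fixed_layout(entropy_bits, attempts):
    """Exact success probability when guesses are made without replacement."""
    slots = 1 << entropy_bits
    return Fraction(min(attempts, slots), slots)


def p_rerandomized(entropy_bits, attempts):
    """Exact success probability when each attempt is an independent 1/slots draw."""
    slots = 1 << entropy_bits
    return 1 - Fraction(slots - 1, slots) ** attempts


def attempts_for(entropy_bits, target, rerandomized):
    """Smallest number of attempts whose success probability reaches `target`."""
    slots = 1 << entropy_bits
    if not rerandomized:
        return math.ceil(target * slots)
    return math.ceil(math.log(1 - target) / math.log(1 - 1 / slots))


def simulate(entropy_bits, attempts, rerandomized, trials=5000, seed=1):
    """Monte Carlo cross-check of the closed forms (seeded, so repeatable)."""
    rng = random.Random(seed)
    slots = 1 << entropy_bits
    hits = 0
    for _ in range(trials):
        if rerandomized:
            # New slide per attempt; which slot is guessed is irrelevant, use 0.
            hit = any(rng.randrange(slots) == 0 for _ in range(attempts))
        else:
            # One slide for all attempts; distinct guesses 0..attempts-1.
            hit = rng.randrange(slots) < attempts
        hits += hit
    return hits / trials


def sizing_table(bit_sizes=(8, 16, 24, 28)):
    """Attempts needed for a 50% hit rate at each entropy size, both models."""
    return [
        (bits, attempts_for(bits, 0.5, False), attempts_for(bits, 0.5, True))
        for bits in bit_sizes
    ]


if __name__ == "__main__":
    print("8 bits, 128 tries, fixed layout :", float(p_fixed_layout(8, 128)))
    print("8 bits, 128 tries, re-randomised:", round(float(p_rerandomized(8, 128)), 4))
    print("bits  tries@50% (fixed)  tries@50% (re-randomised)")
    for bits, fixed, rerand in sizing_table():
        print(f"{bits:>4}  {fixed:>17}  {rerand:>25}")
```

Each extra bit of entropy doubles the attempts needed in either model, which is why the mitigation's value depends on the address-space size as much as on being enabled.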
Improving Android security (Score:1)
Sounds like the best way to start improving Android security will be to pick a new director of security.
The US gov is happy (Score:2)
NSA Can Access More Phone Data Than Ever (Oct 20, 2016)
http://abcnews.go.com/US/nsa-p... [go.com]
"...the percentage of available records has shot up from 30 percent to virtually 100. Rather than one internal, incomplete database, the NSA can now query any of several complete ones."
Security? More like obsolescence protection. (Score:4, Informative)
Android's built-in obsolescence enforcement product called "Safety Net"
Safety Net is simply a part of the Obsolescence Enforcement Suite, which automatically makes devices incompatible, even if a certain platform would work with third-party ROMs or lets the user have their way. Your device can literally be told to "stop working" with it.
In the long term, the open ecosystem of Android is going to put it in a much better place
With SafetyNet, it's not open.
Pixel EoL vs iPhone EoL (Score:2, Interesting)
Security engineers at Google love to ignore the full life cycle of a phone.
My mom got an iPhone 5 in December of 2012 and it still can be updated to the latest iOS 10. If she had gotten a Nexus 4 offered by Google at the same time, the latest version of Android that Google would officially offer her is Android v5 (Lollipop). Is Adrian Ludwig willing to make a claim that an up to date Nexus 4 is more secure than an up to date iPhone 5?
When claiming a Pixel will be just as secure as an iPhone, the engineer s
Re: (Score:2)
My mom got an iPhone 5 in December of 2012 and it still can be updated to the latest iOS 10. If she had gotten a Nexus 4 offered by Google at the same time, the latest version of Android that Google would officially offer her is Android v5 (Lollipop).
That's not necessarily bad for Android. A more mature codebase receiving security updates isn't necessarily worse than a newer codebase. The problem is not that it's only running Android 5, it's that it's running Android 5 and not getting updates for known vulnerabilities. Remember the thing a year ago when Google said that they couldn't do security back ports, because they don't track which things fix security holes in their revision control system? Not exactly a company I'd place trust in.
And (Score:2)
Seriously, Thanks Google, but we've been told that Android phones don't have a security problem in the first place, so how can they be as safe as iPhones now if they never had a problem?
It's secure, as long as you don't use it (Score:2)
As long as it's off it's as secure as an iPhone. Once you turn it on, though, all bets are off.
Re: (Score:2)
Unless you have a phone with a detachable battery, how do you even know it's really off?
It gets worse. Ever had your Android phone self-reset? They allow that, unfortunately. Well, how is the user with an encrypted phone to know whether it's a real self-reset or a simulated reset to capture your password?
Bullshit... (Score:5, Insightful)
There's a whole mix of stuff being talked about there, and one is not equal to the other.
For instance, Google Pixel cannot be generalized to the overall Android experience, not by far. It's probably not even the 0.0001% of Android devices.
The reality of Android as a whole is that it's extremely fragmented, and the absolute majority of it is not on Nougat, let alone being the same as Google Pixel.
As device encryption remains an optional step for most of these devices, most of them are not using it, so threat models be damned.
Not to mention how the vast majority of Android devices uses all sorts of custom versions coming from all sorts of companies in all possible states of vulnerabilities and expected update dates. Even Windows is better than that. Android pretty much represents one of the worst possible fragmentation scenarios.
You have all sorts of cheap generic tablets that I'm almost certain come from the factory with included malware, vulnerabilities, rootkits and backdoors installed. This is serious. I tested a cheap generic tablet just a few months ago (Multilaser was the brand on top of it if I'm not mistaken, but you can find the exact same tablet with several other brand names) that had very suspicious stuff pre-installed. It was impossible to uninstall it, so I rooted the damn thing to do it. And then the device factory reset itself when I managed to remove the offending apps, every time.
In general, there's still far more chances of you finding an Android phone/tablet that is either completely open or easy to crack because it has an outdated system or has not been properly locked by its owner, in comparison with iPhone in general.
And sure, Android has the advantage of being an open OS versus the extremely closed iOS - the standard defense for open source software which I do understand. But hoping that this will somehow count as a huge security advantage for the future of Android is quite frankly naive and kinda stupid in itself, especially for cases like Android vs iOS.
The open nature of Android might allow for better scrutiny of it in some instances, but much more, it allows for all sorts of shady companies to make their own Android versions however they feel like doing it... and as more shady businesses adopt that strategy to spy and take advantage of less knowledgeable customers, the more difficult it gets for a conscious community to take note of it.
As long as Apple keeps getting as much money as they do from regular users to the loyal fanbase, they can just spend that much more money to close security holes and whatnot. One company developing both software and hardware while keeping a stance on security and privacy also makes it much more reliable. Things would have to change quite drastically for Android to ever be as secure and private as iOS. It's just the reality of it.
You only have to think about it a bit more. Apple will always be able to push updates faster, they will always be able to implement security functions for most of their userbase in a timely manner (excluding those with devices that are too old), they are always better able to convince more users to buy their latest devices. Community wise, you will always have more reach... if one knowledgeable customer finds a security hole, it'll affect almost the entire userbase, so it just makes far more sense for Apple to fix it.
In grand scheme of security and privacy stuff, again for this particular case, the open source argument is minor in comparison to the whole.
And I'm talking all this while being an Android user, not wanting to touch an iPhone with a 10 foot pole. It is what it is.
See, this doesn't mean that I'm switching to iOS anytime soon. But to say Android as a whole is anywhere near as secure as iPhones is just delusional.
Why does it matter? (Score:1)
In order to use just about any Android app, you have to give it permission to root around in all your personal information, the personal information of all your friends and relatives, your tax records, your religion, whether your teenage kids are virgins and what brand of cat food the old lady down the street has to have for breakfast because the drug company just doubled the price of her meds.
Google just doesn't want anybody else getting hold of all that lovely data.
Re: (Score:2)
Thanks for that. There must be a Google troll wandering around moderating, since we both got reduced to zero so quickly.
Imagine me pointing at you and stating, "What he said!"
Security professionals voted otherwise (Score:2)
Re: (Score:2)
I think there is a supersecure version of Windows, but reserved for government use. Although I think it's the same actual version of Windows with optional processes deactivated.
A rising tide lifts all boats (Score:2)
I use an iPhone, because 1) having used both OSes I prefer iOS to Android; and 2) I prefer to opt out of being part of Google's business model as much as is practical. But I'm aware others can legitimately hold opposite opinions.
In any case, the bottom line is - it seems pretty obvious that the race to ever-more-secure phones benefits all of us, no matter what platform we choose.
That's like claiming... (Score:2)
... that their new movie is as good as "Manos Hands of Fate", or speaking English as good as "Günther Öttinger".
Seriously, _all_ mobile operating systems are shit when it comes to security. Android has the theoretical advantage that you can root it and hypothetically install iptables. That's not a lot, but it can help you to make sure your device only tries to talk to your server and not other servers.
Fucking SAFETY NET???? (Score:2)
Safety net DOWNLOADS AND RUNS CODE.
https://koz.io/inside-safetyne... [koz.io]
Yea, it can catch those viruses. You know what's better than downloading and executing remote code to catch your malware? NOT HAVING A FUCKING VIRUS IN THE FIRST PLACE!
It's already been used to shut down many applications on rooted phones. Effectively, rooting your phone is a lot like jailbreaking now, and will become moreso soon- technically allowed, but you are in a little ghetto for doing it.
This is only security by certain definition
Until Google gets bored (Score:2)
Maybe right now, but give it two years and then let's check back in on that claim...
Yeah, really (Score:3)
Aside from the fact that millions of Android apps contain native code which is very hard to find malware in and now we have a wonderful Dirty Cow vulnerability [arstechnica.com] which affects almost 100% of Android devices, which means a new update or install from Google Play will automatically p0wn your device for good and will probably install an undetectable/unerasable rootkit.
I'd love to think that Android is secure but Google chose to use the Linux kernel which doesn't fare that well vs. microkernels like QNX. Call me crazy but I believe the QNX kernel would have been a much better choice for Android.
Re: (Score:3)
The only reason Dirty Cow is a problem for Android is that Android update sucks badly. Until update is fixed, the platform must be regarded as highly problematic.
Only took 10 years (Score:2)
9.5-ish or so, but makes for a more dramatic headline.
Google is doing its best to piss off its android partners lately, which can't be good for the long-term viability. Yeah, they all deserve to be slapped for the half-assed job they do supporting their phones, but Google knew that full well going in.
But... if the Android OEMs do not update (Score:2)
Bullshit (Score:2)
Android will never be as secure as iPhone for one simple reason, namely that Android does not have a bureau certifying and censoring all apps. And that's exactly the reason why Android is and always will be infinitely better than iPhone.
1st of April already? (Score:2)
Re: (Score:2)
You mean my year old Nexus 5 that google stopped releasing updates for months ago is as secure as a year old iphone?
It is: both have an equal amount of confidence, though the exact nature of their self-doubts differ slightly. Windows phones, on the other hand, suffer a severe persecution complex and fear of rejection (which admittedly is well founded).