Android security progress

In a somewhat “click-bait”-y title[1] on Motherboard, Lorenzo Franceschi-Bicchierai quotes the Director of Security for Android:

“For almost all threat models,” Adrian Ludwig, the director of security at Android, said, referring to the level of security needed by most people, “they are nearly identical in terms of their platform-level capabilities.”

In a short interview after a talk at a security conference in Manhattan on Tuesday, Ludwig said that, “for sure,” there’s no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though.

“In the long term, the open ecosystem of Android is going to put it in a much better place,” he said, without mentioning that Android has already been around for more than eight years at this point.

There’s no doubt that Google is getting better at handling security.  My Nexus 5, while no longer receiving OS updates, still gets monthly security updates.

However, the business model of Android really fails consumers. Carriers and manufacturers are not motivated to maintain the toolchain to support updates.[2] There are many people who never receive updates at all. I’m sure Google pays the likes of Qualcomm big money to get support.

The story gets worse as Android begins to take a foothold in IoT devices. While smartphones are highly personal devices that are at least managed with some sort of effort by users, IoT devices are treated as abandonware by many manufacturers.

In the end, security is always a moving target and what matters to security is how many people are running an older OS.

In fact, Ludwig said, showing a graph, less than 1% of Android smartphones contain malware.

Uh, 1% is likely greater than 14 million active devices.[3]

Fragmentation is a problem. Android, by its own success, has a difficult job ahead.

  1. Seriously, this is a horrible title. 
  2. Qualcomm, for instance, has no need to keep SoC and LTE antenna drivers up to date.
  3. Google stated that there were 1.4 billion active devices back in Sept 2015. So it’s probably getting close to 2 billion active devices.