Google has made a bold statement that its current Android offerings are as safe as other mobile operating systems.
Without mentioning names, it has placed shot over Apple’s bow that iOS is the new target for cybercriminals.
Of course, Google is referring to Android 8.x Oreo and not earlier versions. Fragmentation – the continued use of old versions of the OS is its greatest shortcoming.
There are more than two billion devices in the wild. About half of these (smartphones, tablets, set-top-boxes, etc.) are running versions 2-4. They will never be upgraded because their makers are under no obligation to do so.
The rest are running 5.x Lollipop (25.1%) 6.x Marshmallow (28.6%), 7.x Nougat (26.3%), or later and the majority are yet to install the latest security updates.
What can Google do?
Frankly nothing can be done for the older versions – these remain a security hazard. Probably little for 5.x/6.x users, and a little more for 7.x users.
It has tried the big stick approach demanding makers process operating system (OS) version and security updates, but that has not worked.
It has attacked the issue from the other end, and from August 2018 many new API (application programming interfaces) may not work on earlier versions. From November 2018 all apps will require a 64-bit version as well as an older 32-bit one. And from November 2019 new apps and updates must use the latest APIs to get into Google Play.
It has also had serious discussions with smartphone makers, but there is no way Samsung, the world’s largest Android maker, will abandon its TouchWiz/Grace UI and Galaxy apps ecosystem. For starters its UI and apps paper over the cracks in the Pure Android experience. Similarly, one of China’s largest makers OPPO will not change from its Colour OS as that is what its market wants.
Having used Pure Android the best I can say is that I could learn to live with it but coming back to Samsung’s Grace OS is like going home.
It has also had discussions with Telco carriers that often heavily customise Android to lock it to their services. Carriers don’t release OS upgrades until fully tested – a.k.a. Modified – for their networks.
So, Android 7.x is a little safer, and 8.x is safe?
No OS is safe while cybercriminals continue to make so much money from mobile and desktop devices.
For example, CVE details 1371 vulnerabilities for Apple’s iOS – 548 of these discovered in the past two years. It is far easier to update iOS on a handful of Apple’s own products. Already 65% are using iOS 11.x, but the remaining 35% are a big security risk. iOS 10 is still on 28% of devices, and the rest are on earlier versions because the device cannot handle iOS 11.x.
Android has 1639 CVE vulnerabilities, and 496 of these apply to 7.x or later.
Regardless both Apple and Google need to protect their OS.
Back to Google. Its 55-page Android Security Report 2017 published March 2018 is interesting, if a little dry, reading.
One of the most telling statements is that like Apple’s iOS; Android has expanded into wearables, TVs, set-top-boxes, Internet of Things, cars and so much more. The two billion devices now pall in comparison with the explosion of Android devices over the next few years.
Later Android versions have reporting that enables Google to identify potentially harmful applications (PHA) and where they are coming from.
Exploit pricing is up
Google says ‘exploit pricing’ – what cybercriminals pay to access vulnerability exploit kits on the dark web – is correlated to attacker’s cost.
Pricing includes time, people, expertise, product knowledge, product accessibility, specialised equipment, and money to develop an exploit. Growth in exploit pricing and difficulty demonstrates that Android has achieved a strength of protection that now leads the industry.
It is a group effort
While Apple has complete control of its devices and ecosystem, Android is open. There are more than 60,000 different device models currently in use.
In 2017 Google Play Protect reviewed about 23 million new apps, up 65% from 2016.
Google says protection is a joint responsibility. It has collaborated closely with device manufacturers, system on a chip (SoC) vendors, telecom carriers, researchers and academics to strengthen the security chain.
As a comparison, Intel has been affected by Spectre and Meltdown vulnerabilities in many of its x68 CPUs. But Intel alone cannot fix it as Windows is also an open system. Patches must be rolled out by thousands of motherboard makers, system assemblers and more.
Google Play is nine times safer
Apps downloaded from Google Play are nine times less likely to have a PHA than download apps from other sources.
Google Play Protect on later Android versions is the most widely deployed mobile threat protection service in the world. This does not rely on manufacturers or carriers over-the-air (OTA) firmware updates. It allows Google to roll out security updates independent of hardware/firmware updates.
All devices with Google Play Protect have a set of endpoint and mobile threat protection services that protect against common threats, including network attacks, app exploits, potentially harmful applications (PHAs), and physical attacks, such as device theft.
Platform security now baked in
In 2017, Google expanded platform-level security in 7.x Oreo by making devices easier to update via Project Treble. This gave apps a way to verify Android devices, reducing privilege, and mitigating sophisticated attacking techniques. The result was that more than 30% of Android devices received OTA security updates.
Also, 7.x and 8.x have data encryption (if enabled), cryptographic key storage, kernel self-protection, sandboxing, SELinux, Userspace hardening, secure lock screens, and verified boot.
Google says 83% of Oreo devices have a secured lock screen/fingerprint enabled compared to 75% of Nougat and 53% of Marshmallow.
Google ups the ante with security rewards program
As Android security has matured, it has become more difficult and expensive for attackers to find high severity exploits. This is where open source shines. As a global, open source project, it has a community of defenders collaboratively locating the deeper vulnerabilities and developing mitigations.
This community may be orders of magnitude larger and more effective than a closed source project (e.g. Apple iOS). Its defenders come from thousands of device manufacturers, SOC vendors, carriers, academic institutions, independent security researchers, and the worldwide Linux community.
While Google offers one of the highest reward programs for uncovering vulnerabilities the quantum of claims has dropped considerably. In 2017 not one vulnerability was found for ‘core’ Android platform security exploits.
On device protection
A range of on-device protections were introduced in 2017 including: safe browsing, locking out unknown APIs, PHA scanning, and find my device.
Play protect has blocked more than 10 million harmful app installs since October 2017.
Google says buy a Pixel!
It says at the 2017 Mobile Pwn2Own competition, no exploits successfully compromised Google Pixel devices.
None of the exploits affected a device running unmodified Android source code from the Android Open Source Project (AOSP).
We have extracted the most relevant parts of the 55-page report. If we had any doubts about Android security at the beginning, they were assuaged by the end.
Maybe distilling the report wore us down but three things stand out about Android security.
- Buy an Android 8.x phone or at worst 7.x (preferably with a guaranteed upgrade). Android just keeps getting better and more secure.
- Buy from one of the top makers – Samsung, LG, Sony, Lenovo (Moto), Huawei, BBK (includes OPPO, vivo and Oneplus), ZTE, Xiaomi, TCL (Alcatel and Blackberry), HTC (including Google Nexus) and of course Google if you want any semblance of manufacturer commitment to security. There are around 1,300 Android smartphone makers all up with about 85-90% of the global smartphone market!
- Only download from Google Play and do not root Android to load app from elsewhere.