Android’s Slow But Steady Security Progress
When Sean Sullivan, F-Secure Security Advisor, discusses Android privacy and security issues with journalists, invariably he runs into a problem when it comes to pinpointing settings.
“There are a plurality of Android experiences,” he told me, referring to the many versions of the operating system still in use. “So you can’t just say ‘Do this’ and “Do that’ and have it work for everyone.”
This “plurality” of experiences has created security issues for the world’s most popular computing platform and helped make it the target of 99 percent of all mobile malware.
The good news is that the OS continues to make security improvements with each new iteration and the just-announced version of Android 8.0 AKA “Oreo” is no exception. The bad news is that only a minority of Android users benefit from these updates.
The F-Secure State of Cyber Security Report 2017 found that most Android users were using versions of Android that are no longer being updated by Google.
This is still true:
https://twitter.com/5ean5ullivan/status/899926382037393408
“Google is not a hardware company,” Sean explains. “So they can make demands on manufacturers to be an official Android vendors but they don’t have the control Apple does. Android phones have two layers — the Google and the Android layer. Google has been making efforts to move Google updates to Play so they can update it more frequently and directly.”
Android is also open source, which requires flexibility. “You have to work with your consortium you have or they go away.”
Apple pushes its updates directly to consumers, which is very effective. F-Secure Freedome telemetry finds that most users generally install a new version of its software within a month.
When Google pushes out a new update, manufacturers pick it up and add their own touches in the same way Dell adds drivers to its PC before pushing them out to their customers directly or through carriers like AT&T or Sprint.
So even when you get an update, you may not see all the features.
“My son’s phone shows Google Protect, Google’s antivirus for mobile apps, in his user interface in Marshmallow [Android 6.0] but in Nougat [Android 7.0] I have to dig into Google Security settings to see if my apps have been scanned,” he explains.
These muddled update pipeline is improved a bit in Oreo, Sean says, by making it easier for manufacturers and carriers to perform updates.
“With Project Treble, Oreo is trying to create ‘a modular base for Android,’ which in theory makes it easier to work with device components unique to a particular manufacturer — for example, a fingerprint scanner.”
And that’s not the only improvement. Oreo also takes on one of Android’s biggest security issues: sideloading, downloading apps from some place other than the Play store.
“When users are used to downloading from a variety of sources, you might be creating a security issue, especially with the way older versions of Android asked users for approvals,” he says. “After you sideloaded just one app, your phone now accepts apps from all ‘unknown sources’ without any further approvals.”
What kind of software do people go looking for?
People go searching for apps to watch videos and could end up being tricked into installing malware often in the guise of an Adobe Flash update.
Oreo adds a “speed bump,” as Sean calls it, to prevent users from opening their devices to all unknown sources.
https://twitter.com/5ean5ullivan/status/900654114744520704
“It’s a good feature for people like me – a Security Advisor at a cyber security company. Sometimes I’d forget to turn it back to default to be alerted when I’m installing from an untrusted source. Now I won’t have to.”
If you’re looking to read further into Oreo’s security, Sean recommends this post:
https://twitter.com/5ean5ullivan/status/902897550390423553
Sean advises that Android users protect themselves by sticking to official app stores, checking reviews, using official apps to watch videos and running security software on all devices.
And always do your best to keep your apps updated.
“In Play, check your settings to make sure auto-updates are enabled, at least over Wi-Fi,” Sean says. “And it doesn’t hurt to double check them yourself to make sure updates are being done. I prefer to be proactive because I frequently find things that can be updated that haven’t been updated.”
When can you expect to Oreo on your phone?
“Even though Oreo was released in the fall, you should still expect to see Nougat on most new phones being launched for Christmas,” Sean said. “It’s just not enough lead time.”
Developers have been working on new models all year and don’t have time to integrate the updates. But as soon as you get a new model, an update is likely to come soon.
Hopefully by 2018, most Android users will be using the more secure versions of the OS and Android’s slow but steady security progress will continue.
Categories