Android Security – Swiss cheese pt. V.

Reply to this post

RFM AvatarSmall






Leaks look dated but still push Google towards proprietary Android.

  • Even if Google could quickly fix the vulnerabilities in Android that are being exploited by state sponsored hacking, it would be around 4 years before the majority of Google Android users were protected.
  • WikiLeaks has released 8,000 pages of documents that supposedly reveal all the tricks and hacks used by UK and US security services to turn ordinary consumer electronics products into surveillance devices.
  • iPhones, Android smartphones and Samsung TVs appear to be most specifically targeted but I have a feeling that this data is not comprehensive and may actually be considerably dated.
  • This is for two reasons:
    • First: there is no evidence in the leaked documents that any of the Android exploits apply to any version later than 4.4 (KitKat) meaning that 65.5% of Android devices may be unaffected by any of these revelations.
    • This leads me to think that these documents might in fact be very dated as I find it very hard to believe that vulnerabilities in Android suddenly went to zero with the release of version 5.0 (Lollipop) in 2014.
    • Whether these exploits were already known and have already been patched or whether these are new vulnerabilities is unclear at this time.
    • Second: Experts that have looked at the leaked iPhone vulnerabilities have stated that almost all of the leaked vulnerabilities are known and have in all likelihood already been patched.
    • Consequently, it seems likely that anyone running iOS10+ is already immune to these exploits.
    • Again, I find it difficult to believe that the occurrence of vulnerabilities has ceased and that these leaks could relate to pretty old data.
  • Mobile security firm Check Point is of the opinion that this leak may be snapshot of exploits used in early 2016, but I think the Android data indicates a much earlier point in time.
  • To make matters more difficult, assuming there are new exploits in this leak, no code has been released meaning that Google will have to search through millions of lines of code to find the exploits referred to before they can be patched.
  • Furthermore, even when Google has found these vulnerabilities and fixed them, it will then take around 4 years for these fixes to make into the hands of all Google Android device users.
  • This is for two reasons:
    • First: Most Android devices are not updatable.
    • Android is a commoditised, brutally competitive market meaning that in the mid-range, every cent of cost matters.
    • Making a device updateable means that extra resources have to be added to the device which are never reflected in the price.
    • Consequently, the vast majority of Android devices are not updateable to later versions of Android as there is no incentive for the device maker to add this capability.
    • Second: Google has no control over the update process for any of the devices that run its services.
    • It can update Google Mobile Services (GMS) from Google Play but lower level system updates (Android) are controlled by either the maker of the device or the mobile operator.
    • Google has no power compel these entities to update their devices and only has control of updates for its own, Pixel and Nexus devices.
  • It seems possible that this data leak represents some of the oldest and least relevant tools used by state sponsored hackers which is going to put even greater pressure on Apple, Google, Samsung to ensure that their software is watertight.
  • I think that this represents yet another reason for Google to take Android proprietary as having complete control over the code will enable it to quickly fix and distribute any vulnerabilities it identifies.
  • It will also enable Google take greater control of the user experience resulting in a more consistent, fun and easy to use experience for its ecosystem users.
  • I continue to hope to see signs of this at Google i/o in May this year.
  • I still think that Google is more than fairly valued and prefer Microsoft, Baidu and Tencent with Apple for long-term, income based investors.

One thought on “Android Security – Swiss cheese pt. V.

  1. Google may want to use this as an excuse to take greater control but those customers who are interested in greater security will already be using a high end Android phone or iPhone. So it is unlikely there is any money in it and there will be a great deal of pushback from manufacturers with support from their governments. Not really worth Google trying to sort it out until customers not having the latest version of android interferes with Google’s Machine Learning requirements.

Comments are closed.