Android Security – Swiss cheese

1.27bn vulnerable devices that Google is unable to fix.

  • The latest malware announced at the RSA conference further highlights how serious the Android update problem is.
  • Mobile security company Skycure has found a new form of malware known as “accessibility clickjacking” that affects all Android devices that run Android versions 2.2 to 4.4.
  • As of February 1st 2016 this amounted to 64.7% of all Google Android devices or 568m devices.
  • Taking all Android devices into account, RFM estimates that there are a total of 1.27bn devices in the hands of users that are vulnerable to this malware.
  • The malware works by tricking the user, via an infected game, into giving permission to have their keystrokes logged in an app which shares that data with the hacker in question.
  • In the normal scheme of things, a vulnerability is found, communicated to system owners who then have a patch ready for when the vulnerability is announced.
  • Users can then patch their systems and within a few weeks the issue has been put to bed.
  • However, with Android this is not the case as there are two issues that prevent devices from being updated.
    • First. Most Android devices are not updatable.
    • Android is a commoditised, brutally competitive market, meaning that in the mid-range every cent of cost matters.
    • Making a device updateable means that extra resources have to be added to the device which are never reflected in the price.
    • Consequently, the vast majority of Android devices are not updateable to later versions of Android as there is no incentive for the device maker to add this capability.
    • Second. Google has no control over the update process for any of the devices that run its services.
    • It can update Google Mobile Services (GMS) from Google Play, but lower-level system updates (Android) are controlled by either the maker of the device or the mobile operator.
    • The two exceptions are Xiaomi and Cyanogen, both of whom have retained the ability to update devices running their software.
    • This is provided that the devices themselves are updateable as per the first issue above.
  • The net result is that there is very little prospect for owners of these devices ever to be free from this problem or any of the others that have emerged for Android without buying a new device.
  • This is far beyond the means of most Android users, meaning that they will constantly be exposed to any new threat that emerges with little prospect of it being fixed.
  • This is just another reason why usage of Android devices is likely to continue trailing that of iOS and why these devices are likely to yield a much lower return for the ecosystems that run upon them.
  • For example, RFM estimates that Google can earn $31.6 per user per year from an iOS device whereas its own Android devices can only generate $14.0 per user per year on average.
  • Part of this is due to the differences in demographics between the two ecosystems, but I am certain that most of it is due to the fact that Android devices are more difficult to use, less secure and, as a result, generate much less traffic.
  • Consequently, I think that Google has to take control of Android because in its current state it is very insecure and very little is likely to change.
  • I continue to believe that this may happen in 2017 as Oracle has provided Google with the perfect excuse to do so (see here).
  • This would result in a series of proprietary ecosystems based on an Android kernel of which GMS, Cyanogen and MIUI would be three.
  • Google still has another good year ahead of it thanks to the underlying growth of Android users, but the medium term urgently requires this problem to be fixed.
  • I prefer Samsung and Microsoft to Google in the long-term, although the immediate term for Google continues to look good with absolute user numbers still growing very nicely.

RICHARD WINDSOR

Richard is the founder and owner of the research company Radio Free Mobile. He has 16 years of experience working in sell-side equity research. During his 11-year tenure at Nomura Securities, he focused on the equity coverage of the Global Technology sector.