Why Google should be doing much more to secure Android

It’s fair to say that it hasn’t been the best time of late for Android security, nor for the billion plus Android users worldwide.

Stagefright, a critical vulnerability that allows hackers to execute malicious code on any Android device via text message, has now been fixed. However, this process was heavily delayed and followed a wholly unsuccessful first attempt to patch.

There have also been follow-up reports of a flaw that allows malicious apps to break out of the Android security sandbox, a key part of the Android defence that isolates passwords and other sensitive data.

It’s not just Google and its security teams that are taking a hit either. The security of the operating system and the overarching ecosystem are both under the microscope and it’s vital that Android restores credibility and trust as soon as possible.

To understand what kind of security issues Google needs to address, first you need to look at the mobile malware landscape as a whole. Mobile malware was actually far slower to emerge than many had expected.

Just as Apple computers were virtually immune to attack a few years ago, due to the dominance of Windows PCs, mobile only recently became a major target for hackers, having become an essential part of everyday life.

Hackers are opportunists, only going where there’s a potential payoff, which is why there’s a growing chorus of high-profile vulnerabilities being exploited and other types of attacks in both the business and the consumer mobile markets today – including crypto-ransomware, banking trojans, SMS stealers and spyware.

Until now, mobile anti-virus had simply been a lower priority relative to other mobile security concerns, but in truth this wave of threats was always going to come.

With the greatest numbers of users, devices, applications and data, Android was simply the most obvious target for hackers, and at the greatest risk due to the openness of its platform.

With 24,000 device types and 1,300 brands in market, Google has built and encouraged a wild OS model, compared to Apple’s walled garden approach at the other end of the spectrum.

This has been tremendously successful, allowing Android to lead the market and accrue the most users and devices, but with that also comes the responsibility to take the lead on device OS platform security. 

Of course Android isn’t alone in having to defend against unprecedented mobile malware threats, nor in there being a drastic need to improve its security. The truth is, every device, user, model and OS is a target for hackers today. iOS was rocked by a text message vulnerability of its own recently and is by no means immune to attack.

Although Google might not soon have the kind of control that Apple has over iOS, the industry is no doubt taking note of Microsoft. Its increasingly contained approach to mobile application approval and security is somewhere in the middle between iOS and Android in terms of the wild-versus-walled garden approach.

Windows 10 technical and security reviews reinforce how Microsoft is working with third-party infrastructure and application vendors to provide a more secure mobile platform and app experience.  

Improving OS security is far more than an obligation for Google – it could also be a unique opportunity. With cyber security an issue of growing importance to the consumer, providing a secure OS experience could be an incredibly important competitive differentiator, especially with the smartphone wars showing little sign of slowing down.

Indeed, Google clearly recognises the state of the cyber security industry today, and its responsibility to provide a secure OS. This is evidenced by recent improved practices in terms of responsiveness to vulnerabilities and update frequencies, not to mention taking the lead in bug bounty programmes.

Hackers that find vulnerabilities in Google’s software can receive thousands of pounds, which in theory makes its services more secure, as well as discouraging would-be hackers from exploiting these vulnerabilities for financial gain.

The time for getting tough on mobile malware is now. With Android 6.0 (Marshmallow) soon to be released, we can only hope that the latest iteration of Android is not as soft and sweet a target as its name suggests.

 

Sourced from Eric Aarrestad, HEAT Software

Ben Rossi
