Google Android chief: Android may be open, but it is not less secure

Summary: Contrary to reports, Google's head of Android development Sundar Pichai did not say that the OS is not focused on security -- rather, he meant the opposite.

Does 'open' mean 'lack of security'?

According to Google, no. Instead, an open platform is the best path to take in order to make a platform as impermeable to threats as possible.

On Thursday, FrAndroid reported that Google's head of the Android division, Sundar Pichai, responded in a very candid way when asked about the operating system's security at Mobile World Congress in Barcelona, Spain.

The publication said that Pichai's comments were as below:

"We cannot guarantee that Android is designed to be safe, the format was designed to give more freedom. When people talk about 90 percent of malware for Android, they must of course take into account the fact that it is the most popular operating system in the world. If I had a company dedicated to malware, I would also be addressing my attacks on Android."

Naturally, responding in such a self-critical fashion would have raised a few eyebrows. However, Google has provided a full transcript of the executive's commentary -- one which sheds a very different light on the issue.

Instead of Android not being geared towards security, Pichai actually said that the open nature of the platform gives the OS better scope in threat protection -- as many minds, developers and security experts can pitch in and both fix problems and shore up defenses.

The transcript provided is below:

"Sorry, the premise of the question is because Android is open, it has more security issues? Respectfully, I'm not sure that's a correct premise of the question. Open platforms historically undergo a lot of scrutiny, but there are a lot of advantages to having an open source platform from a security standpoint. I would argue that it's the best way for a platform to be secure, because every researcher in the world can inspect it, every developer in the world can inspect it, and I think that contributes a lot to Android security."

However, as with any piece of software, security flaws and problems exist. The Google executive went on to say that older versions of the operating system shipped with devices can contain security vulnerabilities that are patched in updated versions, and this can mean devices are not secure.

"We go to great lengths--the depth of work in Android to make it secure; the depth of work done by Google Play...Google Play automatically scans and verifies thousands of applications for malware," Pichai's response reads. "We track data on this. It's state of the art in terms of what we do. What you see across the ecosystem...people will ship good phones and keep them updated...you will have some phones that will not be updated. That's where we see issues. Not Android at a fundamental level."

Contrary to saying that Android was not designed to be secure, the Android chief's final comment says it all:

"As long as you're on a phone and able to update, Android is very very secure. It's designed to be very very secure. I would go as far to say -- open systems are far more secure. We do this on the browser side. Chrome is very secure. The fact that some things are open, by any stretch of the imagination, does not make it any less secure."

Although Pichai admitted that Android is a top target for cyberattackers, he also made the point that the operating system with the largest market share is likely to be. However, being on the Android platform does not mean that a user is fundamentally more compromised.

Topics: Google, Apps, Security

Talkback

38 comments
  • Oh well

    If Android is "secure" then why is the platform full of malware? iOS is popular, WP is getting popular and these platforms have zero malware.

    Only fools will believe Pichai's story
    Owl:Net
    • A Security Expert, ;)

      You are not.

      Great article Charlie.
      RickLively
    • A few reasons:

      1) the development SDK that apps use is not secure at all: Java.
      2) it only takes about a half hour to get an app on Google Play now. There is no human mitigation unlike WP and iOS.
      3) when the source code is open, it's just as easy for malware writers to write malicious code and target unprotected devices. Closed source code requires malware writers to analyze processes and memory heap space, and try to reverse engineer compiled components at a lower level, requiring several additional steps. It's a proven fact that closed source code targeting requires more work than does open. It's like reading the Encyclopedia Britannica vs. trying to read it with a Rosetta stone.
      Joe_Raby
      • malware

        Any android malware is not dependent on finding OS level flaws and exploiting them, to do anything "good". It's about an app choosing to abuse user-granted valid privileges. This would occur either:

        1. because a user has chosen to allow unknown sources and install an apk file from somewhere, and further ignores the permission approval upon installation.

        2. An application in google play chooses to abuse its user approved permissions in a bad way. This would be quickly detected, booted and auto-removed from the user device. For example using its background email permission or SMS to send spam.

        The only reason iOS is considered more secure is not because of "less security bugs" in the OS, or a "better OS design", but because they: 1. don't allow installation of application packages and 2. more closely inspect app submissions.

        If I was Google, I would put the "allow unknown sources" into the developer options, and not allow the system to bring you to that setting if you click an apk file.

        At the same time, I have personally never heard of anyone ever having any problem with any android malware.
        drwong
    • Only fools would believe your comment.

      Ah, but that's where you're wrong, Owl:net, Android is not full of malware. iOS has malware; however, it is mainly distributed in unsafe app stores that are used when a user jailbreaks. Also, please remember the time those researchers created a malicious app and were able to successfully submit it to the App store. Android malware in the Play Store is also very rare. It is mainly prevalent in pirated apps that people have no business installing in the first place. The majority of malware on Android is recorded in third world countries and places like China where software pirating is more prevalent. Android itself is very secure, just as Windows Phone and iOS are. No OS is invulnerable completely to attacks, but Android is no less secure than any other. The only way to receive malware on Android is by loading hacked apps, or apps that contain malware. That really just makes it the user's fault for not being willing enough to do it legally and buy apps from the Play Store.

      I'm sure this won't break through those fanboy Apple glasses of yours, but at least you've heard truth.
      Chad_S
      • Android play store

        I agree that most malware comes from unreliable sources, but the Play Store has more malware than the app stores for other platforms.

        http://www.zdnet.com/riskiq-claims-malicious-android-apps-up-by-almost-400-percent-on-google-play-7000026512/

        http://www.zdnet.com/android-app-malware-rates-jump-40-percent-7000019093/

        http://www.zdnet.com/android-accounts-for-most-mobile-malware-says-f-secure-7000012261/


        You can't just ignore every other article on android malware issue.
        Mac_Win
        • Wow

          You reached almost a year back with two of those articles. Android has changed since then; my own devices have gone through upgrades since then. The most recent one was based on a company, RiskIQ, that sells security software for mobile devices. I wonder why they found Android insecure? Couldn't be because they wanted to sell you their products/services, could it?
          benched42
        • can someone please point me to any real world stories

          from users that have obtained malware from the play store, and the ill suffered effects. I have never heard it, just ambiguous "malware up 400%", and "android is the target of 1000's of malwares", etc. So what, if that malware can never get installed.
          drwong
          • Here you go. Question is, will you continue to make excuses?

            Feb 2014
            report with examples of malicious apps in the play store
            http://www.computerworld.com/s/article/9246455/Malware_infected_Android_apps_spike_in_the_Google_Play_store

            Feb 2014
            App that sends premium SMS texts to users phone bill, also from the Google play store
            http://thehackernews.com/2014/02/android-Malware-subscription-premium-SMS-Services.html

            Feb 2014
            up to 1.2 million people may have been exposed to pay text Trojan app... again Google play download.
            http://news.softpedia.com/news/SMS-Malware-Served-on-Google-Play-Installed-by-up-to-1-2-Million-Users-426988.shtml

            Here are 4 of the google play apps that were discovered two weeks ago .
            http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/



            This took me all of 5 minutes to find with a sloppy web search which you could have easily done yourself.


            Dec 2013:
            Here is an android botnet, just in case you wanted to know about that too.
            http://www.zdnet.com/android-botnet-poses-as-google-app-pilfers-email-and-sms-7000024495/
            Emacho
          • Yeah,

            It was a "sloppy web search".

            Link 1 - Nice story relating back to the RiskIQ report. RiskIQ sells mobile phone security software. Who knew? Someone may want to boost sales.

            Link 2 - Another nice story relating back to a Panda Security report. Guess what? Panda also sells mobile phone security software.

            Link 3 - This story relates to the same report as Link 2.

            Link 4 - So, someone has to side-load an app sent to them in an SMS message and you're saying it's in the Play Store?
            benched42
          • Yet you disprove nothing.

            You make zero sense. So what if Pandasoft sells security software? The stories give some specific examples of malicious apps in the Play Store, what they do and that Google does remove malicious apps that they have previously approved.

            You offer nothing to disprove the information that was given. It isn't that hard to find examples of malware finding its way into the Google App store as I have shown.

            The facts are
            1) specific examples of malware in the play store were given from just a couple weeks ago
            2) details about what those apps can do to users
            3) Google removes malicious apps from the app store

            There is other supporting information as well.


            Yet you want to disbelieve all that, because this information comes from security software companies?

            Either you can disprove the examples given or you are using FUD to convince yourself and others that there is no problem


            The choice is yours, but the facts remain.


            p.s. My fifth link (that you reference as the fourth) was just an example of more problems facing Android, not limited to the play store. You can rationalize those problems all you want, but that doesn't mean they don't exist.

            Think about that. A freaking botnet on mobile phones is spreading through SMS phishing.
            Emacho
          • Bad apps in the store is not nice

            But that's the cost of more freedom. Almost all malware are apps that the user must choose to agree and even agreeing with the terms of the offense.
            While "distracted" users should be protected I believe the amount of people downloading those apps are terribly small. But yes for some users an iOS device would be better.
            For some reason and without wanting to fall in the error of making stupid stereotypes I believe many of that less informed people don't have the money to buy an iPhone.
            Mobile platforms are inherently safe - I still have to give much credit to security companies reports.
            Google store is indeed very open, more open is the apps you can install in a traditional pc - nobody is going to blame windows or linux if a user installs an application saying "we will steal all the pics from your device"
            AleMartin
          • What do you mean the Google store is more open?

            Google not properly vetting applications they allow in the app store isn't the fault of users in any way. Google is responsible for what is or isn't allowed on the store, not users.

            For that matter, the permissions on android apps are out of hand in the power they grant, the frequency apps needlessly request them and how little an average user may actually understand what they are granting. Again, this isn't the fault of the users. It is the culture Android has built around their app store (much like Android itself)

            Yes, if Microsoft or Apple do the same for their app stores, they are responsible.
            Emacho
      • re: only fools believe your comment

        Truth is in the eye of the beholder.

        If you're going to talk about OS's then you make a good case that security on an android device can be just as good give or take as iOS. There comes a point though where to make these arguments it comes down to splitting hairs over details in how the argument is presented. Security can be bad for someone with an android phone if they travel or access resources from China. I don't think that should be dismissed in such an argument when everyone is on the internet. Sales are a different matter though when talking about demographics.

        Now, having said that, I think people also need to understand that there's a difference between talking about OS's and platforms. In the case of phones today I think you very much have to consider the software ecosystem and how software is deployed as part of the security argument if you're talking about a platform. In this case there's really not much of an argument to be made which platform is more secure as iOS's walled garden approach wins out.

        I think the problem here is just that too many people like to take more extreme opposing viewpoints on the whole open/closed argument when the best solutions are really more in the middle.

        Lastly, for what it's worth, the whole open argument didn't exactly help Apple all that much in the case of the recent SSL issue. That code was open and, yet, no one caught it. The idea behind open sounds great on paper but there are a lot of assumptions made with it to support security. Nobody talks about how the "bad guys" also have access to the same code and this can get ugly if the "good guys" don't even look at it or are capable enough to catch it. Right now nobody really knows how many times the "bad guys" have benefited from open source.

        Fanboys don't have anything to do with this argument. It's pretty simple actually. To add to this I actually am a supporter of open source but I'm not blind to the things that it seems some others are in twisting arguments by bringing up third world countries into a security argument. Last I checked most of the cyber attacks originate from those very locations.
        Jim68
    • so you believe him, then.

      EOM
      GrabBoyd
    • Malware needs to be expanded to include IN-APP-PURCHASING MALWARE

      It depends on your definition of MALWARE.
      Most malware doesn't even depend on OS vulnerabilities.
      If MALWARE sends premium SMS, it hasn't exploited OS vulnerability, it has exploited USER vulnerability.
      then again, we have the legalised MALWARE in the form of IN-APP-PURCHASING which do exactly the same thing as a TROJAN except it is LEGITIMATE and pronounced safe by the control agents.
      While many consider iOS free of MALWARE, try and explain that to the parents who lost money thru in-app-purchases.
      iOS is NUMBER 1 for money lost while fanboys cheer Apple for vetting apps raking in over 70% of appstore revenue thru in-app-ripoffs.
      Yet the double standard Malware fingers are pointed at apps that send premium SMS and IAP apps get a free pass and $billions.
      warboat
  • Google Chrome or Android - you are missing a golden opportunity.

    Google is missing a golden opportunity by not releasing a downloadable version of Chrome OS or Android to run on old XP computers. Many of these are not upgradeable to Windows 7 or 8. So why is Google wasting this opportunity?
    GoForTheBest
    • What's wrong with Ubuntu?

      Why not just use Ubuntu or Linux Mint? Android is for mobile operating systems, and Chrome OS is [already installable on desktop computers](http://chromeos.hexxeh.net/).
      Ajedi32
  • Except the 90% figure is closer to 98%-99%

    It is an easy target by design.
    Bruizer
  • Grow Up.....

    Typical of the mama duck syndrome among proprietary software users. And the FUD tactics of their masters. Really.....if I want to play games, I use Windows. As in vgames......most of the boxen I own ? I wipe windows immediately after purchase and install a Nix system. When I don't it means I want to game a bit. As for phones, well, yes, if you are a luser you will download phone apps without checking permissions. You will let the Mama Duck take you under her wing. You will always be vulnerable; it's probably a reflection of your life that you let others take care of you and figure that they have your best interests at heart. Atm, I do real work on Slackware, though I may switch between Debian Mint, Debian, Slack or a few others. OS's that don't do anything I don't tell them. The excuse that "I don't have time to be an IT expert" is BS. It doesn't take that much time. What should simply be part of an intelligent person's lifestyle is considered a burden? Get real. Android lets me do what I want. Then again I have a clue about 'what I want' and how far I will go to get it. Open source has ALWAYS BEEN MORE SECURE since it assumes its users have brains. Great article, Mac and MS lusers be damned.
    jhbeirut