Look, we told you about these droids

Summary: Android can present security risks, says the FBI and the US Department of Homeland Security. But that's been true for years, and core industry attitude problems still need fixing.

TOPICS: Security, Android, Google

"Android." Thud. "Android." Thud. "Android." Thud. That's the sound of my face going straight down into my desk this week as news emerged that US government authorities had issued a warning: Millions of Android users are vulnerable to security threats, including many of their own law enforcement officers and other officials. Yeah, look, thanks for joining us, guys. Various sections of the security community have been saying this very same thing for years.

In October 2011, AVG's chief technology officer Yuval Ben-Itzhak told me that they were already seeing advanced Android trojans that could record and save conversations, uploading them to a server later. Even before that, in March 2011, the DroidDream trojan managed to compromise more than 250,000 unpatched Android smartphones.

"The hackers will always be where users are," Ben-Itzhak said. "If everyone now is using Android on their phones and downloading the popular games and the popular apps, then surprise, surprise! The hackers will be there."

As the US warning (PDF) reminds us, Android is now the world's most popular mobile operating system and "continues to be a primary target for malware attacks due to its market share and open-source architecture ... The growing use of mobile devices by federal, state, and local authorities makes it more important than ever to keep mobile OS patched and up to date."

Patching is probably a good idea, yes, but we can't blame the FBI and DHS for having to keep reminding people of this. Maybe it needs to be tattooed on their foreheads.

Who we can blame, though, is the uncoordinated troika that comprises the Android industry: Google, the device manufacturers, and the telcos.

Handset manufacturers naturally want to differentiate their devices with unique applications and their own idiosyncratic ideas of what a slick smartphone user interface should look like. That's steadily becoming their only path for product differentiation, given that hardware capabilities are likely to plateau.

Telcos naturally want to fill the devices they sell with bloatware designed to channel traffic back to their content services. That's steadily becoming their only path for increasing revenue, given that the per-user revenue for raw communications services is declining.

Both of these players need to coordinate the development and testing of security patches with Google before those patches can be released. But neither of them has traditionally worked to the rapid development cycles needed to counter the new security threat landscape.

Consumer electronics used to be a sell-and-forget industry, bar the occasional repair service. Telcos used to supply hardware that lasted for decades. But reprogrammable network devices that form part of a living, evolving network under constant attack? They ain't in Kansas anymore, folks! And both would rather be selling the next shiny bright model to achieve the next quarterly results.

Not upgrading old devices to more recent versions of Android is one thing — older devices might lack the hardware grunt for a more demanding operating system. But security patching is quite another.

The personal computer industry learned long ago that consumers don't always follow their ideal planned-obsolescence cycle. Businesses upgrade when it makes business sense for them, not because vendors have a new product to flog. Operating systems stay in use far longer than expected, and need to be supported. Just look at Windows XP.

The Android industry needs to learn the same lesson. All three participants in the troika are involved in selling a network device into what we now know is a hostile environment. Quite frankly, if they're not working hard to be part of the solution to all those cyberthreats, then they're part of the problem.


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

  • Interesting...

    So far the only malware that has actually been installed was installed by the users themselves... However, use AOSP code and you can easily find any back doors or flaws that might exist in the code (Remember the Red Hat backdoor?), so now it's a security risk. Yeah okay, thanks, but I'll take my chances.

    Seriously, MS had rumors of back doors for the NSA and we'll never know how true that is because people aren't allowed access to the full code.

    For the record, I'm not saying this is accurate but, it certainly does make you wonder why they singled out Android as though other platforms aren't capable of this type of issue.
    • @slickjim

      Maybe because there are a hell of a lot of Android users out there? Maybe because not all Android owners know how to root their devices and flash them with another Android OS? Maybe many users unknowingly download malware which works through a bug that was fixed a long time ago but never updated on the user's device?
      • @spicycheeks

        Android vulnerabilities, including running unsupported Android versions and Android OEMs/carriers being very late to patch, are a ticking time bomb. But, users do not *unknowingly* enable Android to install apps from unknown sources.

        The default in Android is to disallow the installation of apps from unknown sources.
        Rabid Howler Monkey
    • @slickjim

      And regarding the NSA... This is the digital world. If you use any email service, any cloud service, heck even a weather forecast app, you *might* be watched. Android *may* not have a back door for the NSA. But definitely Google will have a back door. Apple will have one. MS will have one.
    • @slickjim

      Well, the Feds and states have access to the source code for Windows, which is part of the antitrust deal.
      Ram U
    • Because android has thousands of malware apps

      and security holes out the wazoo. And millions of users have been infected with them, downloaded right from Google's own store. Stealing personal information, racking up charges for pay services, ransomware, etc etc etc. Stack that against completely false rumors about backdoors spread by occupiers and the like and the factual track record of Windows Phone apps and its curated store where the code for every app is automatically vetted. Yeah, it's easy to see why. Want your foreign competitors to know everything about what your company is doing and when? Ok then, go ahead and allow Android phones and tablets access to your corporate network.
      Johnny Vegas
  • insecure business model

    We, the consumers, are to blame.

    We want free stuff, so we accept advertising-driven products, which by their nature are insecure. They are constantly phoning home. And we don't know what their conversations are about.

    As a Unix guy, I was always aghast at the insecurity of the Windows world. The smartphone world is much, much more careless/promiscuous. And the risks are higher as we integrate more of our lives into these little things (GPS, photos, social networks, email, payments).

    I don't know how to retrofit any reasonable security on this, and I don't know if consumers would care.

    Heck, desktop systems (especially Windows) are trying to imitate this aspect of smartphones!
    • What world do you live in? In the US the carriers

      charge outrageous prices for smartphones and services. Far more than you'd pay if you were buying the devices and services separately. There's no reason why smartphones shouldn't have the same margins as DVD players or other standard consumer electronics. The carrier subsidy is what's holding smartphone margins up. Just like student loans have jacked tuition up to astounding levels that far outpace inflation. If carriers were prevented from selling consumer hardware and consumer hardware sellers were prevented from selling network access services, we'd see smartphone prices cut in half and carriers would have to provide good service.
      Johnny Vegas
  • Pointless article

    • Thank you so much

      It's well-reasoned, intelligent comments like this that make a writer's life worthwhile. Thank you. I particularly appreciate the effort you put into it.