How secure is Android? And should we be worried? [Q&A]
In the past malware developers and hackers have tended to concentrate on Windows. But as mobile has taken off and there's been a shift in the type of systems people use they've diversified their efforts into other systems.
In particular Android, as the most popular mobile OS, has become a prime target. We spoke to Huan Ren, chief architect at Android security and performance specialist 360 Security to get his view of the mobile security landscape.
BN: How does the Android threat landscape differ from other operating systems? Are premium SMS threats still a major problem for example?
HR: There's no absolutely safe operating system on the market. Android in particular has from day one been the go-to platform for a couple of reasons. Android makes up nearly a third of the global smartphone market. At the same time, Android's open platform supports many different variants of the Android ROM running on different types of devices, and hundreds of different app stores around the world. It's no surprise under these conditions that hackers target Android -- the low hanging fruit. With a far higher volume of threats to account for, compared to other operating systems, Android also tends to be home to the more creative types of hacks, whether it’s an SMS Trojan, or even an adware scheme.
BN: Does the fact that Android is often customized by hardware OEMs make it more difficult to keep it secure?
HR: There are pros and cons to Android's open platform. The open platform has encouraged Android to flourish, it provides developers and OEMs the convenience of adopting a single operating system, and users with choices between phones. However it's far more difficult to provide robust security services in an incredibly fragmented market when it's not only Google's responsibility to provide support to users. For instance, Google will push a vulnerability patch through a new OS version but historically the OEMs are slow to react and deliver the patch to the end user. In a real world analogy, this explains why Lollipop has been delivered to under 0.1 percent of Android users.
BN: People tend to point to the operating system when breaches occur, but how much of the security risk comes from poorly designed apps?
HR: You're definitely onto something. The Google team is known to be on top of Android security vulnerabilities. For example, Google rolled out Security Enhanced Linux (SELinux) with Jelly Bean. Google also updated SMS broadcast requirements, which secures SMS messages that are delivered to mobile apps. Of course this is just the tip of the iceberg. Google offers encryption protocols including MD5, AES, and HTTPS, along with regular security patches. The consequence of providing an open platform is a loss of control over its own platform and security standards. If security isn't a prerogative for an app developer they may decide to store users' information in plain text format for the sake of developing a fast, minimum, viable product. Of course this opens the app up to vulnerabilities and hackers wouldn't need to sweat to steal any stored information about the app's users.
BN: Are we at the stage where it's essential for Android users to have some sort of anti-malware app installed on their device?
HR: Many Android users end up installing malware because they're downloading untrustworthy apps or apps from third-party Android markets with questionable policies. Or users may unwittingly download malicious apps from forums and even other devices. Surprisingly, not many Android users are cognizant of the threats that lurk on Android, so we'd argue that it's essential for Android users to have one additional anti-malware app installed on their device. Fortunately, these days, security apps are simple to use and free-to-download. Think of an Android security app like the antivirus software you’ve installed onto your PC. Because Android security apps have varying degrees of quality, you might have more than one antivirus product installed in the case that one product failed to catch a virus. You can check AV-TEST's monthly list of top security apps, which includes 360 Security's antivirus engine by Qihoo 360.
BN: In response to Google's recent pulling of support for WebView you recommended users switch to using Chrome. Is the Chrome browser significantly more secure and why?
HR: Ideally you'd want to be using Chrome or Firefox if you want to avoid these WebView vulnerabilities. The reason isn't because of how secure Chrome is. Google explained that it's dealing with five million lines of outdated code, not to mention thousands of commits developers are submitting regularly, making it more difficult to deliver patches to WebView, particularly when WebView until recently came packaged in firmware. That means to get the latest WebView version delivered to end-users Google had to first send it to OEMs and carriers to distribute the patch. Once that happens it's out of Google's hands and it's a waiting game before the OEM and carrier gets around to delivering the patch. So to cut to the chase Google decided to deliver WebView patches directly and instantly to users by way of the Google Play store. Because Chrome and Firefox can be downloaded from the Play store, to receive the latest WebView patch all you need to do is update your browser version when a new one is available.
BN: Is the user always the weakest link in keeping any system secure?
HR: I'm sure, based on my previous response, that you'll get the inkling that Android users aren't taking enough precautionary measures to safeguard their mobile security. Oftentimes it's what apps you download, sites you browse, or links you click that causes you to have that nasty bug hiding away in your phone. Of course, not everything is in the users' control. For instance, there are plenty of situations where a trusted developer's app is hacked and user data is stolen. But more often it's the users’ actions that cause their device to contract malware. Luckily, there are measures that users can take to safeguard themselves to minimize the chance that this happens.
BN: Finally, what everyday steps should people take to protect their Android devices?
HR: We'd recommend that you update your apps and operating system regularly to ensure that you're receiving the latest patches. This will minimize the chances that a hacker could take advantage of your device. At the same time, security apps are a great aid in not only detecting any new threats, but also removing them. And of course, users should pay more attentions to how they're engaging with the content on their device. That means avoiding suspicious links, apps, mobile sites, and unfamiliar Wi-Fi networks.
Image Credit: Palto / Shutterstock