Google admits Android wasn’t designed to be safe

Android malware (Juniper Networks)

In the wake of numerous reports that all point to the same conclusion – that malware infestation is running amok on Android – the Internet giant made an unusually open statement through the mouth of its Android lead, Sundar Pichai, who finally admitted that Android wasn’t built for security.

“If I had a company dedicated to malware, I would also be targetting Android”, Pichai allegedly said to a stunned audience at Mobile World Congress in Barcelona, Spain. When your own platform lead starts making such frank statements about Android security, it’s high time you considered taking these security reports at face value…

Here’s a machine-translated quote from the original in French, via FrAndroid:

We cannot guarantee that Android is designed to be safe as the platform was designed to give more freedom.

When people talk about 90 percet of malware on Android, they must of course take into account the fact that it’s the most used operating system in the world.

If I had a company dedicated to malware, I would also be targetting Android.

Actually, Android accounts for an unbelievable 98 percent of all new mobile threat detections, Kaspersky Lab said yesterday.

As Daring Fireball‘s John Gruber noted, Google has indeed become the new Microsoft.

The old Windows line of defense: Android is so popular of course it has all the malware. For some reason, though, that’s the only sort of software where Android leads iOS in third-party developer support.

For the sake of completeness, Google Chairman was ridiculed last October during a question-and-answer session at the Gartner Symposium over his stubborn insistence that Android is more secure than the iPhone.

Android’s susceptibility to malware is often ridiculed by the Apple camp and even Apple’s own executives aren’t immune to this. For example, Apple’s own marketing head, Phil Schiller, last March tweeted out a link pointing to a mobile security report criticizing Android’s lack of security.

While Android’s popularity does make it an attractive target for malware creators, there’s no denying the fact that, at its core, Android is less secure than iOS or Windows Phone for that matter. If it were the other way round, Android – not iOS – would dominate in large scale enterprise deployments.

Android robot (image 001)

Part of it is purely technical.

Because most Android devices ship with a combination of open source and proprietary software, complexity increases which in turn introduces numerous attack vectors.

Another facet to this debate is Google’s proclaimed openness: the company doesn’t screen app submissions so malware disguised as innocent-looking apps easily sneaks its way into Google’s Play store.

To its credit, Google removes malware as soon as it’s been discovered and written about, though the damage by then will have already been done. This is in stark contrast to Apple, which curates the App Store content to ensure that only high-quality, malware-free apps make it into the store.

Which isn’t saying Apple’s devices are immune to security vulnerabilities.


They are not.

A nasty SSL bug discovered last week made all iOS devices and Macs vulnerable to man-in-the-middle attacks. A few days later, Apple issued a crytical security patch via OS X Mavericks 10.9.2, iOS 7.0.6/6.1.6 and Apple TV 6.0.2 software updates.

Responding to the security scare, 13.3 percent of active iOS devices in the wild were spotted running iOS 7.0.6 just 48 hours after its release, ad network Chitika noted. Two days later, the adoption figure has risen to 26 percent of total iOS-based North American web traffic, a cool thirteen percentage point increase.

Another example: a new iOS security flaw makes it possible for attackers to covertly log every touch a user makes, including keyboard and Touch ID presses.

Apple yesterday added new features to its suite of enterprise deployment tools, making it easier to manage fleets of devices remotely, deliver configuration profiles wirelessly and more. The company has also issued a refreshed version of the iOS Security white paper [PDF download] which offers new details on how iOS 7 and hardware features such as Touch ID, A7 and Secure Enclave boost iOS security.