Are you paranoid, Android?
As part of this series exploring the range of secure communications available, I’ve already covered the shambles that is SMS, and examined the not unsubstantial delta between how Apple markets its iMessage service, and the way independent experts describe it. So next up under the spotlight is, of course, Google’s Android.
And what a contrast it is between the two mobile operating systems. While Apple is obsessively secretive about their systems, processes and technology, Android couldn’t be more open – since by definition it is an open-source operating system.
Android has three times the market share of Apple and collaborates with a cornucopia of hardware and software developers and producers. The Google system offers a freedom and customizability that attracts millions of software and app developers, and by bringing all this together and spreading their costs, they can offer amazing technology at prices that would make an iPhone user blush. As Hiroshi Lockheimer, Google's head of Android puts it, "We make Android, it's publicly available, it's open-source, it's free, no one's paying us for Android." But what does all this mean for privacy and protection? When it comes to Android and security, the words of the old song spring to mind: “freedom's just another word for nothing left to lose.”
There doesn’t seem any point pulling punches; let’s start with the biggie. Four out of every five Android devices are vulnerable to hackers because of a flaw inherited from Linux. That’s right – one single flaw exposes 80% of Android devices, allowing hackers to access unencrypted traffic and degrade encrypted traffic to spy on unsuspecting users. The findings were presented by security researchers from the University of California, Riverside and the United States Army Research Laboratory, in what you might have thought would be headline news. But unfortunately, whilst certainly shocking, the news isn’t really surprising. It’s fair to say that this is far from an isolated incident for Android.
Take, for example, the recently discovered vulnerabilities in Android phones equipped with a Qualcomm chip. Already given the catchy moniker “Quadrooter”, the collection of flaws affects over 900 million phones and tablets, and could allow an attacker to take complete control of the device. Could it be worse? Lockheimer has found a somewhat comical silver lining: “The heterogeneous nature of Android does have benefits from a security perspective. If every single Android device was the same, that would mean the same exploit would work on all 1.4 billion devices. But the fact that they're different actually helps, sort of."
So with all this out in the open, if you’ll pardon the pun, at least the bugs will get fixed, right? Well, not necessarily, no, because Android is notoriously hard to patch.
The reality is that with headlines such as “Android's 6 biggest security flaws 2016” running, it’s less a case of reading between the lines, and more of seeing the writing on the wall. The bright side is that, even on an Android phone, the Cellcrypt and Seecrypt apps can protect your communications with end-to-end encryption across voice, messaging, conference calling and file sharing.
And besides, if your business is losing out because of non-secure communications, perhaps there’s an alternate revenue stream? Google is paying users for flaw hunting on their Android software, and with so many out there, maybe that’ll make up the difference?
Harvey Boulter, Chairman, Communication Security Group