Shulou(Shulou.com)05/31 Report--

­

­[abstract] although Google has done a lot to improve the security of Android, its security performance is still not satisfactory, an important reason is that Android devices can not install update packages in time.

­Tencent Digital (Wen Xin) Android is the world's most popular mobile platform, with more than 1.4 billion people using Android smartphones or tablets every day, according to Digital Trends. Android is open source software for free use by device manufacturers, which is an important reason why it attracts so many users. But openness is a double-edged sword: one consequence is that many Android phones do not regularly update the latest security patches.

­the specter of malice has been hanging over Android for the past few years, and researchers have found some very high-profile security flaws, such as Stagefright. The frequent negative news makes it difficult for people to treat Android security comprehensively and objectively. Last week, the media disclosed FalseGuide malice, saying it could affect as many as 1.8 million Android users.

­if you only look at the media reports, people are understandably worried about the security of Android. But which media reports about Android security are exaggerated and which are objective and true? Is the Android platform really not secure?

­Adrian Ludwig (Adrian Ludwig), head of Google's Android team, told Digital Trends in a recent interview, "No, Android is not unsafe. I think we have cognitive problems, and our perception is different from the actual user danger. The encryption technology that we have been developing, sandboxie technology, and other technologies that make it more difficult for hackers to make use of security flaws work together perfectly. "

­there is no doubt that the latest version of Android is more secure than the previous version, but the problem is that many Android users have never felt it. Back in 2016, the Google Android security team confirmed in a blog post that about half of the Android devices were in use by the end of 2016 and had not installed an update package for at least 12 months.

"Google's latest version of Android can be considered secure," Maik Morgenstern, chief executive of AV-Test, an antivirus software evaluation agency, told Digital Trends. "however, especially in many older versions of Android, more and more defects have been found and many device manufacturers do not release update packs for their devices. At present, more than 800 security flaws have been found in the old version of Android."

­official Android version data as of April show that only 4.9% of Android devices are running the latest version of the Android operating system, Nougat 7.0 or 7.1, which is a disappointing figure. Android 6.0 Marshmallow accounts for 31.2% of Android devices, while 31% of Android devices run Android 4.4 KitKat. Most Android devices running older operating systems are never likely to be updated.

Joshua J. Drake, vice president of platform research and utilization at Zimperium, an Israeli mobile security company, told Digital Trends that "84 per cent of phones have not been updated, which means that most mobile devices are still at risk of being attacked."

­Drake discovered the Stagefright flaw in 2015. According to media reports at the time, the Stagefright flaw made it possible for hackers to control Android devices through malicious code lurking in audio or video files, affecting up to 95% of devices. Mr Drake told Digital Trends that less than 1 per cent of Android devices were currently affected by Stagefright defects.

­although the potential harm is frightening, the actual harm caused by Stagefright defects to Android users is not clear. "We found it for almost two years, but we don't know that any users have actually been attacked because of it," Ludwig said. "

­but Drucker disagrees. "We know that there are targeted attacks that exploit flaws in libstagefright and mediaserver. We know that it is difficult to prove widespread harm, and we respect Google's efforts to improve the security of its platform. However, because there are no corresponding sensors on the device, no one can understand the risk or threat status of the device-especially mobile devices."

­Digital Trends says the problem is that it is not easy for users to determine whether their devices have been attacked. After the Stagefright defect was discovered. Zimperium has established the "Zimperium Mobile Alliance" to enhance communication among researchers, mobile operators, mobile application developers and device manufacturers.

­Drake said, "researchers need to study monthly security updates and try to take advantage of these flaws to promote better bug fixes and improve security across the mobile domain."

­Google has taken some important steps to reduce security risks, releasing monthly updates. But the old version of Android was forgotten.

­it is not easy to solve the problem of Android fragmentation. It has been difficult for Google to persuade mobile operators and manufacturers to update their Android devices. This gives rivals a chance. At the 2014 Global developer Conference, Apple CEO Tim Cook referred to an article on ZDNet that "Android fragmentation makes devices a vulnerability hell." But is iOS really more secure? If it is safer, why?

­Drucker said, "there has always been the impression that iOS is safer than Android, but this may not be the case."

­because Android is open source software, it is easier for security researchers to find defects and advise vendors to develop patches. The closed nature of iOS makes it difficult for researchers to discover its internal "mysteries," Drucker said. Morgenstern agrees, but mentions an important difference between the two-making malware a greater threat to Android.

­Morgenstern explains, "Android users can easily install applications from any source, which makes malicious applications easy to infect hardware. Other platforms are much stricter in this respect, allowing users to install only applications from their closed app stores."

­Android is a big target. Having so many users and open source features makes Android an attractive target for cyber criminals. AV-Test collects up to 30,000 new Android malware samples every day, which is terrible data, but Android users who are concerned about security can take some measures-such as insisting on installing applications through Google Play, installing update packages in a timely manner, and installing third-party Android security applications-to significantly reduce the risk of attack.

­Drake and Morgenstern also warn users not to connect unknown networks and WiFi hotspots, at least without using suitable Android VPN (virtual private network) applications.

­Drake explained, "our data show that most attacks are networked in nature and do not distinguish between iOS, Android and other platforms. Once hackers quietly intercept and redirect device network traffic, the device may be subject to intrusive surveillance."

­Digital Trends said Android security is improving due to faster update package releases, device encryption, authorization requests, sandboxie, an application that isolates applications from each other, restricted resource access, and Play Store's automatic scanning of malicious items. But it is clear that there is room for improvement in Android security.

­asked about the importance of third-party research, Ludwig said, "We paid about $1 million (about 6.9 million yuan) to researchers last year." Although Google has its own research projects, Drag feels the need for more similar research projects.

­he said, "to improve the overall security of Android, it is necessary for Google to work more closely with security vendors. Apple and others have expanded their cooperation projects, but Google has scaled back their cooperation projects. Google's logic is that they can do all the work on their own, but unfortunately this will do harm to users and benefit hackers."

­ultimately, Android security issues may be related to the devices used by the user. If you use a phone you bought two or three years ago, run an old version of Android, and haven't been updated for months, you need to pay attention to the security of the device. By contrast, users of Google Pixel phones will receive the latest security updates in time, at least within the next two years after buying the phone.

­it is difficult to say when most Android devices will be able to use Nougat or later Android versions, and the slow release of update packages by some equipment manufacturers and operators will continue to be a problem.

­Morgenstern said, "unless all devices install update packages in time, users will still be at risk."

­Source: Digital Trends

­

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.