Open source software security

Goodbye Android, Hello iPhone

21 November 2011

I'm getting an iPhone today after years of loyal Android OS use. Why, you may ask? Well, the Android security model finally got to me after a McAfee report noted a massive jump in Android malware that made it the most targeted mobile platform. Given that the iOS market share is far larger than that of Android, this trend made no sense. Examining most malware trends shows that the vast majority targets the platform with the highest availability. That is to say, malware writers target victims so they can get the most compromises, rather than targeting the most vulnerable platform. What this means for iOS users is that despite being part of a much larger target pool, they're still less likely to suffer from malware infections. There is really only one conclusion you can draw from this trend: iOS is more secure.

What is Secure?

Making blanket statements about "more" or "less" secure makes me apprehensive. Firstly, it's very difficult to quantify what "secure" means. In this scenario I'll call "secure" the likelihood of having the platform infected by malware. Secondly, such statements are often conflated with an evaluation of quality. Let me state immediately that I believe Google's Android platform is a smart, secure, strong mobile operating system. Sadly, the problem isn't Android, it's the cell phone carriers.

At issue is the difference in update policy between iOS and Android. With iOS, updates are controlled by the end user. Whenever Apple releases an update, all you have to do is plug your phone into a computer with iTunes, and you can download and install the update to your device. With an Android-based smartphone you have to get updates from your cell carrier. This means that you have to wait until your cellular company gets the Android update, tests it with all their custom apps and modifications, and decides to release it. This can create a massive lag time between Google's release of a security fix or update and the time when it lands on your phone.

At the time of this writing (September) my Android phone is running version 2.2.2, but Android 2.2.3 has been out since July. Android 2.3.4 has been available since May, and Android 3 has been available since February! What this means is that I'm running an out-of-date version of the Android operating system, which means I'm vulnerable to any number of serious software security flaws.
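The "lag time" described above is measurable: compare the version a device actually runs against the newest upstream releases and count the days since a newer build first became available. The following script is an added example, not code from the original post; the version numbers and release months come from the post, but the exact release days, the "today" date and the device list are constructed placeholders.

```python
from datetime import date

# Constructed upstream release timeline. Versions and months are taken from the
# post; the day-of-month values are assumed placeholders, not real release dates.
ANDROID_RELEASES = {
    "2.2.2": date(2011, 1, 1),
    "2.2.3": date(2011, 7, 1),
    "2.3.4": date(2011, 5, 1),
    "3.0":   date(2011, 2, 1),
}

# Constructed device inventory: (device id, installed Android version).
SAMPLE_FLEET = [
    ("phone-a", "2.2.2"),
    ("phone-b", "2.3.4"),
    ("phone-c", "3.0"),
]


def parse_version(version):
    """Turn '2.2.10' into (2, 2, 10) so comparisons are numeric, not lexical.

    Plain string comparison would rank '2.2.9' above '2.2.10'; tuples of ints
    also compare correctly when the tuples have different lengths.
    """
    return tuple(int(part) for part in version.split("."))


def newer_releases(installed, releases):
    """Return (version, release_date) pairs newer than the installed build, oldest first."""
    current = parse_version(installed)
    newer = [(v, d) for v, d in releases.items() if parse_version(v) > current]
    return sorted(newer, key=lambda pair: pair[1])


def patch_lag_days(installed, releases, today):
    """Days the device has been behind upstream: time since the earliest newer
    release shipped. Returns 0 when nothing newer exists.

    `today` may be a date or an ISO string such as '2011-09-01'.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    newer = newer_releases(installed, releases)
    if not newer:
        return 0
    first_newer_date = newer[0][1]
    return (today - first_newer_date).days


def fleet_report(devices, releases, today, max_lag_days=30):
    """Per-device patch lag plus a flag for devices over the allowed window."""
    report = {}
    for device_id, version in devices:
        lag = patch_lag_days(version, releases, today)
        report[device_id] = {"version": version, "lag_days": lag,
                             "overdue": lag > max_lag_days}
    return report


if __name__ == "__main__":
    # Assumed observation date matching the post's "September".
    for dev, info in fleet_report(SAMPLE_FLEET, ANDROID_RELEASES, "2011-09-01").items():
        print(f"{dev}: {info['version']} lag={info['lag_days']}d overdue={info['overdue']}")
```

On a real fleet the installed version would come from a device-management inventory rather than a hard-coded list, and the release table from the vendor's published security bulletins; the comparison and lag computation stay the same.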

Conclusion

Relying on your carrier to package and push operating system updates is silly. It extends vulnerability windows and ensures that exploits remain viable in the wild for longer periods of time. While the Android delivery model may have made it easier to get carriers to offer Android-based phones, in the long run it is going to be a detriment to the platform. Until Google does something to allow end users to manage their own updates, as a security professional, I can't condone using the Android platform.