Wednesday, August 2, 2023

How to pick a more secure Android device

The problem with many Android devices is that when there's a security update in the Android OS, it typically doesn't go directly from Google (who makes Android) to you.  Instead, it goes from Google to the device manufacturer who then releases it to you.  This is different from Apple, where your iDevice gets automated updates directly from the Apple Mother Ship.

This lag opens the door to the Bad Guys.  I've posted before about "Zero Day" vulnerabilities, where there is a known vulnerability without a released update.  Android devices suffer from this (as do all devices), but the Google-Manufacturer-You release chain brings a new concept: the "N-Day" vulnerability:

A zero-day vulnerability is a software flaw known before a vendor becomes aware or fixes it, allowing it to be exploited in attacks before a patch is available. However, an n-day vulnerability is one that is publicly known with or without a patch.

For example, if a bug is known in Android before Google, it is called a zero-day. However, once Google learns about it, it becomes an n-day, with the n reflecting the number of days since it became publicly known.

Google warns that attackers can use n-days to attack unpatched devices for months, using known exploitation methods or devising their own, despite a patch already being made available by Google or another vendor.

So the key issue when choosing a more secure Android phone is how to minimize the value of N.  The faster the turnaround at the device manufacturer, the less your risk.

There are two strategies you can choose here:

  1. Buy a Google-branded Android device.  I don't know if N=0 in this case, but it's hard to see how any manufacturer could turn a patch around faster than the company that created the patch.
  2. Buy a device from a manufacturer that participates in the "Android One" program.  N will not be zero here but the program tries to streamline the patching/update process.

Or you could buy an iDevice, but now the discussion has lurched into the theological.

8 comments:

The Lab Manager said...

I've been using Androids for no other reason than I don't have enough White privilege in my bank account for an overpriced Apple product.

I don't do any financial stuff on my phone unless I just have to and I make sure that I don't as far as I can recall. I'm on my 4th phone I think since my first flip phone in 2007.

Old NFO said...

I went with iPhones because of that issue AND the issue of getting Android anything to work overseas...

Richard said...

Just don't do any financial or other sensitive stuff on your phone.

Tim Covington said...

This is why, despite their being slightly behind Samsung, I prefer Google Pixel phones. I will add that these security updates may take even longer if you buy your phone from your carrier. The update then goes from Google, to the manufacturer, to the carrier, and then to you.

matism said...

This is why I use a flip phone. And do not text nor use internet.
It also has a removable battery, which prevents Fedpigs from using their backdoors when I do not want them to do so.

lee n. field said...

"Android One". So, whose stuff is on that list? (Yeah, I'll get around to googling it soon.)

Peteforester said...

I HATE Google phones! My WIFE HATES Google phones! 'Nuff said on that.

I use a Samsung X-Cover Pro smartphone. Not the fastest thing on the market, but reliable, big-enough-but-not-too-big screen, good battery life, and, AND... a removable battery!!!

Minimizing what you do on your phone and minimizing the apps and other crap you load onto it is the best way to avoid being hacked! As for me, if someone wants to know who I've called, big deal. If they want to know that I looked up the oil filter availability for the John Deere, big deal again... "Social media?" Nope. I don't do that. Your phone is like your house, folks. The more windows you install, the more chance there is of you being seen running around nude!

jabrwok said...

Are there any alternatives to iPhones and Androids? If so, are they any good?