How to pick a more secure Android device

The problem with many Android devices is that when there's a security update in the Android OS, it typically doesn't go directly from Google (who makes Android) to you.  Instead, it goes from Google to the device manufacturer who then releases it to you.  This is different from Apple, where your iDevice gets automated updates directly from the Apple Mother Ship.

This lag opens the door to the Bad Guys.  I've posted before about "Zero Day" vulnerabilities, where there is a known vulnerability without a released update.  Android devices suffer from this (as do all devices), but the Google-Manufacturer-You release chain brings a new concept: the "N-Day" vulnerability:

A zero-day vulnerability is a software flaw known before a vendor becomes aware or fixes it, allowing it to be exploited in attacks before a patch is available. However, an n-day vulnerability is one that is publicly known with or without a patch.

For example, if a bug is known in Android before Google, it is called a zero-day. However, once Google learns about it, it becomes an n-day, with the n reflecting the number of days since it became publicly known.

Google warns that attackers can use n-days to attack unpatched devices for months, using known exploitation methods or devising their own, despite a patch already being made available by Google or another vendor.

So the key issue when choosing a more secure Android phone is how to minimize the value of N.  The faster the turnaround at the device manufacturer, the less your risk.

There are two strategies you can choose here:

1. Buy a Google branded Android device.  I don't know if N=0 in this case but it's hard to see how any manufacturer could turn a patch around faster than the company that created the patch.
2. Buy a device from a manufacturer that participates in the "Android One" program.  N will not be zero here but the program tries to streamline the patching/update process.
   

Or you could buy an iDevice, but now the discussion has lurched into the theological.

More Android security problems

TL;DR: all photos that were cropped on Google Pixel Android phones from 2018 until this month didn't actually delete the cropped data which can be recovered.  If the cropping was done for purpose of privacy or redaction, then the photos (which very well may have been shared on social media) are not secure at all.

Details: security is a subtle thing - one day you can be secure and the next day not.  This problem came from a change in the Android OS.  The way one of the OS functions worked in Android 9 changed with Android 10.  But the implications of this were subtle and app developers didn't realize the implications, so the Markup app that functioned securely under Android 9 suddenly functioned insecurely under Android 10.  We've actually seen this before (note: this is one of my favorite posts here).

So what do you do if you have one of these phones, and pictures that you've cropped?  Well, the new Android updates fixes the bug, so you don't need to worry about new pictures that you've cropped.

But every one of your pix that you cropped between 2018 and this month can expose cropped data.  You'll have to decide if this is a problem for any particular picture.  If it is, you should display the picture in full screen mode and then take a screenshot - and then delete the original picture.

If you have a Samsung cell phone there's a critical security bug you need to pay attention to

There's a very nasty security bug, and you need to change your phone's settings:

Google security analysts have warned Android device users that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack and remote-control their handsets knowing just the phone number.

Between late 2022 and early this year, Google's Project Zero found and reported 18 of these bugs in Samsung's Exynos cellular modem firmware, according to Tim Willis, who heads the bug-hunting team.

Four of the 18 zero-day flaws can allow internet-to-baseband remote code execution. The baseband, or modem, portion of a device typically has privileged low-level access to all the hardware, and so exploiting bugs within its code can give an intruder full control over the phone or device. Technical details of these holes have been withheld for now to protect users of vulnerable gear.

It's actually normal to withhold details until there's a fix.  The researchers contact the manufacturer and give them details so they can create a fix.  Releasing details before the fix is ready will just help the Bad Guys develop an attack.

So if you have one of these things, here's what you need to do:

According to Google, the following devices use potentially vulnerable Exynos modems: Samsung's S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 products; Vivo mobile devices including the S16, S15, S6, X70, X60 and X30 series; the Pixel 6 and Pixel 7 series of devices from Google; and vehicles that use the Exynos Auto T5123 chipset.

Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update. Until the other manufacturers plug the holes, Willis suggests turning off Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against baseband remote code execution, if you're using a vulnerable device powered by Samsung's silicon.

I don't use Android so can't really help with how to turn off WiFi calling and VoLTE, but it should be in the Settings.

Android: no malware problem?

That's what the head Android security d00d says:

[Lead Android engineer Adrian Ludwig] said that while impressive software security exploits surface often enough, their use in actual attacks is small: “I don't trust humanity any more than you do, but the scale of exploitation is small … in the meantime it feels like we may have a chance at wining the exploitation battle in mobile.”

In illustrating the low exploitation figures, he said of two "beautiful" exploits in wild, one was leveraged less than eight times per one million devices, and the other once per million, even though 99 and 82 percent of Android users, respectively, were at risk at the time of disclosure – and that's according to stats from BlueBox.

I'm not sure that I believe that the data sources he's relying on are comprehensive, but this is pretty interesting.

Android users, your apps are spying on your location

Lots of apps:

University researchers have developed a smartphone app to show users how often their mobile software tracks their movements.

The team from Rutgers University said that the their Android tool uses a real-time monitoring system to show exactly when an application pulls locational information and transmits it. The results, they say, were eye-opening for many users.

"Our results confirm that the Android platform’s location access disclosure method does not inform participants effectively," the team wrote. "Almost all participants pointed out that their location was accessed by several apps they would have not expected to access their location."

It's really a promiscuous use of location tracking by all sorts of apps that have no business messing with it.  Given the generally terrible security that you find in most apps, and the desire of the NSA/GCHQ/EIEIO to slurp all of that up, this is bad juju.

And yes, "bad juju" is a technical security term, similar to FUBAR.

To prove their point, the Rutgers team offered results of a campus experiment which placed users with the tracking notification software against Android users without the tool. Results of the test, they say, showed that the users with the alert tool were better informed about application tracking behaviors and were more likely to understand how individual apps were handling their data.

That the additional tools are needed to properly understand what applications are doing is an indictment of the way Android handles locational tracking, say the researchers.

They will release their app to the Google Play store in two months so you can   spy on the spys.  Quis custodiet, and all that.  Because it's good to protect your metadata.

Wonder how many apps will release an update in the next 2 months, turning off location tracking.  Bet the number is greater than zero.

Tech rumble: Windows 8 vs. iOS vs. Android

This actually sums up the battle pretty well:

It's absolutely true, as my former colleague Tom Dale argues, that Apple remains weak in web services and Google continues to stumble in user experience. The problem, as he articulates, is that "Google is getting better at design faster than Apple is getting better at web services," but both are making progress. If Microsoft steps back to focus solely on Windows 8, rather than seamlessly weaving into it web services and winning hardware design, then Microsoft stands to be the jack of all trades, and master of none. That's not a winning strategy in mobile. Not yet, anyway.
Hastings continues:

The challenge for [Microsoft] is: okay, what’s the profit stream, if the marketshare is different than it has been in the past? The big profit streams are from very high-share products — Office and Windows. So to the degree that the eventual revenue is not the same split as in the past, then there’s a threat to the profit stream.

Exactly... and guess what? Microsoft's primary revenue streams absolutely will be different from those it enjoyed in the past. As I've argued recently, Microsoft's Office suite is no longer the primary means of creating valuable business data/content. That's revenue stream number one in jeopardy. It's also the case that in mobile, the big market going forward, no one buys operating systems. Apple makes it part of the iPhone/iPad experience for free, and Android, of course, is open source. That's Microsoft's second big revenue stream eviscerated.

Android has come a long way in the past 12 months.  I ditched an older Android 2.2 because it was clunky; #1 Son is in love with his Galaxy III.  Apple has fumbled very badly with their epic fail mapping app - this is one of the most valuable apps for a smart phone, and Apple's simply doesn't inspire confidence.

And I had a bit of an out of body experience in the last few days.  I was driving around with #1 Son who was playing MP3s.  Suddenly the music cut out and a voice said In one quarter mile, turn right.  Woah - directions that talk to us? 

Of course, this is ten year old technology.  You just don't get it on your iPhone.  Android FTW.

As to Microsoft, it doesn't appear that any of their corporate customers are remotely interested in Windows 8.  That's the Windows and Office profit streams that are divorced from the core technology stream.  Maybe they'll pull it off.  Maybe.

This is actually turning into a very interesting horse race.

iOS vs. Android security comparison

I've been pretty harsh the last week or so to Apple, and so I thought I'd step back and look at the broader picture.  Which has better security, iOS or Android?  There are a few different aspects of security that I'll go through, in rough order of importance.

Security Patching

Apple is straight forward: they release a security update, and your phone or iTunes downloads it.  It's straight from the factory to you, which is the Right Way to do things.  Apple seems to release iOS security fixes every 3 months or so which is a little slow for my taste, but is probably OK for now.

Android has a much more convoluted patch release process.  Google creates the patch, but rather than sending it to you, they give it to the handset manufacturer (Samsung, HTC, Motorola, etc).  The manufacturer packages it up (maybe with some other stuff) and releases it to the carrier (AT&T, Verizon, etc).  Some day, it may even show up in your phone.  This is clearly Broken.

It's even worse, because there's a fair amount of churn in the Android device market, with vendors entering and exiting all the time.  There are quite a few "orphan" Android phones that are non-upgradeable, with exploitable security flaws.

Advantage: Apple (by a lot).

Malware

Apple uses a "Walled Garden" app distribution model, meaning that app developers have to submit their app to Apple for testing and vetting.  Apple runs code scanners on apps to try to determine if the app is dangerous or malicious, and while there's only so much that code scanners will tell you, they're making an effort.  A number of developers complain about the "fascist" model of the iTunes app store, but the result is that there's not very much iOS malware.

Android uses a very different "Open Garden" approach.  Anyone can create an app, and get it up in the Android Marketplace.  Little (or maybe no) vetting is done, and so the Android Marketplace is filled with malware apps.  While it's very hard to get reliable counts, the minimum is several thousand malware apps available for download.  Android Security ProTip: the Android "Legend of Zelda" app is malware.

Advantage: Apple (by a lot)

App Sandbox

A sandbox is a restrictive execution environment that only allows a program to take particular actions.  Both iOS and Android have roughly comparable capabilities here.  Apple's is, as you'd expect, easier to understand.  Android's is - again, as you'd expect - more granular and flexible.  I don't see very much difference.

Note that if you jailbreak your device, you blow away the sandbox entirely - everything runs as root (with elevated privilege, meaning the programs can do anything without restriction.  From a security point of view, this is very bad juju.  It applies equally to iOS and Android.

Advantage: none.  It's a tie.

I'll do some more thinking, and put up another post if there's more, but overall, Apple seems to have a pretty big advantage in security.

Android and Blogaway - not ready for Prime Time as a mobile blogging platform

I moved away from the iPhone because the insane DRM became intrusive, and actually stopped me from blogging with the Blogpress app.  I annoyed me that I moved to Android on my shiny new Samsung Galaxy Android phone, using the Blogaway app.

Mistake.

It's simply not ready for blogging, and an abortive post last night illustrates why: not only was it filled with embarrassing misspellings, but the Blogaway ate half of the post, so that what was left was incoherent.  It's plenty easy enough for me to do incoherent all by myself; I don't need any help from the phone, thanks very much.

This experience no doubt was exacerbated by the fact that I was posting near the end of a 14+ hour drive from Austin to Atlanta, and was pretty tired out.  But this is actually worse for Android - rather than being an excuse for its crappy performance, this is the test case for use.  If someone can use the system tired, it's ready for Prime Time.  If they can't, then the crummy system will perform precisely how it did last night, and the user's confidence in the system as a robust blogging platform will plummet.

Here are the shortcomings that kill Android as a mobile blogging platform:


1. The soft keyboard

It blows chunks.  This isn't really surprising, because all soft keyboards blow chunks.  The keys are of necessity too small (we're talking about a 4 or 5 inch screen, of course they're too small), and all the tactile feedback mechanisms are wrong, because they don't address the killer problem soft keyboards have:

You hit the key next to the one that you want to, all the time.

The iPhone actually has a mechanism to deal with this.  While it's not exactly a real-time spell checker, it's close enough that we can pretend it is.  While this autocomplete can have sometimes hilarious or unfortunate unintended results, mostly it works pretty well.  To solve the "I hit the key next to the one I wanted because the keys are too damn small" problem, it's very close to an ideal solution.

Android doesn't have anything here.  Nothing that compares to the iPhone, nothing like a spell checker that highlights misspelled words.  Nothing.  The user is left to manually spell check his text, and manually edit it to fix it.  Which leads us to the next killer problem:

2. Text Editing

It blows chunks.  And quite frankly, there's no excuse for this, because the iPhone has decent enough text editing.  Everything has decent enough text editing, and has ever since vi replaced Teco as the editor of choice for power geeks everywhere.

It seems that Google hired the Teco engineering team to write the text editing routines.  Note to Google: this isn't a compliment.

And you have to edit all the damn time, because the soft keyboard blows chunks and Android leaves that as a problem for the user to fix.  Go ahead - try to make the cursor hop around to random spots in your text (exactly as you would when spell checking a blog post).  Which leads us to the final killer problem that makes Android a trifecta of fail:

3. Random commands that unexpectedly do things are bad, mkay?

Blogaway somehow managed to eat half of my post, while I was trying to edit the text to fix the misspellings.  I'm not quite sure how it did this, but this is my point - if the menu options aren't clear about what they're going to do, then the user is going to be surprised.  It's hard to see how any of the surprises will be pleasant ones.

One of the jokes people used to make about the Teco editor was that you could enter any command into it at all, and it would do something.  You could escape to command mode, type your name, and it would do something.  Power geeks used to compete for extra crazy 1337 cred by predicting what that would be in advance.

Note to Google and Blogaway: that isn't a compliment.

And so the trifecta: a horrible keyboard guaranteeing many "off by one" misspellings, lousy text editing capabilities, and an arcane and "exciting" menu system that can do all sorts of unexpected transforms on your post.

Fail.

The Android architecture may be better (I have no real opinion here), the Open Source aspect is attractive, but overall nobody's running the shop on how tired users will actually use the system.  And so Android takes the blame.  It's not ready.  The phone is OK, the email is acceptable* but the apps mostly stink and are only usable as toys.  Google needs to put some serious effort into the user experience.  They can start by firing the Teco team.

* But I see emails saying "I apologize for any misspellings, as this is sent from my Android phone" which translates to "My crappy phone can't spellcheck to save its life and has a keyboard that blows chunks, but IT makes me use it.  Please don't think that I'm an idiot."