What everyone is saying about mobile OS security is wrong

Ryan Carboni ryacko at gmail.com
Sat Mar 17 21:04:13 PDT 2018


http://www.zdnet.com/article/google-android-security-report-2017-we-read-it-so-you-dont-have-to-and-here-are-the-takeaways/
Google Play has given Google more control over security. Like Apple's App
Store, one central app distribution point gives Google more security
control. Google noted that Android devices that only download apps from
Google Play are nine times less likely to get a PHA than devices from other
sources. Google Play Protect protects almost two billion devices.

But is the above precisely correct?

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf
While all Android devices benefit from protections built into the platform,
Android devices with Google Play services have an additional layer of
defense to keep them safe. Google protects these devices right out of the
box with Google Play Protect, our built-in device, data, and apps security
scanning technology.


No, it is not. Google Play apps are scanned using a cloud anti-virus program.

What else is special about Google Play?

https://www.theguardian.com/technology/2014/jan/23/how-google-controls-androids-open-source
Manufacturers can be refused a licence if they do not meet Google's
requirements. Google does not charge for a GMS licence, but any company
producing an Android device will need a certificate from an authorised
testing facility in order to apply for the licence. That often incurs fees.

One source told the Guardian that the fee varies and is negotiated on a
case-by-case basis, with one example costing $40,000 for a batch of at
least 30,000 devices. A separate source said that in another deal, a
testing facility quoted $75,000 to test 100,000 devices.


And rather recently, Joseph Cox said in tweets within hours of each other
that the US government shut down a phone maker that could only sell secure
Blackberries to drug dealers and that a judge signed a warrant for any
Google location enabled apps. For some reason, the Tor Project receives
more free PR than any business providing a phone remotely resembling
anything that is desired by civil libertarians.

You people don't notice anything. At all. You people never accomplish
anything useful you want, ever.

It is extremely trivial for Google to make Android more secure, create an
app anti-virus API, require security updates within one month of the issue
being discovered for Google Play access, etc.


And the question about whether devices should be rooted or not by the user
is pretty simple. An unrooted device is a production environment designed
to be secure by hundreds of people, and the occasional bug bounty. A rooted
device is a development environment whose security is owed to anyone with
physical access to it.