Android and security don’t exactly go hand-in-hand. In fact, from my view, the majority of mobile security concerns stem from Android devices, which makes the platform seem like the bane of mobile security. A recent report from a security company reveals that the top twelve most unsecure phones all run Android, including the Samsung Galaxy Mini, HTC Desire and the Sony Ericsson Xperia X10. The iPhone, on the other hand, only comes in at number 13.
There are a number of reasons why this is the case, from malicious apps invading the unwalled garden to a very laggy update schedule among Android phones. We’re going to explore these reasons in today’s article.
Apps and Permissions
I’m sure you know the story by now: iPhones, iPads and iPods live inside a walled garden in which Apple strictly dictates what can be on the device and what can’t. Apps can only be officially downloaded through the App Store, and Apple needs to review each app to make sure it obeys their stringent rules. If your app calls on private APIs or doesn’t work as advertised – or for one of many other reasons – Apple will reject it and it won’t make its way onto the App Store.
Some, like me, prefer this experience because it means that only working, largely non-malicious apps are sold in the store. When an iPhone user downloads an app, he can be confident that it’s not a massive, or even minor, risk. (That’s not to say iOS is a 100% secure OS, but Apple patches problems fairly fast, as we’ll look at in the next section.)
However, when we look at Android, the story’s different. There are far fewer restrictions on what types of apps can run on the phone, meaning software can manipulate much more of your phone, both cosmetically and functionally.
If you go ahead and download an app from the Android Market, you’re presented with a tab that explains the various permissions a specific app is granted when you download it. This is a good practice for Android, because users can easily see what level of data is going to be visible to the app, but it poses the risk of becoming another EULA. And pretty much everyone has to admit that, at least once (if not always), they’ve skipped reading the terms and conditions in favour of immediately hitting the Accept button. Even though information is there in the Android Market, not everyone is always going to check it.
This particular app requests changing settings, taking photos/videos, accessing your GPS information, and more.
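An added example, not part of the original article: the permission list the Market shows comes from the uses-permission entries in the app's manifest, so the check people skip by eye can be scripted. It assumes the manifest has already been decoded to text XML; the sample manifest, the SENSITIVE list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample (decoded text manifest), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Assumed short list of permissions worth a second look; extend as needed.
SENSITIVE = {
    "android.permission.WRITE_SETTINGS": "change system settings",
    "android.permission.CAMERA": "take photos and videos",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.ACCESS_FINE_LOCATION": "read GPS location",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.SEND_SMS": "send text messages",
}

def requested_permissions(manifest_xml):
    """Return the distinct <uses-permission> names in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name and name not in names:
            names.append(name)
    return names

def unexpected_sensitive(manifest_xml, expected):
    """Sensitive permissions requested beyond what the app's purpose needs."""
    return {
        name: SENSITIVE[name]
        for name in requested_permissions(manifest_xml)
        if name in SENSITIVE and name not in expected
    }

if __name__ == "__main__":
    # Assumption: a flashlight app needs the camera (for the flash) only.
    findings = unexpected_sensitive(SAMPLE_MANIFEST, {"android.permission.CAMERA"})
    for name, meaning in findings.items():
        print(f"{name}: lets the app {meaning}")
```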
Slow Update Rollout
If we look back at the original report, we can see some information about user adoption. The report says around 38% of users are on iOS 5, after six weeks of availability, and 59% of users are yet to upgrade from iOS 4. The way I see it, getting over a third of millions of users to upgrade is pretty good in six weeks, and within a few months, I’m sure more will have upgraded from iOS 4. However, when we look at the Android data, the report claims 56% of Android users are using significantly outdated OSs that lack major security fixes.
The problem is that it can take months and months for an Android update to reach a user, and even then, it might not actually get to you at all. Currently, Android 2.2 Froyo is the most popular version of Android in use, even though Google’s onto 4.0 Ice Cream Sandwich now (and 2.3 Gingerbread has been available for months). With phone makers needing to reskin each Android update, the process of releasing tweaks and improvements is drawn out so long that there’s already a new release by the time an update ships.
Primarily because of the permissions an app can be granted, and because of the very laggy update schedule, Android is an unsecure platform. However, that isn’t to say improvements can’t be made. With Ice Cream Sandwich and recent Android phones, Google is slowly shifting to a fort that’s a little less open but, in turn, a little more secure.
Would you prefer a less restricted, open ecosystem for Android, or a more closed, secure one? Share your opinion in the comments.