ACLU: Google is embarrassed by Android security, isn't protecting vulnerable users like Apple's iOS
The difference between encryption and security on iOS and Android isn't just a technical issue but a "digital security divide," according to the principal technologist for the American Civil Liberties Union. That's because Apple secures its devices while Google leaves Android open to data collection and surveillance.
Speaking at the EmTech conference hosted in Cambridge, Massachusetts by the MIT Technology Review, the ACLU's Chris Soghoian said that Apple's efforts to protect the privacy of its users, including end-to-end encryption of their communications, effectively separate the company's more affluent iOS users from the poor and disadvantaged forced to use Android.
Given that the cheapest brand new iPhone costs $650, while Android phones can be found for less than $100, Google's efforts to facilitate hardware production as cheaply as possible in order to subsidize it with an advertising business model supported by data collection effectively create what Soghoian described as a "digital security divide."
"The phone used by the rich is encrypted by default and cannot be surveilled," Soghoian said, "and the phone used by most people in the global south and the poor and disadvantaged in America can be surveilled."
That's because "Apple sells luxury goods and Google gives away services for free in return for access to data," Soghoian said, highlighting that the difference wasn't purely technical but a corporate decision.
"Google has by far the best security team of any company in Silicon Valley," Soghoian said, but added, "the security people I know at Google are embarrassed by Android."
iOS Encryption, Android Surveillance
While Apple's chief executive Tim Cook has repeatedly taken a staunch position on the side of Apple's customers and their rights to privacy, resisting efforts by government agencies or marketing firms to spy on users or collect inappropriate or excessive personally identifiable data for any reason, Google hasn't.
Instead, Google has made tracking users and compiling data about their behaviors and activities a core part of its business model. That leaves encryption and privacy for Android an afterthought or even an obstacle.
At the same time, there's also clear evidence that Google has simply botched its broadly advertised efforts to add full disk encryption to its mobile platform. Android 5.0 Lollipop, released in 2014, was supposed to catch up to iOS in this area, but Android's encryption performance was so bad (due to Google's failure to support hardware accelerated encryption) that the company had to relax the feature's rollout, allowing even high end models like Samsung's Galaxy S6 and Google's own Nexus 6 to ship with encryption turned off.
Three quarters of Google's active users haven't even been able to install Android 5.0 over the last year. In contrast, iPhones have had full disk encryption activated by default since iOS 3 on iPhone 3GS in 2009.
Google Hangouts, the text and video chat service bundled with Android, also lacks end-to-end encryption, unlike Apple's iMessages and FaceTime. Last year, the Electronic Frontier Foundation reported that Google Chat and Hangouts, like BlackBerry Messenger; Facebook's Messenger and WhatsApp; Microsoft's Skype; Secret; SnapChat and Yahoo Messenger, all failed to provide end-to-end encryption, while Apple does. That hasn't changed.
Further, the "trivial to exploit" nature of the Android platform has enabled agencies, independent investigators and spies to buy off the shelf tools--like Gamma Group's FinSpy or Android RAT--that provide deep access to Android devices and essentially full control over listening to a user's conversations or even tapping the smartphone mic to listen to everything the user does.
A series of leaks regarding similar tools have consistently revealed that Apple's users have been protected from such surveillance tools unless their device is jailbroken, a process that deliberately switches off iOS security and which has become increasingly rare among the general population.
Surveillance of the poor using Android
Soghoian said this means "someone who uses a cheap Android device is a much easier target for law enforcement or intelligence agencies--which he argues are prone to abusing their surveillance powers," the MIT Technology Review noted.
Soghoian cited the FBI's snooping on Martin Luther King's phone calls in the 1960s, and noted that U.S. and overseas activists of today and tomorrow could be even easier targets.
"The next civil rights movement will use the technology against which surveillance works best," he said, stating that protest movements 'don't typically start in society's upper socioeconomic echelons.'
Apple's affordable luxury
Progress on removing this "digital security divide" has been made mostly on Apple's side, where even as new iPhones keep reaching far higher Average Selling Prices than the industry at large, the company has also worked to facilitate refurbished sales, while an independent, vibrant second hand market has long existed.
Apple's iPhone Upgrade Program, along with increasingly popular leasing programs operated by carriers, helps to make expensive technology affordable to a broader market, and recycles working phones to the second hand channel.
The security features of iOS 9, including full disk encryption, continue to work on iPhone 4s, a phone from 2011 that has long been sold for less than $50 by a variety of discount retailers.
Another change that has dramatically affected the affordability of iPhones is Apple's expansion of carrier support beyond AT&T and Verizon to a wide variety of small and regional carriers that offer more affordable, or more flexible, service plans.
In contrast, Google has focused on making Android "affordable" in overseas markets by partnering with hardware makers who add their own spyware and user tracking, or who load Android with additional software that exposes even more vulnerabilities.
Samsung, HTC and Motorola, as well as prominent software vendors in China (including search giant Baidu) have all made headlines for exacerbating the "embarrassing" security profile of Android, even on high end devices such as Samsung's Galaxy S6 Edge.