
Flabbergastingly insecure: Google's Android is the new Flash


Several years ago, Steve Jobs called out Adobe Flash as a trainwreck of security and performance problems, garnering him contempt from industry players deeply invested in the software platform. Today, Google's Android platform is getting the same brutal appraisal, but it's coming from Android's own fans.

Google's Flash in the Android pan

Today, virtually everyone agrees that Flash is a petulant boil on the web. Wired recently referred to Flash as "that insecure, ubiquitous resource hog everyone hates to need," in an article detailing both Mozilla's efforts to disable Flash in its browser and Facebook's security chief Alex Stamos calling for Adobe to give Flash a kill date.

Even Google— once a staunch proponent of Flash back in 2010, when it hoped to wield the closed source web middleware as a distinguishing feature of Android tablets compared to Apple's Flash-free iPad— has made great efforts to distance itself from the persistent headache that is Flash.

Google's new opinion of Flash came only after a very painful experience of working to deeply integrate Adobe Flash into Android and its web browser. Rather than proving that Apple was wrong about Flash being unsuitable for mobile devices, Google provided clear evidence that the years of engineering effort it expended on baking Flash into Android were a fool's errand.

Hundreds of millions of Android devices gained a supposed advantage in being able to play back some Flash content, but at the painful cost of suffering grievous software flaws, including massive security holes such as the serious malware vector for the "Fake ID" exploit discovered by Bluebox Security last year.

Despite earning so much contempt, Flash remains ubiquitous. If you surf the Web with Flash warnings turned on, a startlingly high percentage of websites insist on trying to load the Flash Player plugin, even when there's no obvious reason: no videos to play back, no weblet games and no over-the-top navigation animations. Flash on the web is like High Fructose Corn Syrup in America: broadly frowned upon, but awfully difficult to avoid.

Hence the growing chorus of security experts and platform vendors calling for Adobe to simply call it quits on Flash.

Android is a lot like Flash

The same engineers and product managers at Google who thought shoehorning Flash into Android was a good idea also created the rest of Android. Somewhat ironically, Google even brands Android with a robot logo usually portrayed in the sick color of a sinus infection discharge.

The lack of thought put into every aspect of Android clearly shows: the platform is now the world's largest toxic malware sinkhole, a dubious achievement given that Microsoft garnered so much outrage for building a platform of garbage so terrible that a Windows PC was guaranteed to be automatically deluged with malware and viruses simply by being plugged into the Internet.

Android recently surpassed Windows not only in unit shipment "popularity," but also in its rampant insecurity as a platform. What started with a series of massive vulnerabilities— exacerbated by Flash but not entirely the fault of Flash by any means— has now gotten to the point where virtually any Android device can be taken over by a single malicious text message, thanks to the latest flaw to be discovered: Stagefright.

Android Stagefright malware

Vulnerabilities exist for other platforms too, for everything from Red Hat Linux to Apple's own iOS and OS X. The primary difference is that serious enterprise software vendors— like Apple— work diligently to patch and distribute their fixes to every possible user. For years, Apple has been patching potentially exploitable flaws for iPhones, iPads and Macs originally sold three to four years ago, and in some cases many more years prior to that. That has helped secure Apple users from exploits, in most cases before malicious code could even be written to take advantage of discovered flaws.

Other mobile platforms can't claim that: Symbian, webOS, BlackBerry, Windows Mobile and in particular Android have all done a terrible job in distributing new software patches to existing phone users. The same hardware vendors who previously maintained a dismal record in distributing security update patches for their phones before Android have continued to shirk their responsibility to quickly work to patch vulnerabilities under Android.

Even when Google makes efforts to patch a known flaw in Android, hardware vendors seem to have little interest in promptly rolling out the patches to their existing users, in large part due to the complexities in tweaking patches to work across the tens of thousands of slightly different Android models now in use. On top of that, mobile carriers often erect their own impediments to complicate the distribution of Android patches, because each carrier also tweaks the legions of hardware models they carry with their own customizations.

Lorenzo Franceschi-Bicchierai, a self-described Android fan, recently wrote a piece for Vice Motherboard that lamented the sloppy state of security that exists for Android, noting that "Android users are basically at the mercy of their carriers and phone manufacturers when it comes to getting updates or new operating system versions."

He cited a deleted tweet by security researcher Nicholas Weaver which stated, "Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android."

Android security problems are worse than Flash

Really, the security problems on Android are worse than Adobe's incessantly updated garbage-ware known as Flash. It's a pain to keep your browser's Flash Player up to date, but at least it's possible if you don't mind installing new software updates over and over, seemingly every time you are forced to use it.

With Android, basic security isn't even a possibility unless you are a savvy enough engineer to maintain your own code base and regularly compile a new kernel yourself. Even then there's a problem: in many cases, Google doesn't care about your problems any more than the carriers and their hardware partners do.

For example, Google's Android WebView, tainted by the company's efforts to deeply integrate Flash, remains unfixed for hundreds of millions of users despite the fact that a 60 percent majority of Android users were affected by it back in January when the code was publicly reported to be riddled with serious flaws.

While Google's adoption figures for newer versions of Android software continue to slowly increase, six months after the issue was widely reported, nearly half of the entire Android installed base actively using Google Play remains vulnerable to the serious flaws in WebView that Google simply refuses to fix.

Imagine if there were a long list of severe flaws in Flash, affecting the majority of its users, which Adobe shrugged off fixing because it hoped those users would just eventually buy newer computers. That would be outrageous anywhere else but in Android-land, where it's just business as usual.

Android's security issues a result of Google's design

Android isn't just poorly maintained by a series of partners who don't care about their users. Google has regularly taken positions that put Android users at high risk by design, carelessly hoping that nothing would go wrong. This is evident in Android's core policies, often made in ideological contempt for Apple— of which Google's breathtakingly stupid embracing of Flash for mobile devices is just one example.

At the very core of Android's ideological open-source freedom concept is the notion that devices don't need any sort of security policy blocking executable software from being casually installed via a URL link, NFC or most recently, Google's latest "Eddystone" attempt to compete with Apple using an iBeacon-rivaling new protocol that lets random BTLE devices send URLs to mobile devices. It's almost as if Google wants Android to be insecure.

From the very start, Google championed the idea of being able to load software from virtually anywhere as an example of Android's "freedom," but the reality is that "open app stores" are just as insane from a security point of view as hardwiring Flash into the browser. The primary reason why virtually all mobile malware in existence is written for Android is the simple fact that it is astoundingly easy to distribute malware leveraging the permissive security policies that let most Android devices install software from anywhere, in some cases without the user ever being aware that software is even being installed.

Last year, Google's Android chief Sundar Pichai stated, "If I had a company dedicated to malware, I would also send my attacks to Android," suggesting that his platform's malware problem was mostly due to Android's broad use, drawing parallels with Microsoft's notoriously malware-riddled Windows platform.

If Android and Windows were the only global platforms with around a billion users, that idea might be believable. For years, Apple's relatively small Mac market share among PCs kept alive the notion that as soon as Macs reached a certain proportion of PCs, they too would be overcome with rampant malware issues.

However, Apple's iOS is now poised to soon pass Windows in unit shipments. And while a greater number of generic mobile devices have some version of Android on them, Apple's ability to keep most of its users on a modern version of iOS less than a year old means that a greater number of devices run iOS 8 than run a year or two old version of Android. Apple has hundreds of millions of iOS users, and tens of millions of Mac users; it just doesn't have the massive malware problem of Android and Windows.

That indicates pretty clearly that malware isn't just an unavoidable byproduct of popularity. Like other predators, malware authors seek out vulnerable populations, not just crowds. Apple's security policies that keep iOS vulnerabilities patched, iOS users up to date and iOS apps secured haven't stopped the media from writing deceptive scare pieces implying that iOS is just as bad as Android, but they have made it virtually impossible to commercially benefit from writing malware for iOS.

On the other hand, there's lots of money to be made in scamming and spying on Android and Windows users. Software to spy on Android and Windows users is openly sold on the Internet, but similar tools for iOS aren't available— even to law enforcement— unless the spy victim has their phone jailbroken.

FinSpy malware can't infect iOS without jailbreak

That indicates that while iOS is clearly a valuable target to malicious hackers, the platform is protected well enough by Apple to make it effectively too expensive to continuously target and retarget as past exploit vectors are eliminated or blocked.

Google has repeatedly left the majority of its users unprotected against known problems, making it easy to exploit those users and profit from doing so. That makes the hundreds of millions of iOS users like a swiftly moving school of fish in the eyes of hungry predators, while Android users are more like a herd of caribou in which more than half of the population is lame and unable to evade even the laziest of attackers. iOS is a frustrating target, while Android is an easy kill.

Android's demographic becoming even less valuable for Google to secure

Complicating the current malware situation for Android is the reality that iOS already represents the demographic cream of the market. Apple's users shop the most, buy the most apps, browse the most and are worth more to advertisers. As Android's malware issue continues to raise hackles among even the platform's most ardent fans, that value proportion will increasingly favor iOS as the remaining valuable users defect to the only secure platform left.

That in turn will leave Google with even less valuable users to maintain and support. That migration isn't just conceptual. Apple's latest iPhone 6 has attracted record numbers of new users from Android, while Samsung, Android's largest licensee, has experienced a massive drop in revenues over a series of quarters. Few other Android vendors are even breaking even, let alone earning sustainable profits.

And yet, the same sources who consistently reported that Apple was fated to eventually inherit a malware crisis due to volume shipments are now fretting that Apple is on the brink of disaster, and that next year's iPhone will have a hard time attracting users, even though there is zero evidence supporting this idea.

It's almost as if pundits and ideologues think that making excuses for Android will erase its problems, while inventing new catastrophes of doom for Apple will sink its success, if only they can repeat themselves enough to make their ideas come true.

That's a strategy that hasn't worked out for them for the last decade.