
How Secure Is Android, Really?

Dear Lifehacker,
I keep hearing conflicting arguments on the state of Android security. Eric Schmidt says it's more secure than the iPhone, but people laughed at him. Plus, I keep hearing about the threat of Android malware. Who's right? Is Android safe? Should I install security software like I do on Windows?
Sincerely,
Locked Down Droid

Dear Locked Down Droid,
The Android security debate isn't going to go away anytime soon. There are smart people on all sides of it, but at its core are a few important things every Android owner should know. Let's cut through the fog, shall we?

The Short Version: Android Is Secure...Users Aren't

Let's get this out of the way. Android as an operating system is very secure. It has multiple layers of protection to keep malware at bay, and it requires your specific permission to do almost anything that could lead to your data or the system being compromised. However, Android is an open system that trusts you the user and its community of developers to do the right thing. If you want to, you can give away a lot of permissions, and even access to deeper parts of the system if you've rooted your phone. Android tries to protect you from yourself, but if you nudge it, it lets you have the final say on what to install (and from where, like unknown sources and beyond the regularly-patrolled walls of Google Play) and who to give permissions to. As with every security discussion, those things open you up to malware not because they're bad, but because users are the weak link. So when people talk about Android security, it's not that Android is inherently insecure, we are. Android gives us a lot of power, and with great power comes great responsibility.

The Long Version: How Android Security Works

Android was designed with security as one of its cornerstone principles. Without comparing it to any other platform, it does a really good job of making sure processes don't collect too much information (or use too many resources) without permission, no one app or process gets access to the system level without adequate privileges, and that the user is generally always aware of what's happening behind the scenes.

Earlier this month, Steven Max Patterson argued in a piece at Quartz that Android is almost impenetrable to malware. Hyperbole aside, he based the assertion on a presentation that Android Security chief Adrian Ludwig made, where Ludwig revealed that "less than an estimated 0.001% of app installations on Android are able to evade the system's multilayered defenses and cause harm to users." Put simply, Android has multiple layers of defense to protect itself against malware incursions, and since Google started paying attention to what users install on their devices, they've seen very little malware appear.

As an example of this, Ludwig presented the graph above (and below, both included in the full slide deck). Just to get installed, an app has to get through Google Play or an unknown sources warning (if it's enabled on your phone), and a user who confirms the installation. Past that, it has to get past Google's "Verify Apps" security feature, which checks an APK against its own database of malware before it can be installed (more on this later). Then, the app is sandboxed and restricted to the permissions granted to it, and Android's own security checks again whenever the app runs.

Ludwig goes on to note that even though security researchers and even the Department of Homeland Security have noted upticks in Android malware (PDF), no one besides Google has the tools to view actual install data, and they're just not seeing malware manifest in large numbers. Says Patterson:

The problem Google wants to solve is that most independent security researchers don't have access to a platform such as Google's to measure how many times a malware app has been installed. They are analogous to human disease researchers without a CDC to measure the size of a disease outbreak and coordinate a response. Security researchers are very good at finding and fixing malware, but in the absence of reliable data that indicate how frequently a malware app has been installed, the threat level can become exaggerated. Reports that reach publication are often extremely exaggerated. To emphasize this point, Ludwig revealed in his analysis that some of the most publicized recent malware discoveries are installed in less than one per million installations.

Now, of course Google's data is going to say they don't see malware in the wild. Google has skin in this game, and they're going to pick and choose the best possible data they can collect to paint Android in the best possible light. That doesn't necessarily make the data false or questionable, but it does mean you should take it with a healthy grain of salt. Unfortunately, they're also the only ones that could really provide that data for us. Google collects this information every time you install an app as long as you use the "Verify and Install" option that appears on your phone when you install (some users may see "Verify and Install" as well as "Package Installer" depending on their device), or if you install via Google Play directly. If you're not using it, here's why you should:

The new security mechanisms appeared about a year ago when new versions of Android started shipping with Verify Apps. Verify Apps intervenes when an app is downloaded, compares it to a large database of malware information curated by Google and warns the user if the app is potentially harmful. Verify Apps is also distributed to older Android versions by including it in updates to the Google Play app that is used to download apps from Google's app store. Checking and blocking apps is enabled by default requiring a user to choose to disable it in order to circumvent its protection.

So it would seem that all's well on the Android front. If you use your phone in the usual way, install from trusted sources (even if you're sideloading), and use your head when you install apps, the odds you'll get malware on your Android device are exceptionally slim. The case is data-driven, and it's convincing to be sure. However, it's not a complete picture.

There's a little in-between-the-lines reading left out of the Quartz piece that's equally important to note. A couple of caveats not mentioned but easily gleaned:

Google can't count malware it doesn't see. All of the data here is based on app installs that Google gets data on through "Verify Apps," available with Google Play in Android 2.3+. If you don't use Verify and Install when sideloading, or you get your apps from another source like the Amazon Appstore (or you're sideloading from a third party), you don't get included, or protected. That's a big caveat: it essentially means "Of the malware Google can see, it's not seeing much of it." To boot, there's an open and fairly significant issue with Verify Apps that affects a lot of phones. Google has fixed it, but the fix needs to be rolled out by carriers and OEMs to users, which is a whole other part of the security problem that's unresolved. Google's been busy making Android modular specifically to get around this problem, and with luck we'll see improvements in Android 4.4 Kit Kat.

Android has defenses...to protect itself, not your data. This is probably the biggest gaping hole left unaddressed by both the presentation and the ensuing commentary. It's one thing if an app is potentially harmful because it compromises Android in some way, but if the app isn't interested in control over your device or isn't a rootkit, that multi-layered defense only protects you up to the point where you install it. If the malware is designed to capture your data, location, usage, contact list, email addresses, or other data on your device, none of that is addressed (and frankly, it's not well addressed by security companies either. It really is a "watch what you install" kind of thing.)

Lack of installs doesn't equal a lack of malware. The fact that Google doesn't see a ton of malware installs through its own sources is great news, but that doesn't mean the malware isn't out there in the wild, and it doesn't mean that the threat of it isn't real. It means that the myth of infected handsets everywhere is definitely oversold by security companies, but it shouldn't make anyone more comfortable installing "AngryBirdsPremiumLulz.apk" from a shady website, thinking Android's defenses will protect them.

Many of Android's defenses are bypassed with a few taps, or by users. For many Android users, the first thing we do is turn off the "unauthorized sources" warning so we can sideload APKs we've backed up, or install from web sites or other sources. Want the Grooveshark Android app? Turn it off. Plan to sideload an app you had on your old phone that's no longer available? Turn it off. Have your phone rooted, or have a completely new ROM installed? Google may not count you either. That's just expert users; novice users who aren't paying attention to permissions or authorized sources are a whole other problem, one with serious, real-world consequences. In any case, that's five of those seven layers of defense bypassed directly.

A lot has changed in the mobile security world since Chris DiBona famously called out mobile antivirus companies as "charlatans and scammers," pushing scareware and "playing on your fears to try to sell you BS protection software," back in 2011. While he's still right that conversations about mobile security often devolve into fear, uncertainty, and doubt without discussing real-world impact, it's much harder to dismiss the issue than it was back then.

So How Do You Protect Yourself?

At the end of the day, the real reason it's difficult to dismiss mobile malware is because the user is, and always has been, the weak link in the security chain. Android isn't alone in this: every platform, mobile or desktop, has the same problem. It doesn't matter if your garden is walled or open, if a user clicks install, it's all over. That's why it's so important to learn to tell if an Android app is malware before you install it.


Turn on your BS sensors, and take a look at app store reviews. Reviews are often a terrible indicator of app quality, but taken as an overall sentiment, you'll be able to see quickly whether an app does what it's supposed to do, or there's a trending complaint about strange behavior or dodgy permissions. Similarly, pay attention to the permissions an app requests before you install it. Don't just tap through it; ask yourself if the access requested is reasonable for the features provided. Check the developer's other apps, and look around the web for reviews from sources you trust. Worst case, if you have an old Android phone that works, try it there first to test it out before you put it on your daily driver with all of your data.

Finally, seriously consider installing a mobile security tool. There was a time when it was hard to recommend one, but even then most tools offer additional features that are worthwhile. In addition to active scanning, the best options also block known malware from third party sources and sideloads (a nice extra layer of protection for those of us who get our apps from more than Google Play), help you locate or remotely wipe a lost device, can back up your data automatically, and more. Also, long gone are the days where Android antivirus meant a slow phone and a dying battery; the best apps won't slow you or your phone down at all.
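The permission check described above can also be done on an APK before it ever reaches a phone. The following is an added example, not part of the original article: it parses the text printed by `aapt dump permissions` and flags sensitive requests that don't fit the kind of app being reviewed. The sample output, the app categories and their baselines are constructed for illustration.

```python
import re

# Real Android permission names; the grouping and descriptions are this example's own.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS": "reads your contact list",
    "android.permission.READ_SMS": "reads your text messages",
    "android.permission.GET_ACCOUNTS": "lists accounts (often e-mail addresses)",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "tracks approximate location",
    "android.permission.READ_PHONE_STATE": "reads phone number and device identifiers",
    "android.permission.RECORD_AUDIO": "records from the microphone",
}
RISKY_ACTIONS = {
    "android.permission.INTERNET": "can send data off the device",
    "android.permission.SEND_SMS": "can send texts that cost money",
    "android.permission.CALL_PHONE": "can place calls without asking",
}
SENSITIVE = {**PERSONAL_DATA, **RISKY_ACTIONS}

# Hypothetical reviewer baseline: what each kind of app plausibly needs.
EXPECTED = {
    "timer": {"android.permission.WAKE_LOCK", "android.permission.VIBRATE"},
    "maps": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# aapt prints either  uses-permission: android.permission.X  (older builds)
# or  uses-permission: name='android.permission.X'  (newer builds).
PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)")


def parse_aapt_permissions(text):
    """Return (package, [requested permissions]) in the order requested."""
    package, requested = None, []
    for raw in text.splitlines():
        line = raw.strip()
        pkg = PKG_RE.match(line)
        if pkg:
            package = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        if perm and perm.group(1) not in requested:
            requested.append(perm.group(1))
    return package, requested


def review(text, category):
    """Flag sensitive permissions outside the baseline for this app category."""
    package, requested = parse_aapt_permissions(text)
    allowed = EXPECTED.get(category, set())  # unknown category: nothing is assumed
    unexpected = [(p, SENSITIVE[p]) for p in requested
                  if p in SENSITIVE and p not in allowed]
    reads_data = any(p in PERSONAL_DATA for p in requested)
    return {
        "package": package,
        "unexpected": unexpected,
        # Personal data plus network access is the combination worth a second look.
        "can_exfiltrate": reads_data and "android.permission.INTERNET" in requested,
    }


# Constructed sample mixing both aapt line formats; not output from a real app.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.sleeptimer
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.SEND_SMS
uses-permission: name='android.permission.VIBRATE'
permission: com.example.sleeptimer.permission.C2D_MESSAGE
"""

if __name__ == "__main__":
    result = review(SAMPLE_AAPT_OUTPUT, "timer")
    print(result["package"])
    for name, why in result["unexpected"]:
        print(f"  unexpected for a timer: {name} ({why})")
    if result["can_exfiltrate"]:
        print("  reads personal data AND has network access")
```

A flag here is a prompt to ask why the app needs the access, not proof of malware; a permission may be used in a way that isn't obvious from the feature list.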


The mobile security debate right now is in roughly the same place as the desktop debate. It's fair to point out that the mobile threat has been overplayed and overhyped, and it's also fair to say that the vast majority of Android users who install apps from known, good sources, and don't get themselves into trouble will never encounter malware. Just like on the desktop, an intelligent user, good downloading and installing habits, and common sense should be your first line of defense. Beyond that, we'd suggest a good Android security tool to cover everything else, scan for malware whenever you want to, and benefit from the extra features and protection they offer.
Photos by payalnic, psd graphics, psd graphics, psd graphics, Family O'Ab, senzo senso, and Uncalno Tekno.

Discuss

bangishotyou to Alan Henry (14)
At the end of the day this article covers all the main points a lot of uninformed people seem to miss and then cry "ANDROID HAZ MALWARE OMG" over.
1. Android is secure.
2. Malware is on every platform. EVERY PLATFORM.
3. Most issues are caused by the users (NOT the platform).
4. Malware exists (on every platform), but regarding Android it tends to be overblown/hyped to generate page clicks.
5. Don't be stupid (installing anything and everything from anywhere and everywhere) and this is something that largely shouldn't even be a concern to you/likely won't affect you.
Good article, Alan. Very informative and hopefully it can get the people crying wolf to rethink their positions and maybe use that thing in their heads a little bit more before going "ANDROID MALWARE DOOOOOOOM". Which is seriously annoying at this point.
10/16/13 8:23am

FlowerGirlPhysicist to bangishotyou (11)
Well, you know if all users were smart, some of you IT guys would be out of jobs. ;) In all seriousness though, yeah, people need to stop looking for a secure platform and worry about secure behaviors. Because the first without the second will get you nowhere.
10/16/13 8:32am

bangishotyou to FlowerGirlPhysicist (2)
Lol. Luckily that'll never happen. But yeah, no point in a secure platform if the users are still doing things they shouldn't be. To put it in a real world example. The company I work for has insane locks on our various entrances. Ranging from the front door requiring someone to buzz you in to both side entrances requiring both a fingerprint scan and PIN code entry to gain you access to the building/unlock the heavy steel door. Great security. The issue though that I face regularly is that way too many people DO NOT fully close the door when they enter/exit the building through the side entrances. Meaning all that security is rendered null and void because the door hasn't actually closed completely and thus the locks/protection haven't been fully engaged.
10/16/13 8:43am

Sypoth to Alan Henry (1)
While nothing is completely secure Android certainly is more secure than iPhone simply due to its Linux base and how Linux makes malicious software nearly impossible to install and run unless you simply install it blindly. The best security for any digital device is and always will be you the user, what you know, and how to avoid paranoia related and regular mistakes made by Most. If I had a dollar for every security problem I've removed from a friend's or family member's computer that was completely avoidable I would be a rich man.

First of all that nifty RFI and NFC capability is the biggest security hole in your phone, most people will leave it wide open and many people will use it to take data off your phone. Best to set it up so that those communication means are not always on and you have to activate them for them to transmit, it's not as hard as it sounds you can set it up so that a single button authorizes it for a set period of time, just don't make that time longer than 1 minute. Also don't install apps just because you can or think it's neat and cool or funky and hip, rather install only the ones you are going to functionally use, people use smart phones and tablets for a lot of stupid things most of which are just fads that die quickly, malware programmers are aware of this and will hide things inside of some of these apps, so be careful if you decide to go with the flow and get a program that is completely useless outside of acting and/or looking like a fool for fun.

Now, this doesn't just apply to Android either, this applies to everything you use and do on every operating system. If you see a pop up or an ad that says you have such and such vulnerabilities or viruses etc on your computer never and I repeat and emphasize NEVER click on them, same with "Are you sure you want to leave this page" boxes, just click on the X to close the box or close the tab/browser entirely even if you have to go into the running programs to terminate it from there.

Personally I like Android better than Windows mobile and iOS but that isn't because I'm a "fandroid" but rather that I love its flexibility, versatility, and ease of use more than the other two. Windows mobile has the first two down but iOS offers none of that. The ONE Android device I own (a small tablet) the only reason I got it was because I planned on using it as a mobile productivity tool, so it literally has had no games silly apps or apps that don't allow me to do something that isn't proactive or constructive to aid me when I am doing something. iOS would never serve the needs I have for such a device as it is constrictive, limiting, and demands I conform to what Apple says I can and cannot do/say/think/feel/want. Windows mobile is just a mess and I hate the interface which gets in the way more often than not when I am trying to do something. Either way what you use is up to you, like it or hate it, but in the end the biggest threat to the security and the strongest protection lies in you the user.
10/17/13 12:32am

Tim Tringle to Sypoth
Linux is based on Unix. iOS is a version of OSX. OSX is derived from NextStep, OpenBSD and FreeBSD. You should try to remember that when attempting to make Android seem more secure due to its Linux / Unix origins. It is something both systems share the benefit of.
10/17/13 6:52am

Sypoth to Tim Tringle
I am well aware of OSX/Unix and Linux/Unix relationship however last I used Unix it did not require root access to install a program, Apple is only Unix because it lost lawsuit after lawsuit for selling Linux in the very first version of OSX or did you not know that? The security of Android also does not rely simply on its core processes either but has added layers of security as Google so does love keeping your data to themselves rather than letting others steal it and use it as they wish, much like Facebook. Now I also made my entire post out to show that the user and their habits as the biggest vulnerability to any device despite their OS, or did you not get past the first part because you are an iOS fanboy and just had to rant at me about an easily known fact?
10/17/13 10:51pm

petethickett33 to Alan Henry (2)
So as a new android user, what would you guys recommend for me? I don't plan on rooting, or loading anything on my phone that isn't straight from the play store. EXCEPT I did have to turn off the trusted sources thing briefly to get lotus traveller installed for work. This article was great at making me feel good about the OS itself, but for me, what should I install, if anything, to keep myself protected?
10/16/13 8:15am

bangishotyou to petethickett33 (4)
Honestly, as a power/heavy user, I don't think you need to install anything. Just make sure "Unknown sources" isn't selected in your security settings and make sure "Verify apps" is selected in the same settings and you honestly should be good. Especially if you're solely downloading from the Play Store. Just as a precaution though, read reviews if you aren't sure about an app. They're usually pretty informative and people will quickly call out the ones that are malware or fake (meaning copies of other apps but by unscrupulous developers). If you really aren't sure though, I'd recommend Lookout. It seems to be the go to from a security standpoint for most people. I personally don't use it, but I'm a smart user and know what I'm doing. (I wouldn't even be considered your typical Android user. I root and use ADB and all that stuff the average person doesn't need or know about.)
10/16/13 8:29am

ksurl to petethickett33 (1)
for the most part, it's a good rule of thumb to stick to the play store if you're unsure. if you do want to try some new app out that isn't on the store, make sure to see others commenting it works without issues.
10/16/13 8:33am

dccorona to Alan Henry (2)
I notice lots of apps asking for permissions they don't need...I think there's some devs with the mentality that "lets ask for it in case we need it some day". What I want to see is the ability for me to block permissions on a per-permission basis but still download the app. If it truly does use it, it can fail to run until I give it permission.
10/16/13 10:28am

AlexanderPrime to dccorona (1)
Permissions can be added or removed with each new update, so it's not likely that a developer has requested one "just in case". More likely, the developer discovered they needed the permission for some feature while testing, but the code that uses it was removed and the permission request remains present but is never used.

Depending on which permission we're talking about, there's also the chance that it actually is used, and is somehow vital to the app's functioning, but in a subtle way that might take some conversation with the developer to figure out. If they're particularly responsive, they might be willing to try implementing the feature differently to eliminate some permission requests.
10/16/13 11:03am

ChromoZoneX to dccorona (1)
Take a look at App Ops.
10/16/13 11:33am

Common-tater to Alan Henry
The bottom line is, Android is Linux. Despite the myth that Linux is impervious to viruses, the Linux kernel and all of its supporting software and drivers have had their armor pierced on numerous occasions. Being open-source also makes it no safer, despite the myth to the contrary. It's software, written by humans, who make mistakes, and/or don't take into account how their software might can when something unexpected is done to it. Linux has been a prime target for hacking since it runs the world's servers. Linux now runs the world's phones. You better believe it's still high on the hit list of things to find holes in.

This doesn't mean iOS or Windows Phone are any safer. I'd rank Apple lowest in terms of security. They've always had a pretty poor track record of maintaining security. Microsoft keeps on top of vulnerabilities pretty well, despite the bad rap they get, but they still get poked at just like everybody else. The same rules apply to your phone as your desktop computer. Be smart on what you install or the sites you browse. Keep your software up to date. And keep a password on your phone so that someone can't do something to it if they find it laying around, or you lose it.
10/16/13 12:45pm

19B4 to Common-tater
FreeBSD. Wait, never mind. Anything that allows the user to install or execute instructions is vulnerable - something I kept in mind when I eventually collected 4 laptops, 3 desktops, and two Android phones. To be fair, I need one of the laptops for work, one for compiling, and the other two to test distros on. #ramble
10/16/13 1:47pm

doodledeveloper to Common-tater (1)
Open-Source has a clear advantage security wise - peer review. I write something, you get to read it & tell me how sh*t it is (by pointing out what I hadn't thought of), and we both work to make the product better. That is extremely limited in closed-source applications. Opensource can patch & release daily (and many projects do just that), whereas the turnaround for closed-source is much, much longer. Is Linux impervious to viruses? No, clearly not. But I've never seen one that's done any damage beyond the user permissions of the user that's infecting the system. That's why it's severely frowned upon to constantly work as root etc. GUID escalations are pretty trivial within Windows - though Win 7 has got better at locking this down with UAC, and I can't in honesty comment on Win 8 as I've not used it.
10/17/13 12:52am


AlexanderPrime to Alan Henry (1)
On any modern system, you should not need invasive malware protection of any kind installed. The basics that come with the platform will be more than sufficient if you observe the following:

Don't go around installing random shit you don't need from untrusted sources. That's it.

On Android especially, if you need to have Package B installed in order to keep yourself safe from Package A, just get rid of them both. You'll be doing yourself (and probably your battery) a huge favor. 10/16/13 10:56am

DragonPhyre to Alan Henry (1)
Best part about Cyanogen is that I don't have to let any app have ANY permissions by default. Every app is locked down and can't do ANYTHING until I specifically let it. Sleep Sound App? You don't need Internet, contact list, or MMS access. Timer app? Yeah, you don't need Internet or SMS access either. But phone wake you can have. That is handy. And dozens of others. I know that devs make money on the ads... but if there are micropayments in the app, or if I already paid for an app, then piss off with the ads.
10/21/13 1:55pm

mrd1 to Alan Henry (1)
I received that choice: package installer or verify and install. I chose package install, then selected to always use that option. :-( I tried to clear the defaults from package installer.. no such luck. Any idea how to go back to the choice again?
10/16/13 8:15am

LisaB79 to mrd1
Probably by going to System Settings > Security and then check "Verify Apps"
10/17/13 5:02am

WajdJT to Alan Henry (2)
Actually, with a recent update, they introduced an optional feature called App Ops which does kinda the same as privacy guard by cyanogen mod. If activated for an app, it returns blank data to the app.
10/16/13 9:16am

bangishotyou to WajdJT (1)
Just remember that App Ops is kind of "hidden". Your average user won't be aware of it, much less know how to get to it. So it's great to mention, but pointing out something without telling others how to use it or access it kind of defeats the purpose. We gotta think of the noobs and all.
10/16/13 1:19pm

WajdJT to bangishotyou (1)
On second thought, I agree with you. However, I think it's still a feature in development since it might cause apps to crash. They'll probably tell users about it after they complete it. Just my 2 cents.
10/17/13 1:09pm


ChromoZoneX to Alan Henry (3)
This is a great article Alan. It is quite possibly one of the better articles on Android I've read in a while! :D
10/16/13 11:34am

doodledeveloper to Alan Henry (3)
I've long been a proponent of the mantra "security is a myth." Make a choice:
- A totally secure system.
- A system that has users.
You can only pick one.
10/17/13 12:45am

NovemberGold to Alan Henry
It really comes down to this. If you don't root your phone and don't side load, Android is very secure. It is actually more secure than an iPhone. If you choose to root your device and sideload apps, then you should know what you are doing. I do both of these and have never gotten malware. Why? Because I am knowledgeable enough to make good choices or I gain that knowledge through xda-developers.com or another Android developers site. If you don't know what you are doing, then don't do it.
10/18/13 7:16am

Faslane to Alan Henry
Somewhat off topic kinda but has anyone actually had a virus or malware on an Android Phone? I see all these utilities like Avast, Lockout and now even Malware Bytes for Android but have tried them all and never encountered an issue of any kind. Some of these apps have other features in addition to protection which is handy, but curious if anyone has actually ever been infected.....thoughts?
10/17/13 10:03am

to Alan Henry (2)
One of the most rational, well thought out, unbiased and well written articles I've seen on the subject. And unfortunately, one that few flamers (or lazy browsers) will read past the title. :-{
10/16/13 4:31pm

Tim Raines to Alan Henry
The iPhone is more secure than Android in the same way your house would be more secure than your current one if you rebuilt it with no windows and no doors. It would be "safer", but even YOU couldn't get in.
10/17/13 9:50am

MoreGhostsLessStuff to Alan Henry
Insecurity of any platform = PEBKAC. Humans are the weakest link. An educated human goes a long way to protect themselves from malware.
10/16/13 1:53pm
