Google Gives Android Security Four Stars

Study Reveals Abuse of Mobile App Permissions

One of the current versions of common wisdom is that Android apps essentially are a cauldron of malware, waiting – like the plot of a sci-fi film – to be released and cause havoc (at least for 90 minutes). Apple’s security, on the other hand, is like a romantic comedy: Some complications arise and a few tears are shed, but there is little doubt that everyone will be happy at the end.

Google has pushed back on that assessment on two fronts. The first salvo came from Eric Schmidt, Google’s chief executive. At the Gartner Symposium/ITxpo last week, he responded to a question from Gartner analyst David Willis on that common wisdom. Schmidt’s answer, according to The Verge: “Not secure? It’s more secure than the iPhone.”

The other defensive voice about Android security heard this month came from Adrian Ludwig, Android’s chief of security. Speaking at the Virus Bulletin conference in Berlin, Ludwig said that only 0.001 percent of apps downloaded by Android users are harmful to devices or data. This, according to the InformationWeek story on the presentation, includes apps from Google Play and elsewhere. Ludwig’s comparison of Apple and Android’s security approaches sounds more like it comes from a biologist then a mobile device expert.

Some research validates the pro-Google position. A study done by the A*STAR Institute for Infocomm Research and Singapore Management University suggests that the approach taken by Android may have inherent advantages over Apple’s. The story at Phys Org describes Apple’s highly controlled model and Android’s approach, which simply is to ask users for permission for apps to access necessary onboard assets.

The bottom line is that the Google apps made requests that were more in line with positive security, according to the story:

The researchers found that 73% of iOS applications, especially advertising and analytical code, consistently accessed more SS-APIs than their counterparts on Android. Additionally, the SS-APIs invoked by iOS tended to be those providing access to sensitive resources such as user contacts.

Another important avenue to securing Android was described last week at Tom’s Guide. The story, by Marshall Honorof, discusses third-party Android security apps. The bad news, according to Kaspersky Lab, is that only about four in 10 Android owners use these apps. The story also describes the Android Device Manager, which is a service from the operating system vendor that is available in Android 2.2 and higher.

Judging whether Android is more or less secure than iOS or any other operating system misses the point and is of little interest to end users, as ReadWrite’s Matt Asay points out. The bottom line is that Google’s open approach potentially provides a tremendous amount of security, but relies on users to proactively use it.

Unfortunately, most users don’t use the security tools available to them. And we all know how that movie ends.