Android Security – Swiss cheese pt. IV

Reply to this post

RFM AvatarSmall

 

 

 

 

 

Another horrible hack that Google is powerless to address. 

  • The worst part of this latest breach is that the hackers are targeting vulnerabilities in Android that have been well known for some time which no-one appears capable of fixing.
  • This only serves to reinforce my view that Google’s only way out of the nasty mess of Android fragmentation where virtually no phones can be properly updated remains to take Android fully proprietary.
  • 3m Google users appear to have had their accounts stolen which are now being used to generate $320,000 per month in fraudulent advertising scams.
  • The Gooligan exploit is a variant of Ghost Push which came to light in September 2015 some 14 months ago meaning that there has been plenty of time to issue a fix.
  • The problem with Android is not that it has any particular flaws that make it less safe than iOS or Windows but that none of the fixes for these problems ever make it onto the affected devices.
  • There remain two reasons for this:
    • First: The infrastructure for updating Android devices is horribly fragmented with each manufacturer or operator having control if its updates.
    • With all the different variations and add-ons, extensive testing is required to ensure that the variations and add-ons don’t break when the phone is updated.
    • Furthermore, because none of these players own the end relationship with the customer they have no incentive to improve it.
    • I think that this is Google’s most pressing problem (see here).
    • Second: Most Android handsets cannot be updated.
    • Android is a commoditised, brutally competitive market meaning that in the mid-range, every cent of cost matters.
    • Making a device updateable means that extra storage and memory must be added to the device which are never reflected in the price.
    • Hence, the vast majority of Android devices are not updateable to later versions of Android as there is no incentive for the device maker to add this capability.
  • The net result is that there is very little prospect for owners of these devices ever to be free from this problem or any of the others that have emerged for Android without buying a new device.
  • This is far beyond the means of most Android users meaning that they will constantly be exposed to any new threat that emerges with little prospect of it ever being fixed.
  • This is just another reason why usage of Android devices is likely to continue trailing that of iOS and why these devices are likely to yield a much lower return for the ecosystems that run upon them.
  • For example, RFM estimates that Google can earn $31.6 per user per year from an iOS device whereas its own Android devices can only generate $14.0 per user per year on average.
  • Part of this is due to the differences in demographics between the two ecosystems but I am certain that most of it is due to the fact that Android devices are more difficult to use, less secure and as a result generate much less traffic.
  • Consequently, I think that Google has to take control of Android because in its current state, it is very unsecure where very little is likely to change.
  • I continue to believe that this may happen in 2017 as Oracle has provided Google with the perfect excuse to do so (see here).
  • I remain pretty cautious on Alphabet preferring instead Tencent, Baidu and Microsoft.

RICHARD WINDSOR

Richard is founder, owner of research company, Radio Free Mobile. He has 16 years of experience working in sell side equity research. During his 11 year tenure at Nomura Securities, he focused on the equity coverage of the Global Technology sector.

Blog Comments

By all rights Android should be getting a thorough trashing in the media but it’s not for some reason, governments should be warning against Android but it’s just not happening.

The power and influence Google holds is the only reason I can see why.

Back in the day Microsoft got such a public trashing over the security around Windows XP it made them take security very seriously ever since.

It’s a sad state of affairs that today Google who increasingly resemble Microsoft from that era seem to be given a free pass.

I suspect that much of it is because not many people bank on their mobile phones and also the proven damage from these hacks has also been small so far.