"Android was 2016's most vulnerable product"

[mikeymikec]

https://www.bleepingcomputer.com/news/security/android-was-2016s-most-vulnerable-product/

In other news, Win7 has a significantly lower number than Win10

 

[Ketchup]

I suppose this is news to some folks. Historically this OS has has had plenty of vulnerabilities, but it didn't matter because:
a. it wasn't a huge enough market, and
b. in the case of it's roots, wasn't typically in an environment that had free access to the world wide web.

Looking at the list, it comes as no surprise to see its roots (Linux) listed right below it. I noticed that my latest cell phone comes with an antivirus standard. Something my last phone didn't have. That's probably a good idea. It's probably only a matter of time until our phones and tablets turn into the newest targets for Malware, but I think the current structure for downloading apps onto devices (stores) is a huge leap from where we started with PCs (anywhere on the web).

 

[Red Squirrel]

What is the best way to protect ourselves from all these exploits? Most of the time my phone is on a wifi or otherwise behind some kind of router, so I'm probably safe, but what about when it's on data, it's basically directly connected to the internet. is there any firewall/AV apps for android?

Obviously keeping up to date is a good start, but I'm talking about general protection, for exploits that are perhaps not patched yet.

 

[Ichinisan]

What is the best way to protect ourselves from all these exploits? Most of the time my phone is on a wifi or otherwise behind some kind of router, so I'm probably safe, but what about when it's on data, it's basically directly connected to the internet. is there any firewall/AV apps for android?

Obviously keeping up to date is a good start, but I'm talking about general protection, for exploits that are perhaps not patched yet.

I'm pretty sure a firewall is not relevant to most of these vulnerabilities. Most are probably browser vulnerabilities and API vulnerabilities that allow malicious apps apps to bypass sandbox restrictions and access more than they should.

Get iOS.

 

[mikeymikec]

Get iOS.

Filing under "Macs aren't vulnerable to malware".

I don't know about you guys, but in my line of work I've encountered a grand total of one instance of mobile device malware first hand (which was on Android). IMO Android's only inherent vulnerability* at present is how some devices get left behind on an older version of the OS.

* - in the same way that Windows's main vulnerability is that programs can be installed via downloaded executables rather than say a heavily monitored/restricted scripting language. If that vulnerability was properly dealt with, Windows would have a lot less security problems, however just like with any OS the main vulnerability is the user and I doubt that's ever going to change.

 

[Ichinisan]

Filing under "Macs aren't vulnerable to malware".

I don't know about you guys, but in my line of work I've encountered a grand total of one instance of mobile device malware first hand (which was on Android). IMO Android's only inherent vulnerability* at present is how some devices get left behind on an older version of the OS.

* - in the same way that Windows's main vulnerability is that programs can be installed via downloaded executables rather than say a heavily monitored/restricted scripting language. If that vulnerability was properly dealt with, Windows would have a lot less security problems, however just like with any OS the main vulnerability is the user and I doubt that's ever going to change.

The part in bold is exactly what I was getting at. Not that iOS is never targeted for vulnerabilities.

That said, there's no question the OS is more locked-down and apps in the App Store are analyzed with more scrutiny.

 

[joutlaw]

One of the worst for Android was Certifigate in 2015 in my opinion. Some remote access tools were given legitimate access to Android system level permissions through device manufacturer signing. They typically had a manufacturer sign their add-on module with their platform key. These remote access tools had access to the frame buffer and could inject events (touch, keys, etc.). This allowed screen sharing and remote control of the devices for support purposes. The attack was other apps gaining access to the remote access modules and their app being granted those permissions.

 

[Elixer]

Yeah, that is the thing, makers just dump & run on the android market, and thus leaving all those devices vulnerable.
They should make it so that all devices which the maker won't support anymore, be fully unlocked & rooted, so people can update the OS if they want.
Of course, this don't help devices where you can't update the OS.

 

[Red Squirrel]

Is there a reason updates can't just come straight from Google anyway? Take Windows for example, does not matter if you buy a Dell or a HP, or build your own, the updates all come from the same place. Why is it different with phones?

 

[russ6150]

If you buy a phone from a carrier, say T-Mobile (what I have), you typically will have a non-rooted device that ships with their own custom ROM, along with some of their apps. So OS updates are pushed by / from the carrier.

You end up with a situation where, if you have any beefs with the device's behavior, T-Mobile shruggs their shoulders and says, "You'll have to call Samsung.". If you call Samsung, they say,....yeah - you guessed it.

As some of you already know, you can firewall a non-root droid by first creating a VPN on it, then you have control of the traffic. This *only* works on wifi, forget 4G. It also doesn't work with any UDP based transport layer. I have a no-root firewall and I like it a lot but - since it requires using up the one VPN you can run (at a time), you can't run another VPN client (like PIA).

Also - if you *do* run your (insert "privacy" oriented VPN client) on your droid, you are commiting "privacy suicide".

Think about it - now all your apps are not firewalled. Pretty much all of them are phoning home, using the IDs / keys / that are already unique to YOU, and now you've associated yourself with an IP address of some VPN.

 

[Ichinisan]

Is there a reason updates can't just come straight from Google anyway? Take Windows for example, does not matter if you buy a Dell or a HP, or build your own, the updates all come from the same place. Why is it different with phones?

Multiple CPU architectures and hardware features unique to specific manufacturers and models.

 

[Red Squirrel]

Hmmm I guess there's still lot of fragmentation then. They really need to work on a more standardized hardware system, kinda like how x86 / x64 is standard across all PCs.

 

[KeithP]

Android? But what version? It seems to me if they are going to group all different versions of Android into one category then they should do the same for different distributions of Linux (and OS X, Windows, etc., as well).

So it would seem Linux, by their own numbers, is actually the most vulnerable product for 2016.

-KeithP

 

[Ichinisan]

Android? But what version? It seems to me if they are going to group all different versions of Android into one category then they should do the same for different distributions of Linux (and OS X, Windows, etc., as well).

So it would seem Linux, by their own numbers, is actually the most vulnerable product for 2016.

-KeithP

The thing is, an Android device typically comes with the expectation that you won't be able to run the latest OS in 2 years.

 

[poofyhairguy]

I'm pretty sure a firewall is not relevant to most of these vulnerabilities. Most are probably browser vulnerabilities and API vulnerabilities that allow malicious apps apps to bypass sandbox restrictions and access more than they should.

Get iOS.

No, most are not API and browser vulnerabilities. Most of the issues on Android are tied to people who install applications from outside of the Google Play store and those applications have malware in them.

It is the same thing we have seen on Macs and PCs where pirate games and applications are injected with malware or viruses. The best way to stay safe is to simply avoid sideloading applications.

Also most major Android makers roll out OS patches for vulnerabilities (for at least their flagship devices). It's just that users don't get the full OS updates.

 

[Ichinisan]

No, most are not API and browser vulnerabilities. Most of the issues on Android are tied to people who install applications from outside of the Google Play store and those applications have malware in them.

It is the same thing we have seen on Macs and PCs where pirate games and applications are injected with malware or viruses. The best way to stay safe is to simply avoid sideloading applications.

Also most major Android makers roll out OS patches for vulnerabilities (for at least their flagship devices). It's just that users don't get the full OS updates.

From the start of the article:

"This statistic is based on the number of vulnerabilities reported by security researchers in the past year, bugs which have received a CVE identifier."

 

[poofyhairguy]

Ok I can admit where I am wrong on that.