I try to take all these security reports with a grain of salt, considering McAfee’s vested interested in scaring the bejesus out of us to sell more security software, but there’s several notable specifics in this one worth examining.
A vulnerable robot
The report (pdf) explains one of Android’s best defenses is also one of the leading complaints about the open-source OS fragmentation. The multitude of different handset makers offering a plethora of phones running one of a handful of different Android flavours has actually helped protect the ecosystem from being an even easier target.
The release of Ice Cream Sandwich, which seeks to unify a few of the previous Android releases into a single, more cohesive system, could actually make Android more vulnerable to attackers. More standardisation in hardware running Android will also lower the overall cost of designing new malware that’s more effective in creating headaches.
McAfee points out that as Android has surpassed Symbian in leading the smartphone market, it has also attracted the lion’s share of new mobile malware attacks – 63 percent in the second quarter of 2011.
While the meteoric rise of Android in the last four years is certainly a factor, McAfee says it suffers from serious security deficiencies, notably a lack of high-level APIs for security developers, using an insecure Java-based virtual machine to execute apps, and a lack of trusted digital signatures for apps.
So what does Google have to say about this?
Chris DiBona, Open Source Programs Manager at Google, recently put it bluntly on Google+: “Virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers.”
DiBona touts the track record of the Linux kernel that underlies both Android and iOS and while he acknowledges there have been apps that do “bad things,” he says the reactive approach works and there have been no major problems with mobile viruses.
Apple’s ‘walled garden’ approach is a virtual fortress in comparison to Android, especially when it comes to malware protection. As McAfee points out: “Apple so far has done an excellent job of securing its devices; as we write this there were no reported cases of malware for iPhones that have not been jailbroken.”
That doesn’t mean iOS devices are bulletproof, however. McAfee envisions a possible scenario where a legitimate, useful (perhaps even paid) app might have hidden malicious code that evades detection and lies dormant for a while before eventually ‘waking up’ to steal user information or wreak havoc. “For all we know some applications in the App Store might have hidden malicious functionality,” the McAfee report observes.
McAfee describes Apple as generally taking a more proactive approach to dealing with threats, whereas Google tends to be more reactive. No surprise there, but there’s another key factor on the horizon when it comes to mobile security.
Return to the wild web
“The release of HTML5 has the potential to disrupt the app store environment currently dominated by Apple and Google,” McAfee points out.
That could take part of the security equation out of the hands of Google and Apple and put it back on the world “wild” web, which happens to be a place that McAfee can more easily design security software for.