Android's unpatched dead device jungle is good for security
'Attackers can't just use one exploit to pwn a billion devices' says Square's security lead
Black Hat Asia: Android's diverse and oft un-patched ecosystem is a strength, not a weakness. So says Dino Dai Zovi, security lead at mobile payments outfit Square, because he feels diversity makes criminal hackers work harder.
Android variants are a dime a dozen, thanks to customisations used to get the OS running on myriad phones and tablets.
About a third of all measured devices run version 4.4 (KitKat) of the operating system, released in 2013, and a further third operate version 5 (Lollipop) released in 2014.
This is problematic because those old operating systems are un-patched against scores of dangerous vulnerabilities, and most manufacturers are slow to roll the latest AOSP updates into their own Android operating systems, or outright refuse to do so.
But Dai Zovi, who today spoke at the Black Hat Asia conference in Singapore, says this fragmented, heterogeneous ecosystem brings safety to the un-patched masses because exploiting dangerous vulnerabilities like Stagefright requires tailoring for each device make.
Dino Dai Zovi. Image: Darren Pauli / The Register.
“The ecosystem is such that it makes exploitation more difficult because it needs to be designed for [each device],” Dai Zovi said during a session at the event.
“[Android] security features like verify apps, and Google Play store application checks makes it a much safer system.”
Vulnerabilities that affect huge numbers of Android devices are regularly discovered. The recurring Stagefright menace was first noted as affecting up to a billion devices with relatively simple but highly dangerous attacks, which prompted Google to issue a fast run of patches.
Dai Zovi did not go as far as to recommend that those who warn the likes of Stagefright are world-ending should back down, but did strongly suggest that the descriptions be weighed against the high cost of developing exploits for the many diverse Android platforms.
The best Android security features are present in the latest versions, Lollipop and Marshmallow, and include security checks for side-loaded applications that produce warning flags, making it difficult for users to inadvertently compromise their devices. Such warnings help those who accidentally use pirated apps or code downloaded from sources other than Google Play.
Dai Zovi referenced the Georgia Tech University study The Core of the Matter: Analysing Malicious Traffic in Cellular Carriers [PDF], published in 2013, which found malware resided in 0.0009 percent of Android devices, noting that the low statistic would be similar across the current landscape.
“The number of actually infected devices is exceedingly low,” Dai Zovi says. ®