Google’s Sundar Pichai on Android malware and security


A lot of people wondered what Sundar Pichai, Google’s Senior Vice President of Chrome and Apps, was up to earlier this week when he reportedly said that Google could not guarantee that Android was safe because it had been “designed to give more freedom.” Needless to say, the comment made some waves. According to FrAndroid, Pichai said, “We cannot guarantee that Android is designed to be safe, the format was designed to give more freedom” (“Nous ne pouvons garantir que Android est conçu pour être sûr, son format a été conçu pour donner plus de liberté.” according to a cached version since the original post has since been modified). But it turns out that it’s not quite what Pichai said. In fact, he pointed out that it was the very fact that Android was open that made it more secure.

TechCrunch has obtained a transcript of the event from Google and it gives us Pichai’s answer (in English) when asked about how Google and Apple differ on managing security. Here’s his answer in full:

Sorry, the premise of the question is because Android is open, it has more security issues? Respectfully, I’m not sure that’s a correct premise of the question. Open platforms historically undergo a lot of scrutiny, but there are a lot of advantages to having an open source platform from a security standpoint. I would argue that it’s the best way for a platform to be secure, because every researcher in the world can inspect it, every developer in the world can inspect it, and I think that contributes a lot to Android security.

Android was built to be very, very secure. The thing that you’re seeing is because Android is an open platform, many people can ship Android in many different ways and so there are some partners when they ship devices, they have an older version of Android. And sure you can have a security vulnerability there, but that doesn’t mean Android isn’t secure. We go to great lengths–the depth of work in Android to make it secure; the depth of work done by Google Play…Google Play automatically scans and verifies thousands of applications for malware. We track data on this. It’s state of the art in terms of what we do. What you see across the ecosystem…people will ship good phones and keep them updated…you will have some phones that will not be updated. That’s where we see issues. Not Android at a fundamental level.

Quite a different answer from what FrAndroid reported yesterday.

Pichai’s point is basically the same as we’ve all heard for years: Keep your software updated. In Android’s case, Pichai points out that OEMs who ship outdated versions of Android or fail to update devices contribute to the perception that Android is less secure than alternatives. For example, it’s much easier for Apple to push out an update given that it controls the entire platform. But any iOS user who has not updated to version 7.0.6 (or 6.1.6 for older devices) will find themselves in a similar situation: A vulnerable system because the software has not been updated.

With Android being open, Google faces a very different challenge than Apple with its closed system. Because Apple controls its entire platform, it does not have to be concerned with a partner that decides not to offer an update to the latest version of its operating system.

Pichai also commented on why so much malware targets Android:

“Malware targets where users are. When you say numbers like 90% of malware is targeting Android, you know, I hate to point out that if you’re a smart business person running this malware company, that’s what you should do. It’s the wrong way to look at the lens. Obviously, you will always see more malware targeting Android because Android is used more than any smartphone platform by a pretty substantial difference. I think that drives a lot of it so I understand that part of it. What matters much more is – as a user, if you use Android, are you fundamentally more compromised? We don’t think so.”

It’s a less satisfactory answer. There may be somewhat fewer Apple iOS devices out there than Android ones, but no one can deny their popularity. So why are they targeted so much less? It likely goes back to the fragmentation issue: Malware developers know that there are far more outdated (and therefore vulnerable) Android devices out there than Apple ones.

In the end, Google and its partners still have a lot of work to do to ensure that the Android ecosystem is as secure as it can be but it’s clear that Pichai and Google have not thrown security out at the altar of openness.

Source: TechCrunch