
Comment by ChrisCinelli

7 years ago

>Years ago I wrote “free security advice” and the basic concept is still relevant. I should update it now though.

It looks like you DID update it: https://gist.github.com/grugq/353b6fc9b094d5700c70

And from that gist:

> Use an iPod or an iPad without a SIM card

> Use an iPhone

How can you then say:

> A hardened Android device (disclaimer, I’m making one for retail sale) is safer than a stock iOS.

?

Is Android (and in general any open source system) safer than iOS (a closed and highly customized system)?

The idea I heard over and over is that an open source system is more secure because the code is scrutinized by anyone who wants to.

But with a monthly security update and how quickly a vulnerability can be exploited, it does not seem to be the case anymore.

The main reason is the time between when a vulnerability is patched in the source code and when the patch is deployed. When a commit that fixes a vulnerability is committed to the Android codebase, anybody who knows what they are looking at would be able to notice it, and likely build/distribute an exploit before the patch is actually pushed to all users. On a closed source system, an exploiter can still reverse engineer the changes in an update, but fewer people have the skills to do it and it is not straightforward to understand which changes in the code are security patches.

Considering the timing and what I see on the Android security bulletin, almost every month there are EoP and even RCE vulnerabilities being patched. A Google phone, on average, will go 2 weeks every month vulnerable to a "known" vulnerability.

For all the others the situation is dramatically worse. Samsung is at best a month behind the security update schedule. A Samsung user will have a phone that is always behind the latest vulnerabilities patched and visible in the Android code base.

Some of these vulnerabilities can be quickly distributed since everybody has an LTE internet connection and reads news in a browser.

As I said, I should update it.

When I wrote it, Android devices never got patched (hence the advice to switch to a FOSS ROM that would be updated, rather than a frozen-in-time factory ROM).

Security involves a lot more than just access to the source code. That is simply a factor in the ease of some techniques for vulnerability discovery. Back then Android had poor process isolation, significant problems with its sandbox, lax SELinux configurations, and an insecure software architecture (e.g. not using “least privilege”).

For a regular user, a stock iOS device is safer than an Android device because there is very little iOS malware in the wild. For a user at risk, then they are safer using a secured device, which by default means modified Android.

Security is not a generic “thing”. It is a continuous process that provides countermeasures against threats by mitigating risks.

If you want a device that is safe by default, will always be patched, and is not vulnerable to indiscriminate exploitation or malware embedded in apps — use iOS.

You can achieve that with a Google Android device (starting with about v8 or so). Of course you still have to be vigilant against malware laden apps.