For posterity’s sake, I’ve collected a few choice quotes from Google’s security team and sprinkled a handful of security stories in between.
I hope you find it interesting reading.
We’ll start off by jumping back in time to 2011, when Chris DiBona had a bee in his bonnet…
November 2011
Google staffer Chris DiBona posted a rant on Google+, sharing precisely what he thought of the anti-virus industry and its products:
https://plus.google.com/u/0/+cdibona/posts/ZqPvFwdDLPv
“Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and iOS. They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM or iOS you should be ashamed of yourself.” – Chris DiBona, Open Source Programs Manager, Google.
June 2013
Over 100,000 Android users download a fake BBM app from the Google Play store.
September 2013
The official launch of BBM for Android is delayed, as dozens of fake BBM apps are found in the Google Play store.
October 2013
Security researchers looked at over 600,000 apps available for download from the Google Play store – and were depressed to find that many were being reckless with users’ privacy and security.
April 2014
An anti-virus app, somehow makes it to the highly-prized position of #1 new paid app in the Google Play store, despite being utterly fake. A detail not spotted by Google.
July 2014
Despite virtually all mobile malware targeting Android devices, the operating system’s security head tells the Sydney Morning Herald that Android users don’t need anti-virus protection.
“I don’t think 99 per cent plus users even get a benefit from anti-virus. There’s certainly no reason that they need to install something in addition to [the security we provide]” – Adrian Ludwig, lead engineer for Android security at Google.
In the same interview, Ludwig declares that users shouldn’t need to worry about apps they download from the official Google Play store:
“By the time a user goes to install an app they’ve had … the best review of that application that is possible”
January 2015
The web browser built into Android 4.3 and earlier has many security issues, but Google said it wouldn’t be patching it anymore. An estimated 930 million users were running Android 4.3 or earlier.
https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF
“..in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.” – Adrian Ludwig, lead engineer for Android security at Google.
Google confirmed to CNET, that Ludwig’s opinion was the company’s official position.
February 2015
Security company Avast warns Google about malicious and fraudulent apps in the Google Play store, some of which have been downloaded more than five million times.
July 2015
5000 new Android malware samples are being discovered every day, claims a report from security firm G Data.
August 2015
Google announces that it will start to issue monthly security updates to Android users, in response to critical vulnerabilities such as Stagefright and another flaw that can render an Android phone “apparently dead – silent, unable to make calls, with a lifeless screen.”
“We’ve looked at the events of the last few weeks and realized we need to move faster, and that we need to tell people what we are doing” – Adrian Ludwig, lead engineer for Android security at Google.
Samsung says it will also adopt a similar patching schedule.
It’s good to see Google becoming more proactive about Android security – as historically Android owners have suffered due to a lack of updates and proper support.
Let’s hope things are going to get better from now on – both in terms of keeping the Google Play app store free of malicious apps, and also ensuring that hundreds of millions of users get the security patches they deserve.
If you have any other quotes or incidents that you think the timeline would benefit from including, please leave them as a comment below – and I may update the article. Thanks!
Thanks for that interesting perspective, Graham.
Messrs. DiBona and Ludwig have the comfort of knowing that if they fail in the software business, they can always find work as dark comedy writers…or politicians.
Ludwig is an idiot and so is DiBona. I'm glad you got around to this because I had a similar idea some time ago, for doing something like this. This saves me the effort, is also more professional (than I would probably do it) and in this case probably more thorough.
One of these days I should write directly about the myth that malware doesn't exist in open source operating systems (perhaps with a POC example)… Of course, it isn't that it is open source that makes it flawed (DiBona is showing his ignorance there) so much as that malware is a simple concept and the only reason you mostly see Windows malware (over others) is because the target audience is larger (by a lot). I take that back. There is another reason: many Windows users are more vulnerable because they run with full privileges (less privilege separation, more problems). Open source has more auditors and open source developers (and I know this because I'm one of those) are doing it largely on their free time, with passion (and programmers tend to hate bugs in their work) and therefore not on the work schedule (less hasty, more thorough, etc.). That adds to the ability to keep it secure (plus if the source is available you can audit it yourself!) but that doesn't mean it doesn't have problems or can't have malware. That is a dangerous, irresponsible, very naive and ignorant lie.
Ha! With all the vulns being disclosed at Blackhat USA 2015,it will take a year of monthly updates to fix them all! Ludwig,just less than six months earlier was still telling the lie,that Android is so safe, and only a half of one percent of users actually downloaded any malware laden apps. And yet,his most recent statement says 15% of global users had some kind malware. I will dig up the quotes and send to Graham. The biggest issues have been a lack of transparency in telling us what's fixed and not fixed. My last update from HTC fixed the last two Masterkey vulns and Fake id,but I only knew that from the security scanners I had. I applaud the new attitude,but I feel that this only comes about due to the avalanche of security vulns just recently disclosed. It will obviously hurt the push for enterprise use,and retention of Android users. Apple has already reaped a windfall.
The problem with many large tech companies is that they live in their own bubble and getting the message through to them can take years. Only when it becomes a PR nightmare for them do they seem to finally admit they got it wrong and sort things out.
"Google Security Engineer Claims Android Is Now As Secure as the iPhone" https://motherboard.vice.com/en_uk/read/google-security-engineer-claims-android-is-now-as-secure-as-the-iphone