TR Forums

Depends on a lot of factors, including how good your carrier is about pushing security patches out, how much bloatware the phone maker and/or carrier includes in the base install (and quality or lack thereof of said bloatware), whether the phone is rooted, and whether you install a lot of 3rd party apps (and what permissions they request), among other things. Every additional piece of software running on the phone represents a potential attack vector, either via as-yet undiscovered exploits, or (in the case of dodgy 3rd party app developers) intentional back doors. Google exerts less control over their ecosystem than Apple (or Microsoft, in the case of Windows Phone), so more of the onus is on the user to practice "safe computing".

In your particular case, it sounds like maybe your desktop is compromised (and was used to indirectly attack your phone)... or Facebook has a security hole in Facebook Messenger.

 I think Android, as a platform, can be secure, but it's very up to the manufacture.  If I had to guess you, like most people, were the victim of a known vulnerability that was exploited through a drive by style attack.One of the greatest weaknesses of most phones is the lack of security updates.  Unless you're on a Nexus (or now Pixel) phone you're mostly SOL when it comes to getting updates of any kind, let alone security.  Some companies promise updates but they are not nearly as timely as Google.

Then there's the issue of the fact it's an "open" (well, mostly) platform.  That means you can develop your own phone.  It inherently allows to modification, including things like boot loaders and the ability to be rooted.  Now, most of the time this stuff is hard to do because the manufactures don't want you mucking with their hardware. Very few phones are very "developer" friendly (like my Moto X 2nd Gen) and you can mod stuff fairly easily, say to root your phone (which I'll do, again, after I get a new phone to use this one as a pen-test learning tool).  This is typically for the betterment of security.

Then there are some other issues that have been recently addressed.  Things like media handling (i.e. Stagefright issues) have been hardened much more lately though code enhancements and SELinux improvements.  The Linux kernel on a lot of phones is usually horribly out of date, too.  It usually has a lot of customization, though, so it's a crap shoot to determine if a kernel vulnerability actually applies to your phone.

If you're paranoid your options are Apple or Microsoft.  Both companies update their stuff far more often.  However, the platforms are not "open."  In the case of Apple you are at the mercy of their version of security.  At the moment, though, that's a strong selling point for them.  They usually keep updating hardware for at least 3 years, which is twice that of the minimum Google commits to.  Microsoft has a lot of skin in the game.  They earn most of their money from big companies and licensing.  Security is important.  They also want to allow "enterprise" type control of the phone.  So it's possible to do more to them than an Apple phone, for better or worse (mostly better, IMO).

Now that I've said all of this I'll let the gerbils pick everything I said apart.  The TL;DR version: no, I don't consider most Android implementations very secure today (save from the supported Google stuff).  Apple is the paranoid gerbils best bet, but I'm banking on Microsoft as a very close second.

nssatikunvar wrote:

Now the question is how secure is an android device when it comes to security?

It depends entirely on the manufacturer.

There are vulnerabilities in Android just like there are in iOS, Windows Phone, and desktop OSes. It's up to the manufacturer to release patches in a timely manner.

Most of them fail horribly. I would strongly recommend reading up on the patching performance of a particular vendor before buying their products. The Google-sanctioned Nexus and Pixel devices generally receive updates immediately.

Also, don't sideload apps or install alternative app stores unless you really know what you're doing. There have been nasty things distributed through those channels. This applies more to Android than iOS solely because Apple has made it more difficult to do those things in the first place.

Both platforms have had things slip into their official stores, so you're facing some risks regardless of how safe you try to be. I believe both Google and Apple can revoke apps from their respective stores if issues are discovered, so there is that at least.

TheRazorsEdge wrote:

nssatikunvar wrote:

Now the question is how secure is an android device when it comes to security?

It depends entirely on the manufacturer.

There are vulnerabilities in Android just like there are in iOS, Windows Phone, and desktop OSes. It's up to the manufacturer to release patches in a timely manner.

Most of them fail horribly. I would strongly recommend reading up on the patching performance of a particular vendor before buying their products. The Google-sanctioned Nexus and Pixel devices generally receive updates immediately.

Also, don't sideload apps or install alternative app stores unless you really know what you're doing. There have been nasty things distributed through those channels. This applies more to Android than iOS solely because Apple has made it more difficult to do those things in the first place.

Both platforms have had things slip into their official stores, so you're facing some risks regardless of how safe you try to be. I believe both Google and Apple can revoke apps from their respective stores if issues are discovered, so there is that at least.

Thanks for taking time to help me out. I'm using Moto G4+ now a days and I'm a tech savvy person so, always keep safe distance from junk download. The reason I've raised this question is because, Android OS is not upto the mark when it comes to performance. It consumes 2GB of ram in idle state. I'm very much flexible with Windows OS and not keen to have millions of dump apps. I use mobile phone more for official work then the personal. So, I'm considering your advice on going with good manufactures in future. Thanks a lot. 

generally, android devices are secure. it's us, the users, who aren't.

Android as an operating system is very secure. It has multiple layers of protection to keep malware at bay, and it requires your specific permission to do almost anything that could lead to your data or the system being compromised. However, Android is an open system that trusts you the user and its community of developers to do the right thing. If you want to, you can give away a lot of permissions, and even access to deeper parts of the system if you've rooted your phone.

Olson23 wrote:

generally, android devices are secure. it's us, the users, who aren't.

Android as an operating system is very secure. It has multiple layers of protection to keep malware at bay, and it requires your specific permission to do almost anything that could lead to your data or the system being compromised. However, Android is an open system that trusts you the user and its community of developers to do the right thing. If you want to, you can give away a lot of permissions, and even access to deeper parts of the system if you've rooted your phone.

I dont agree this. A lot of malware apps in the store. Android system looking sweety and nice but security is low. Apple ecosystem generaly more secure than droids.

Robotics wrote:

Olson23 wrote:

generally, android devices are secure. it's us, the users, who aren't.

Android as an operating system is very secure. It has multiple layers of protection to keep malware at bay, and it requires your specific permission to do almost anything that could lead to your data or the system being compromised. However, Android is an open system that trusts you the user and its community of developers to do the right thing. If you want to, you can give away a lot of permissions, and even access to deeper parts of the system if you've rooted your phone.

I dont agree this. A lot of malware apps in the store. Android system looking sweety and nice but security is low. Apple ecosystem generaly more secure than droids.

Google Play store should be pretty good since they actively scan for stuff (like Apple) and take down relatively quick (can do better of course). It is the 3rd party and pirate stores that are malware laden. Same basic computing principle applies: don't install anything and everything that you see in first sight. Only install what you need and stay with brand names.

The Play Store (last I heard) still does let some stuff through, so you have to just be careful that what you wanted is from a reputable developer. But that's a normal safe computing practice anyway.

I'm not sure I'd need an antivirus on an iphone on another note, but I won't use a droid without one.

Flying Fox wrote:

Robotics wrote:

Olson23 wrote:

generally, android devices are secure. it's us, the users, who aren't.

Android as an operating system is very secure. It has multiple layers of protection to keep malware at bay, and it requires your specific permission to do almost anything that could lead to your data or the system being compromised. However, Android is an open system that trusts you the user and its community of developers to do the right thing. If you want to, you can give away a lot of permissions, and even access to deeper parts of the system if you've rooted your phone.

I dont agree this. A lot of malware apps in the store. Android system looking sweety and nice but security is low. Apple ecosystem generaly more secure than droids.

Google Play store should be pretty good since they actively scan for stuff (like Apple) and take down relatively quick (can do better of course). It is the 3rd party and pirate stores that are malware laden. Same basic computing principle applies: don't install anything and everything that you see in first sight. Only install what you need and stay with brand names.

yeah third party apps always have danger out side the store. But maybe look at ''wheather bug'' app and some of the others have malware. Some web sites warned about them. But they are on the store now. My antivirus program doesnt detect them. A lot of mindblowing ****.

I would answer this another way. You don't have a choice. Its either an iPhone, a Nexus/Pixel or recently some Samsung flagships(if you are careful with version and carrier match). Those are the only ones getting security updates. If you read the monthly patch list for Android, you'd know you're sticking your head in sand with none patched phones. Now most people it really doesn't matter. But if you live in a crowded city, are traveling,... There are just too many random creeps that could accidentally target you.

In and of itself, because of how/where Googles real revenue comes from(ads, which needs proper tracking), the permission architecture has always been and was again moved in the last major permission revamp to not give you control over your data.

You will never see Contacts permission have an Android system level helper ask you who to provide to app. App gets everything.
You will never see Internet have any constraint (specific domain name, no IP,)... Internet permission hasnt been flagged as critical/dangerous permission, requiring a warning on app install since 5.0.

Fact is, you really just dont have a choice and absolutely no way to know what happens to your data. Google will never help with that. When you give any app access to permissions because it just wants to make it easy for you to in game share something with friend, you are just wishing. They have access to any IP on internet and can send everything.

Android will always be all or nothing permissions. Anything else will hurt Googles bottom line.

Ive always used Nexus, so i dont have personal experience with iPhone, but fact that Nexus/Pixel only get 3 years updates(from launch day) and the fact that Pixel will always be very expensive phones only, im thinking to switch to iPhone as you get updates longer. Have to research first. If im going to have head in sand, my as well do it in style and hate to say this but get my moneys worth. The new Pixel was a truly bad value all around.

TL;DR: Android will always be architect-ed and constrained by the Google's actual revenue source(ads/which need tracking+info). Apple's big revenue stream is not. Hence the big differences. Also, App store is not safe, time and again, to this day, malware has been found on Playstore. You have internet access, you can load anything you want from there, after you've been installed and certain criteria met. (not running inside Google detection VM and in real phone out in world).

blahsaysblah wrote:

I would answer this another way. You don't have a choice. Its either an iPhone, a Nexus/Pixel or recently some Samsung flagships(if you are careful with version and carrier match). Those are the only ones getting security updates. If you read the monthly patch list for Android, you'd know you're sticking your head in sand with none patched phones. Now most people it really doesn't matter. But if you live in a crowded city, are traveling,... There are just too many random creeps that could accidentally target you.

In and of itself, because of how/where Googles real revenue comes from(ads, which needs proper tracking), the permission architecture has always been and was again moved in the last major permission revamp to not give you control over your data.

You will never see Contacts permission have an Android system level helper ask you who to provide to app. App gets everything.
You will never see Internet have any constraint (specific domain name, no IP,)... Internet permission hasnt been flagged as critical/dangerous permission, requiring a warning on app install since 5.0.

Fact is, you really just dont have a choice and absolutely no way to know what happens to your data. Google will never help with that. When you give any app access to permissions because it just wants to make it easy for you to in game share something with friend, you are just wishing. They have access to any IP on internet and can send everything.

Android will always be all or nothing permissions. Anything else will hurt Googles bottom line.

Ive always used Nexus, so i dont have personal experience with iPhone, but fact that Nexus/Pixel only get 3 years updates(from launch day) and the fact that Pixel will always be very expensive phones only, im thinking to switch to iPhone as you get updates longer. Have to research first. If im going to have head in sand, my as well do it in style and hate to say this but get my moneys worth. The new Pixel was a truly bad value all around.

TL;DR: Android will always be architect-ed and constrained by the Google's actual revenue source(ads/which need tracking+info). Apple's big revenue stream is not. Hence the big differences. Also, App store is not safe, time and again, to this day, malware has been found on Playstore. You have internet access, you can load anything you want from there, after you've been installed and certain criteria met. (not running inside Google detection VM and in real phone out in world).

Yeah, Nexus and Pixel best around the devices in droid zone for security. But iPhone is still best if you thought. And I easly say to you droid systems are very relax and funnier than apple's.

Robotics wrote:

Olson23 wrote:

generally, android devices are secure. it's us, the users, who aren't.

Android as an operating system is very secure. It has multiple layers of protection to keep malware at bay, and it requires your specific permission to do almost anything that could lead to your data or the system being compromised. However, Android is an open system that trusts you the user and its community of developers to do the right thing. If you want to, you can give away a lot of permissions, and even access to deeper parts of the system if you've rooted your phone.

I dont agree this. A lot of malware apps in the store. Android system looking sweety and nice but security is low. Apple ecosystem generaly more secure than droids.

There is a ton of malware. Most of it requires the user to download and install. Especially if it's on the Play store. Google's garden is more open than Apple's, and that opens the door to a lot of *user-based* vulnerabilities. So what you said doesn't refute Olson23's argument; your statement actually enhances it.

Upfront disclaimer, I'm a BlackBerry employee but I don't work on the phone side of things.

BlackBerry does Android phones, the Priv, DTEK 50 and DTEK 60. They get the monthly Android Security patch, have signed bootloaders (so no rooting) and have some software on them called DTEK to check on the security level. Yes you can still install a random apk file and get all your data stolen, but if you are the least bit sensible then they are probably the most secure Android phones you can get.

Thank you so much, everyone, for taking out time for replying my question. I would take consideration of all the suggestions.

notfred wrote:

Upfront disclaimer, I'm a BlackBerry employee but I don't work on the phone side of things.

BlackBerry does Android phones, the Priv, DTEK 50 and DTEK 60. They get the monthly Android Security patch, have signed bootloaders (so no rooting) and have some software on them called DTEK to check on the security level. Yes you can still install a random apk file and get all your data stolen, but if you are the least bit sensible then they are probably the most secure Android phones you can get.

I'm glad you posted this because I was about to. I have an unlocked Priv which I just bought brand new. If you're going android, it's Blackberry or Google all the way if you want updates. And always buy unlocked so that you don't have to wait on your carrier to get off their lazy arses and issue updates.

blahsaysblah wrote:

I would answer this another way. You don't have a choice. Its either an iPhone, a Nexus/Pixel or recently some Samsung flagships(if you are careful with version and carrier match). Those are the only ones getting security updates. If you read the monthly patch list for Android, you'd know you're sticking your head in sand with none patched phones. Now most people it really doesn't matter. But if you live in a crowded city, are traveling,... There are just too many random creeps that could accidentally target you.

If you're prepared to muck around with custom roms and have a supported phone then that is another choice for getting monthly security patches. I've got a Nexus 4, 5 and 7 (2013) all running 7.1.2 with the April security patches thanks to lineageOS.

This is a big "if" and it means you're putting a lot of trust in the maintainer of the rom.

What I do find interesting about the whole android security issue is how there hasn't been a major botnet given how bad a lot of the CVEs have looked and how few patches actually get installed. Maybe the various security layers built in to android make exploits a lot harder than they appear or maybe it's just so much easier to convince users to install APKs directly. Could it even be the fragmentation in android makes mass exploits harder.

I really want to put LineageOS on my Moto E but I couldn't get a VM working on here as easy as it usually is, so heh. I'll have to do it on a different machine later.

Robotics wrote:

Flying Fox wrote:

Robotics wrote:

I dont agree this. A lot of malware apps in the store. Android system looking sweety and nice but security is low. Apple ecosystem generaly more secure than droids.

Google Play store should be pretty good since they actively scan for stuff (like Apple) and take down relatively quick (can do better of course). It is the 3rd party and pirate stores that are malware laden. Same basic computing principle applies: don't install anything and everything that you see in first sight. Only install what you need and stay with brand names.

yeah third party apps always have danger out side the store. But maybe look at ''wheather bug'' app and some of the others have malware. Some web sites warned about them. But they are on the store now. My antivirus program doesnt detect them. A lot of mindblowing ****.

This "weather bug" app? Looks legit to me and it is not a very good app anymore. I never touched it personally. I will have to call for citation on this one about those "web sites that warned about them". I am genuiuely interested to know some poster child examples of malware-infected apps in Google Play Store that is still not taken down after all this time.

kvndoom wrote:

And always buy unlocked so that you don't have to wait on your carrier to get off their lazy arses and issue updates.

I am going to put forward a counter example: the S7 unlocked US versions. They are way behind on updates with that one compared to the carriers' versions. At least they are up to March now though.

Unfortunately the sub-headline on that Are link isn't true. Samsung supports several models way less than the unlocked Galaxy S7. All of the J-series, for example. Most of those never get an update at all.

It really does depend on the manufacturer. OnePlus has been doing a decent job, and I've been pretty happy with ZTE for 2nd tier OEMs.

Also, Apple only promises 3 years of updates as well, from the launch date I believe. If it's no extra effort, they generally stop supporting new OS updates on those devices, unless it was one of their huge successes (iPhone 4 got engineers assigned to bring it up to iOS9 when the plan was to sunset it after iOS 7).

nssatikunvar wrote:

Few days back I suffered a malware attack during my Facebook session on desktop, a malware was able to take control of my locked Android phone's Google chrome browser to call a web page through facebook messenger. I was using windows phone since last 5 year and recently switched to Android phone and this is a crucial concern as I'm using my phone for many banking and official activities. I never had a single issue with Windows phone or windows 10 mobile in past. 

Now the question is how secure is an android device when it comes to security?

Color removed so it's readable for those of us who use the dark scheme.

Please don't use color schemes like that.

The software was breaking things like that for a while - it probably wasn't the OP's fault.

What I don't get is why the world is so alright with people not properly owning their devices. A black box baseband processor with unrestricted access is plenty bad enough in my book, but not having root and being dependent on both the manufacturer and the carrier for updates is insanity. If PCs worked like that, people would rightly flip. For a knowledgable user who isn't going to catch a trojan, the unknowns left open by that seem like the biggest weakness by far.

There are plenty of things individuals can do to make their own setup better (like LineageOS), but most people aren't going to care enough, and there's still a very fundamental problem here.

synthtel2 wrote:

What I don't get is why the world is so alright with people not properly owning their devices.

Because 99.99% of the world's population can't be trusted with root, and about 50%-75% of those who know how to root shouldn't be trusted with root. Don't take the conversation here and extrapolate to the rest of the world, most of which cares only if their texts/Snapchats/Instagrams/am I looking old yet? go through.

Users have root by default on PCs. If it's alright there, it should be alright on phones.

Beyond that, carriers (meaning Verizon) often make getting root impossible. I don't agree with the argument that there should be hoops to jump to get root, but at least there is a valid argument there. Verizon's behavior is inexcusable.

Users should not have root by default on PCs either. It doesn't have to be difficult to get root access(sudo make-sandwich), but it shouldn't be given away without even asking first.

Even if you have root, you're not truly in control unless you're running Open Source code, and have the inclination, know-how, and time to dive deep. Not having root on my phone doesn't bother me, because it's a tool I use for a very specific and narrowly defined set of purposes. I'm OK with treating it mostly as a black box. Would having root on it make it more secure? Only if I'm willing to spend a lot of time and effort on it.

You also don't have the diverse ecosystem of modular, third-party hardware devices on a phone, so you don't need to be able to tinker with the OS configuration at will.

My desktop PC and laptop are a different story... I run Linux, but even there I don't "dive deep" that often, unless there's a particular device or application that's pissing me off and I think I can fix it (or compiling something from upstream source might fix it). The set of tasks I use them for is also more open-ended, since I'm a software/firmware developer; not having root would cause difficulties there.

synthtel2 wrote:

Users have root by default on PCs. If it's alright there, it should be alright on phones.

Again, these days home PC users tend to be the self-selected gerbils.

Work PC users can't get root on their AD-driven work PC (unless they are a cunning gerbil ) so they consider their phone the PC/comms/gaming device. I don't want those people having root because they'll just spread crap everywhere. The one takeaway from my 30 years in banking/regulation is that well-intentioned yet stupid users are how systems get infected. Every time I read the results of an external phishing test or a social engineering test at one of my regulated institutions, I just shake my head at the utter stupidity of far too many of this planet's inhabitants.

When I say users should have root by default, I mean they shouldn't have to go through any adversarial shenanigans to get it. Not running as root all the time is only sane, and doesn't reduce my ownership of my computer at all.

Being truly in control is all but impossible (there's the Ken Thompson hack if nothing else), but degrees of control still matter. I haven't looked at the Linux kernel's source at all, I've got a binary blob from Nvidia attached to it, and Intel has layers set aside that are entirely invisible to my OS, but there's still very little equivalency to the cluster that is the majority of phones out there right now.

Having full access to a phone can still be very useful. Think of the difference between a PC with a typical "clean" OEM install of Windows and an actual clean install you did yourself. Even when OEMs make an effort, they don't know what clean really means. To me, Google feels like an analogous OEM themselves, and a cleaner install (starting from LineageOS / F-Droid) is really a whole lot better than even the most basic Nexus experience. Aside from stylistic issues and my dislike of Google, there are a lot of ways I can and do use that to improve security, I really appreciate the extra determinism, and on at least one device it was worth a noticable amount of extra battery life.

I know a lot of home PC users, many of non-technical stripes, and they mostly manage to stay out of trouble. There's always going to be that one guy who clicks on every other ad and is generally way too credulous, but people like that wreck Android devices too, even without root. Going fully walled-garden might be the only real way around that (and even that doesn't help with pure social engineering). I wouldn't want to use one, but I can appreciate why iOS is as it is. Google wouldn't want to make Android like that, but what they're doing right now ends up taking on a lot of the worst characteristics from both iOS and more open platforms.

I researched a bit, iPhone 5 got iOS 10(latest). The iPhone 5 was introduced in Sep 2012...

As for Playstore malware...