Not long ago, I was in an argument with another IT pro about why Linux never really suffered much in the way of viruses and malware. My take was simple — it's just more secure. The other guy's take — Windows is more popular, hence more targeted.
Why do I bring that up? Android has surpassed all other platforms on the planet in popularity. Does that mean it's suffering the same fate as Windows? Since the world's most popular platform is based on Linux, wouldn't it also enjoy that same security?
What's interesting about this is how rampant the rumors are about Android and security. From the Facebook Messenger issue, to SMS worms, to a too-generous permissions system... Android seems as vulnerable as Windows ME to attacks and criticism. But are the comparisons legit? Is Android as vulnerable as the Windows platform once was (and many still believe is)?
This particular topic is very hard to nail down. First of all, you have to know what mobile malware is. Google is constantly on the lookout for malware-infected apps. What constitutes a malware-infested app? Let's take a look at one of the most recent notorious pieces of mobile malware to hit Android — BadNews. This malicious code looked like a framework for serving up ads in ad-based software. What the code did was send your private data (including phone number and IMEI) to a server (not surprisingly, a Russian server). It can't be debated that this is malware. Google recently removed 32 applications (mostly Russian language) from the Play Store that contained the BadNews code.
Add to that the recent viral scare (one that was completely unfounded) that Facebook was planning on stealing pretty much everything (from your soul to your salary), and you can see how easy it is to get worked up into a frenzy about Android and security.
The good news is that Google has our back. They are constantly combing the Play Store for malicious code, and they also are planning on rolling out a new malware scanner sub-system that will scan your device for malicious code in real time.
But even with all the protection, bad code can still wind up on your device. To that end, Google created the permissions listing for Android — one that the end user is supposed to view before installing an app. Bad move on Google's part. Why? Any IT pro will tell you that the weakest link in a system's security almost always ends up being the end user. The average user isn't going to comb through the Google permissions listing (even though they are warned to do so, often in bold letters) to discover "Hey, this fun little game wants access to my contacts, my personal data, my social security number, and the security code for my home!"
In a perfect world, that system works. Unfortunately, we do not live in a perfect world. We live in a world where end users must have their system security taken care of under the hood and behind the scenes. No matter how much you tell the end user not to tap on this or trust that... they will. This was never better illustrated than by the never-ending need for Windows desktop support. Was it an insecure system by design? Some people think so, but even the most robust security can be circumvented by a single end user clicking Yes.
Does that mean that security falls completely in the lap of the end user? Not at all. You can't blame the end user for a wide open app store that allows the likes of BadNews to get rolled into other applications. Does that mean that security falls into Google's lap? Not completely. The only way Google could end user-proof Android would be to remove access to the Play Store, remove users' ability to get online, and disconnect devices from the network.
Just like I strongly disagreed with the idea that Windows' weakness was driven by its popularity, I refuse to give in to the same argument against Android. It's really easy to write malicious code and just as easy to get people to install it. It's not nearly as easy to get that malicious code into the Google Play Store and keep it there. Google will find and remove it.
It still happens though, which is why end users must exercise a bit of caution. No matter the platform, an end user can compromise security with a single tap. iOS, Linux, Windows, Android — it doesn't matter what platform you're on. What's important is how you use your device.
Because Android has become so widespread, the writers of malicious code will continue to target the platform. That means end users need to:
- Always read the permissions listing and look out for suspect permissions
- Never install an app outside of the Google Play Store (unless you are 100% sure it is safe)
- Avoid tapping in-app ads
- Install Malwarebytes and use it
- Keep your operating system and apps updated
- Log out of sites after you make an online payment
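For readers who would rather script the first item on that list, here is an added example (not from the original article) that flags the pattern described for BadNews: an app that can read identifying data and also reach the network. It assumes a permission listing in the text format printed by the Android SDK's `aapt dump permissions`; the rule tables, the package name and the sample listing are constructed for illustration.

```python
import re

# Permissions that expose personal data, with the data they unlock (illustrative rules).
DATA_SOURCES = {
    "android.permission.READ_PHONE_STATE": "phone number and IMEI",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
# Permissions worth a second look even without network access.
STANDALONE = {"android.permission.SEND_SMS": "can send text messages"}
INTERNET = "android.permission.INTERNET"

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
LINE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)")

def parse_permissions(listing):
    """Return the set of permissions requested in an aapt-style listing."""
    perms = set()
    for line in listing.splitlines():
        match = LINE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms

def audit(listing):
    """Return sorted, human-readable findings for a permission listing."""
    perms = parse_permissions(listing)
    findings = []
    for perm, data in DATA_SOURCES.items():
        # Data access alone is not the problem; data access plus a way out is.
        if perm in perms and INTERNET in perms:
            short = perm.rsplit(".", 1)[1]
            findings.append(f"{short} + INTERNET: {data} can leave the device")
    for perm, why in STANDALONE.items():
        if perm in perms:
            findings.append(f"{perm.rsplit('.', 1)[1]}: {why}")
    return sorted(findings)

# Constructed sample: a hypothetical game that asks for more than a game needs.
SAMPLE = """\
package: com.example.funlittlegame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.VIBRATE
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding is a prompt to ask why the app needs that combination, not proof of malware; plenty of legitimate apps request the same permissions.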
Like I said, because of the meteoric rise of Android, it will be targeted. That doesn't mean you have to drop it like an infected potato. What it does mean is that your mobile device must be used with the same care and caution that you use with your desktop and laptop. Just because Android has a foundation built upon Linux doesn't mean that it can't be compromised. In time, with enough poor usage, anything can be made insecure.
What do you think about the security of the Android platform? Share your thoughts in the discussion thread below.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.