Security Bits – 5 April 2019

Followups

  • 🇦🇺 Australia’s controversial anti-encryption law has been referred for independent review to check whether it adequately safeguards citizens’ rights — nakedsecurity.sophos.com/…
  • 🇪🇺 The EU Copyright Directive passed the EU parliament with the two controversial articles intact (the so-called link tax and upload filter) — tidbits.com/…

Security Medium 1 — Android Security at Age 10

As Android turns 10, Google have released their 5th annual Android Security Review. The document is written in relatively human-friendly language and has lots of interesting graphs, well worth a read IMO.

I’ve chosen a few highlights that caught my eye, but before reading them, note that Google use the acronym PHA for Potentially Harmful App rather than the more common term malware.

Fundamentally, there are three areas in which Google has fought, and continues to fight, to improve Android security.

The first is OS security controls. Just like iOS, Google has added, and continues to add, ever more OS-level protections to keep apps locked down ever more tightly. The report lists all the changes made in 2018. While none of them struck me as particularly spectacular in and of themselves, taken together they represent a nice step up in Android security, and underline the fact that Google is continuing to work hard to make Android ever more secure.

The second important area is getting security updates out to users. Historically this has been a real Achilles heel for Android, but Google are making good progress in this regard. They now have monthly security updates, and they’re working hard to get those updates out to more users more quickly.

As of December 2018, over 95% of deployed Google Pixel 3 and Pixel 3 XL devices were running a security update from the last 90 days.

In the 4th quarter of 2018 we had 84% more devices receiving a security update than in the same quarter the prior year.

Newer versions of Android are less affected by PHAs. (impressive graph showing progress from 0.65% on Lollipop to 0.18% on Pie)

It’s still not true that all Android devices get security updates promptly and for at least 3 years, but it is true that if you choose your vendor carefully, you can have an Android device that gets patched promptly.

The third important area is malware, or PHAs as Google calls them. This is a game of two halves — apps downloaded via the Google Play store, and apps downloaded outside of the Play store.

The report makes two things very clear — firstly, Google are doing a good job of driving down overall Android malware numbers regardless of source, and secondly, the Google Play store is significantly safer than other sources of apps. It’s definitely wise to advise friends and family to stick exclusively to the Play store for their apps.

According to Google’s numbers, about one in 200 Android devices were infected with malware in 2018. Those infections were not evenly spread though. Devices that used the app store exclusively had much lower infection rates, a little less than one in 1,000.

What that tells you is that despite Google still taking a mostly reactive approach to their store, they are reacting quickly enough to seriously limit the damage done by malicious apps that do temporarily worm their way in.

What’s also interesting is that Google seem to be getting some good traction with their Google Play Protect security suite. This is basically Google-provided AV that ships as standard on modern versions of Android, and it tries to protect users who side-load apps from getting infected with malware.

In 2018, 0.45% of all Android devices running Google Play Protect had installed PHAs, compared to 0.56% of PHA-affected devices in 2017.

In 2018 only 0.08% of devices that used Google Play exclusively for app downloads were affected by PHAs. In contrast, devices that installed apps from outside of Google Play were affected by PHAs eight times more often. Compared to the previous year, even those devices saw a 15% reduction in malware due to the vigilance of Google Play Protect.

In 2018, 0.04% of all downloads from Google Play were PHAs. In 2017, the number was 0.02%. This increase is due to the change in methodology of upgrading the severity level of click fraud applications from policy violations to PHAs. If we omit the addition of click fraud for a comparison, 2018 is at 0.017% which is still a reduction from 2017.

Google Play Protect prevented 1.6 billion PHA installation attempts from outside of Google Play in 2018.

As Google tighten down their store, malware developers are turning to different avenues of attack. The following quote illustrates that point:

In 2018, there were two notable changes to the Android threat landscape: an increase in pre-installed PHAs and backdoored SDKs (software development kits).

While Google is clearly moving the needle in the right direction on all three major problem areas, Android is still far from a utopia. Just in the last two weeks three more stories broke highlighting security and privacy problems with apps in the Google Play Store (see links section below).

So, what’s the bottom line? In my opinion (Bart), it is now possible to be a security conscious Android user. You need to be careful who you buy your phone from, and you need to constrain yourself to the app store, but you can use Android and keep yourself safe. It’s also still true that it’s much easier to stay safe on iOS, so I’ll still be recommending that my non-techie friends and family confine themselves to Apple’s walled garden, but for the technologically literate Android is now a reasonable option. I’m also heartened by the fact that Google don’t appear to be resting on their laurels, and that they seem to continue to work hard to make Android ever more secure.

Note that I’ve left my privacy concerns around Google completely out of this. It goes without saying that if you use Android you accept that you will be paying with your privacy, and that you are happy with that exchange.

Links

Security Medium 2 — Facebook Continues to Evolve

This week Facebook CEO Mark Zuckerberg released another missive titled ‘Four Ideas to Regulate the Internet’ (this time as a Washington Post op-ed). The CEO used this platform to call for government regulation to address four big problems:

  1. Harmful Content
  2. Election Integrity
  3. Privacy
  4. Data Portability

Zuckerberg’s argument basically boils down to the fact that private companies like his should not be setting the standards for what is and is not OK, and that government regulation could create a universal standard that all companies could follow.

This is the same sentiment as that expressed last June by Microsoft’s president Brad Smith when he called for governments to regulate facial recognition to prevent a ‘race to the bottom’.

Zuckerberg also called attention to some changes Facebook have been making recently, including the moves they’ve made to add more transparency to election ads. To underscore that point, Facebook launched a new searchable database of political ads this week.

In other somewhat related news, Facebook also added some new features to make it easier for white-hat security researchers to study their platform.

This week’s news also shows that Facebook is still a long way from perfect though. Reports surfaced of an extremely dangerous practice that seems to have started recently — to make it easier for new users to confirm their email address, Facebook asked them to enter their email password so Facebook’s servers could use that password to verify they were the true owners of the account. Encouraging users to give up their passwords like this sets a terrible precedent and encourages all sorts of dangerous bad habits! Needless to say Facebook came under strong criticism. They quickly saw the light though and ended the practice.

Facebook’s years of poor oversight also came back to bite them this week when large caches of old Facebook data from the era when 3rd-party apps could access oodles of data with few restrictions were found on Amazon cloud servers without even so much as a password protecting them. Clearly, it was the app makers who failed to secure their copy of the data, but of course, had Facebook treated user data with respect back then, the apps would never have had it to lose!

For what it’s worth, my (Bart’s) take on this missive is that I completely agree with what Zuckerberg is calling for. I don’t know how serious he is about it, or how noble his intentions, but I don’t care, I firmly believe we need the kind of regulation he’s calling for!

It should be noted that others are much more critical, as evidenced by the opinion piece from the Guardian linked below.

Links

Notable Security Updates

Notable News

  • TP-Link SR20 routers are vulnerable to a zero-day exploit that lets anyone (or any device) connected to the WiFi network execute arbitrary commands on the router as root. Despite the researcher’s best efforts, TP-Link have not responded to his bug report, so after 3 months he has gone public with the vulnerability. If you have one of these routers, do not connect any untrusted devices to it, and don’t give anyone you don’t trust your password — nakedsecurity.sophos.com/…
  • 🇳🇿 New Zealand have passed a law that threatens social media companies that don’t deal with violent content quickly enough with large fines and even jail time for execs — nakedsecurity.sophos.com/…
  • Security researchers are warning users of smart cars like Teslas that when they sell their vehicles, they need to proactively wipe the data stored on them, because their research showed that second-hand Teslas, including car wrecks sold for scrap, contain a lot of unencrypted personal data — nakedsecurity.sophos.com/…
  • Security researchers have found novel ways to trick Tesla’s AI into misreading the road and in some cases changing lanes into the wrong lane, the one meant for use by oncoming traffic! While headlines use inflammatory words like “into oncoming traffic”, the researchers did not find that the lane-keeping mistake would cause the car to drive into an obstacle like an oncoming vehicle, something its sensors would definitely detect — nakedsecurity.sophos.com/…
  • CloudFlare have announced a new freemium VPN service to complement their 1.1.1.1 DNS resolver. The new service is named Warp, and is available as a limited preview at the moment. The company are very explicitly promising not to track users or sell their data — www.imore.com/…

Suggested Reading

Palate Cleansers
