No, Google’s Sundar Pichai Didn’t Say Android’s Openness Makes It Less Secure

This morning at Mobile World Congress, Google’s Sundar Pichai discussed Android’s security and the impact of its ‘openness’ thereof.

A local site quoted Pichai as indicating that Google’s Android operating system was, to quote one reblog of the comments, “not designed to be safe, it was designed to be open.” Naturally, something of that nature caused a stir. Google admitting that Android is inherently insecure due to its core tenet of openness?

Unsurprisingly, that’s not what Pichai actually said. In fact, he made the opposite point, arguing that Android’s openness actually makes it more secure, not less. 

TechCrunch secured a transcript (in English) from Google of the relevant portion of the event. Responding to a question contrasting the security position of Android and iOS, Pichai said the following (Bolding TechCrunch):

Sorry, the premise of the question is because Android is open, it has more security issues? Respectfully, I’m not sure that’s a correct premise of the question. Open platforms historically undergo a lot of scrutiny, but there are a lot of advantages to having an open source platform from a security standpoint. I would argue that it’s the best way for a platform to be secure, because every researcher in the world can inspect it, every developer in the world can inspect it, and I think that contributes a lot to Android security.

Android was built to be very, very secure. The thing that you’re seeing is because Android is an open platform, many people can ship Android in many different ways and so there are some partners when they ship devices, they have an older version of Android. And sure you can have a security vulnerability there, but that doesn’t mean Android isn’t secure. We go to great lengths–the depth of work in Android to make it secure; the depth of work done by Google Play…Google Play automatically scans and verifies thousands of applications for malware. We track data on this. It’s state of the art in terms of what we do. What you see across the ecosystem…people will ship good phones and keep them updated…you will have some phones that will not be updated. That’s where we see issues. Not Android at a fundamental level.

Pichai’s point that the fragmentation caused by OEMs shipping outdated — and thus intrinsically less secure software — leads to non-Google-sourced insecurity is fair. He’s asking that the security quality of up-to-date Android be compared to iOS.

That’s not to say that Pichai isn’t trying to have it both ways. If the openness that he heralds helps keep the most recent Android build secure, but also allows for the shipping of dated, unsafe code, the openness of Android is both positive and negative. Thus, OEMs and carriers are making Google’s security work harder by selling phones with old code, and then failing to provide brisk updates.

Apple’s un-open platform handles its own updating, making platform fragmentation roughly a non-issue for iOS.

In response to another question, Pichai doubled down on the issue of updating:

As long as you’re on a phone and able to update, Android is very very secure. It’s designed to be very very secure. I would go as far to say — open systems are far more secure. We do this on the browser side. Chrome is very secure. The fact that some things are open, by any stretch of the imagination, does not make it any less secure.

And finally, Pichai discussed why Android might be a larger target for abuse. Studies have indicated that something akin to 99.8 percent of mobile malware targets Android. This matters as Android now occupies in a great many ways the old market position that Windows held onto for decades, that of being the defacto platform in terms of unit volume.

Windows got dinged for years because if you wanted to hack the most users, you went to where most of them were. Then: Windows. Now: Android-ish but still Windows as well. (Android is larger than iOS, but that alone can’t fully explain why Android is targeted orders of magnitude more often than iOS. Other factors exist. So, we shouldn’t let Google throw its hands in the air, shout “we’re so popular,” and give them a pass.)

Here’s Pichai:

Malware targets where users are. When you say numbers like 90% of malware is targeting Android, you know, I hate to point out that if you’re a smart business person running this malware company, that’s what you should do. It’s the wrong way to look at the lens. Obviously, you will always see more malware targeting Android because Android is used more than any smartphone platform by a pretty substantial difference. I think that drives a lot of it so I understand that part of it. What matters much more is – as a user, if you use Android, are you fundamentally more compromised? We don’t think so.”

Want to exploit lots of phones? Attack the tighter controlled platform with smaller market share, or the larger, more open platform that has fragmentation issues leading to material weakness?