Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Modern Android is pretty secure (palone.blog)
81 points by p410n3 on July 2, 2020 | hide | past | favorite | 113 comments


Sadly I don't think Android as a platform is less secure. but still, in comparison to iOS (the common comparison) or desktop platforms. Most phones stops getting security updates earlier than the other platforms.

I had a Nexus 4, Nexus 7, Nexus 5X. All which should get top notch security updates. stopped where other platforms kept getting updates.

Just a few days ago I saw on HN some great news for Android (https://news.ycombinator.com/item?id=23692257). but again, this isn't a security update. It a broader security improvement equivalent to a major update on other platform.

While my 1st iPhone SE will get iOS 14, my Nexus 5X is still on Android 8.


> While my 1st iPhone SE will get iOS 14, my Nexus 5X is still on Android 8.

Google has improved this in the Pixel line, with three years of updates. https://support.google.com/pixelphone/answer/4457705

My original Pixel (2016) received Android 10 last year. That's pretty good.


Three years of updates is better than it used to be, but iOS devices average around five years of support, and I'm not sure that's enough either. Hardware devices should receive security updates until they start physically failing.


The original iPhone SE is about to start it's sixth year of OS and Security updates.

That's less than $70 per supported year.


> Hardware devices should receive security updates until they start physically failing.

That's just entirely unreasonable. I recently dug my original iPhone (now 13 years old) out of a box and it still works fine, but, you can't expect Apple or Android to support 13-year-old devices.


Consider that Windows 10 still runs on some 13 year old devices. macOS supports devices almost eight years old. That's MUCH longer than the average mobile support period. Desktop/laptop users can also switch to Linux after the support period ends to extend the life of their hardware further.

If mobile vendors can't do that, then they should limit support to the expected life span of a the battery under average daily usage conditions, starting on the date that device sales are discontinued. That's certainly less than 13 years.

Alternatively, the manufacturer could just unlock the boot loader after the official support period ends and provide the community with the resources they need to support the device.

Some people will continue to use their device until it is no longer functional. Either they can't afford frequent upgrades, or they're trying to reduce electronic waste, or whatever. It's wrong to strand those users on an unsafe platform.


It is reasonable to not support 13-year-old operating systems but there shouldn't be any reason current operating systems can't support old devices. Certainly Linux based operating systems manage to do that.


this is exactly why Apple still rock at phones

you may choose Android for the specs, guess what, your phone will still get deprecated in 2 years


Hmm. My $170 phone from the middle of 2014 is still working perfectly and shows no signs of being "deprecated". Every application I use gets frequent updates, including the browser. I don't have to worry about targeted attacks (as I am not a billionaire/movie star/CEO of a large company/whatever), and a new shiny iPhone won't help with those anyway. µBlock Origin (with JS disabled on most sites) protects me from everything else.


Yeah the security patches are still worth thinking about. There was a Media Framework bug that needed nothing but a PNG on your phone to get RCE and there was a bug with the bluetooth stack this year which also could achieve RCE when your bluetooth was turned on and an attacker knew the BSSID

PNGs are easy to send and in times of Contact Tracing via Bluetooth... well there are certain risks to running unpatched


Apps may be getting security updates, but when was the last time that the version of Android it's running was patched?


Isn’t that the point though? Your phone works perfectly, shouldn’t it still receive OS updates?


Didn't we recently learn that only Android 10 prevents background apps from constantly watching the contents of the clipboard?


For a lot of folks, especially those at Hacker News, that is totally fine. It is interesting how people's perspectives change when it comes to defending their choice. So in this case, yeah Android seems secure but what happens after 2yrs - even though that point doesn't apply to them. Call out what is important to you vs. just talking about averages.


I’m on hacker news and I care about the environment. I don’t want perfectly good hardware going in to landfill.

Apple supporting their phones for 5+ years is good, and they should be commended for doing this, but we should be introducing laws to make sure all manufacturers are doing this to a reasonable level.


Aside from gaming, which isn't prevalent aside from casual games in NA and EU to my knowledge, I'm not sure what someone may possibly need it's phone for where something like a S7 (a bit more than 4 years old) isn't largely sufficient. Not a diss on Apple, I think the iPhone 5 is vastly better than circa-2012 Android phones, I just disagree with the premise of throwing phones every 2 years as being remotely necessary (perhaps until the next paradigm shift in computing/web/mobile usage where current tech starts to be too sluggish).


Yeah but in the context of security your point is moot. No more updates means no more security patches, right? Throwing phones away every two years is of course not necessary, an Android phone from 2012 is probably perfectly usable - yet horribly insecure.


Yeah I could have amended about security, but I was replying to a comment about specs and Android phones being deprecated after 2 years, which I don't interpret as being security-related.


Fair enough, I was thinking in context of the overall thread. Cheers


I had an S3 from launch for ~7 years before switching, and it was completely unusable by the end. Most websites and big-name apps halve in performance every 18 months or so. Doesn't help that your battery will be on its last legs by then. 2 years is definitely much more often than required, but until ad-tech corps and web developers call off the assault, we're stuck on the phone treadmill to some degree.


on Apple’s case, means good app experience for the users and the developers. for example, SwiftUI comes to iOS 13 or later. If most devices were to be left off without updates(which is the case with Android) most developers would be hesitant to pick up the newer shiniest technology. apps on android still tend to be ugly and old fashioned. sure, there’re exceptions but generally apps on iOS are fresh and consistent probably because developers can depend on the users having the latest platform.


Thus LineageOS (for those who want droid), or in the future postmarketOS (for those who don't care about app support).

No, neither of these support all android phones, but they each support several.


So many phones can't install those, though. Like every single US Samsung model.

If we had a law forcing phone makers to unlock bootloaders once support ends, then we could talk.


> So many phones can't install those, though. Like every single US Samsung model.

Unfortunately true. If you were going to want to use either of these you would have to purchase a phone specifically for it. The only reason I brought these up was the parent comment implying the purchasing of phones anyways.

> If we had a law forcing phone makers to unlock bootloaders once support ends, then we could talk.

Honestly, this would be amazing. This is one of the reasons I haven't purchased a phone yet, and am waiting on the PinePhone to become a viable daily driver.


I'm a long-time fan, but Lineage breaks the Android security model - knowingly.

Other AOSP variants are more secure by an order of magnitude.


> Lineage breaks the Android security model - knowingly.

That's gonna be a big nope from me then. I was unaware of this, thank you for bringing it up.

I've been mostly unsuccessful trying to find other android variants that appear to still be maintained, would you mind pointing me towards one? I'll probably still wait for the PinePhone, but I'd like to stay knowledgeable on the subject.


GrapheneOS might be something you like.

https://grapheneos.org


Thank you, this is super interesting and may well wind up being something that I wind up using in the future.

I noticed that it only officially supports the Pixel devices.

I've always avoided the Pixel devices because I assumed that the firmware was closed source and therefore a privacy issue, especially coming from google.

However, the FAQ states "These devices meet the stringent privacy and security standards and have substantial upstream and downstream hardening specific to the devices."

Am I mistaken about the Pixel drivers being closed source? If not, how is this statement verified?


The author doesn't mean that the drivers are open source. It's impossible to have a device with all drivers open sourced at the moment, hence the Pinephone. From the "supported devices" faq:

"Devices need to be meeting the standards of the project in order to be considered as potential targets. In addition to support for installing other operating systems, standard hardware-based security features like the hardware-backed keystores, verified boot, attestation and various hardware-based exploit mitigations need to be available. Devices also need to have decent integration of IOMMUs for isolating components such as the GPU, radios (NFC, Wi-Fi, Bluetooth, Cellular), media decode / encode, image processor, etc., because if the hardware / firmware support is missing or broken, there's not much that the OS can do to provide an alternative. Devices with support for alternative operating systems as an afterthought will not be considered. Devices need to have proper ongoing support for their firmware and software specific to the hardware like drivers in order to provide proper full security updates too. Devices that are end-of-life and no longer receiving these updates will not be supported."

Source: https://grapheneos.org/faq#device-support


Thank you for the info and being so responsive to my questions. Sorry if I'm slow, this is outside of my normal range and my duckduckgo-fu is weak on this subject.

I saw this part of the faq, but it was a bit beyond my comprehension.

This is an extremely interesting topic to me however, could you point me toward where I could do better research on the topic? I'll keep looking around myself and post something here if I see it for anyone else who's interested.


Asking questions is not a sin. I will endeavour to answer where I can. :)

I'm no expert in this area myself (read as I've been educated by the internet and been too lazy to dig deeper), but I hope this reddit thread[0] leads you to some answers. Daniel Micay is the author of GrapheneOS, formerly CopperheadOS.

[0]: https://www.reddit.com/r/GrapheneOS/comments/bddq5u/os_secur...


Thank you :)

This link does seem like a good place to start, thank you much.


+1, this all day, over Linux phones with dubious security models/hardware switches that just delay exfiltration if it's going to happen on a non-verified boot device.


In what way does Lineage break the Android security model?


> deprecated in 2 years

They get security updates for 3 years (longer for enterprise devices). System libraries and builtin apps such as browser are updated via play store indefinitely.

But how many people _really_ use a phone more than 3 years?


Anecdotally, most of the older folks I know will use hardware until it disintegrates because they don't use many apps and "it still works." I've seen a seven year old iPhone 5C in the wild.


I totally agree.

Pixels are getting better, and Samsung flagships are getting their OS updates for 2-3 years and an additional 2 for security patches. That is.. barely good enough in my eyes.


It might be "secure", but almost every app is exfiltrating my personal information by using crashlytics, facebook and co.

Who needs security when the apps do it by design.

Check your firewall logs, or use a root/no-root firewall, it's frightening.

Edit: click the screenshots at https://play.google.com/store/apps/details?id=eu.faircode.ne... to see an example. Fourth picture "Access attempts"


Amen. My guess would be that 90% of Hacker News readers use a desktop browser ad blocker, but <10% have a tool like Blockada installed on their phone.


10% seems low. On Android Firefox supports extension so a lot of people are having exact same extension on desktop and mobile.


I even got uMatrix.


On iOS I use AdGuard Pro, which offers DNS and safari protection, but I normally use chrome. On my home network, i have a pi-hole as well. Is Blockada just DNS blocking or is there more to it?


Looks like just DNS blocking using VPN API. I use a different method for system-level adblocking on ios. I temporarily jailbreak, supervise the device, and install easylist's pac to block connections without an external server. Jailbreak is removed after it is set in place. Guide: https://www.reddit.com/r/jailbreak/comments/dbdb8x/tutorial_...

The only downsides I have seen to this method are it's slightly annoying to initially install and if github goes down (where the pac is hosted), phone network connectivity goes down until it comes back up.


Many of us don't have any app that contains ads (maybe except twitter/instagram/reddit etc.. but I don't find them much disruptive).


Netguard is such a wonderful tool. Highly recommend either the free or paid versions.

It's a shame Android doesn't allow vpn chaining though, because netguard creates a local vpn connection you can't use it with an actual vpn simultaneously.


I would like to see Netguard add global blacklisting, e.g. to blacklist fb for all applications, not per-application.


Yeah, I would love to see that.

I think the author could take the same engine and create a new so that just blocks trackers and Facebook and people would gladly pay for it.


This is the main issue I have with app security. It would be great if one could deny network access to apps. I would be much more willing to install many apps if I knew they would keep the data local and not be able to send my data to some insecure cloud service for sale to the highest bidder behind my back.

It would be cool if app stores showed which apps require network access and which don't.


Googles decision to give all apps full network access to "improve user experience" was the worst thing that happened to security and privacy.


On Android you can do exactly that with an app like NoRoot firewall:

https://play.google.com/store/apps/details?id=app.greyshirts...

For example it helped me find a trustworthy e-mail client (K-mail) by only allowing network access to my email server.


That is cool but now you're relying on some random third-party app developer for your security/privacy. Even if they're good people, there's nothing to stop them from selling it to some jerk that will enable their own apps to bypass it and/or enable other shady developers to bypass it for money.

This kind of software can also be difficult to get right. There may be ways to easily bypass it.

If Google did this, I'd seriously consider going back to Android.


There appear to be at least one open source thing that does the same: netguard


AdAway and AFWall+ solve that. As long as I can root my device, I'm good.


But, no verified boot?


Crashlytics is necessary unless you want shite software.


There's a rather large selection of good-to-extraordinary software that doesn't use any sort of analytics/auto-reporting. Off the top of my head, GNU coreutils, and BSD flavor, sqlite, qmail, (neo)vim, emacs, GIMP...



> Apport will notify you about the crash and offer to file it. Do that.

I wouldn't call it auto-reporting when the user has to agree first; consent is the sticking point. (Same for abrt) (granted, I should have been more precise and I suppose that is automated in a sense; I took "automatic" to mean "without asking")


It's almost like you can ask your users to help with automated one-touch bug report submissions, instead of taking the data without asking.


Those are all CLI/desktop apps and stable as they've been around for decades. They also had supportive communities to file bug reports, changelists, etc..

You can hardly compare coreutils to smartphone apps.

As someone who deals with Android fragmentation daily, you wouldn't believe how hard it is to support the whole ecosystem. Disliking analytics I can understand, but crash reporting adds measurable improvement in the quality of software.


Yeah, I realized halfway through my list that I was mostly listing infrastructure; that's why I tacked on editors and GIMP. The original claim was that analytics were required to avoid software being terrible, and I mostly wanted to point out that this is obviously false; kind of software and community support make an impact, but they're not a hard requirement, and at any rate I think we're moving the goalposts here.

> You can hardly compare coreutils to smartphone apps.

Indeed; coreutils works on an absurd variety of unix-family systems, is copyleft, respects privacy, and is high-quality. If smartphone apps were more like coreutils, we'd all be better off.

> As someone who deals with Android fragmentation daily, you wouldn't believe how hard it is to support the whole ecosystem. Disliking analytics I can understand, but crash reporting adds measurable improvement in the quality of software.

I do understand where you're coming from; while I don't have skin in that game, I'm passingly aware of the remarkable ways that vendors break their systems. And honestly, if you get user consent, I don't actually have a problem with having the app report problems to you. It's just the "send information about the user's system without asking" thing that I object to.


Right now we have shitty software _and_ a crashlytics that phones home constantly for no apparent reason.


The Open Source nature of Android might have something to do with it as well. It is interesting to compare iOS and Android in terms of how visible the source code is and how much vulnerable a system can be in effect.

Here's an interesting article that goes in depth about the concept: https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/o...


Android is less open source than it used to be. I wonder what percent of the vulnerabilities in Android are in the open-source portions (kernel, system libraries) vs the framework/apps.


I think it is all listed here: https://android.googlesource.com/

It's interesting to see how they call out repositories specifically for different manufacturers (ex. Samsung, Sony).


Meta but having the full post in a modal feels... off.


Like the 2 scrollbars right next to each other. Works better than I would have expected, though.


There's something about a SPA for a blog that feels completely wrong...


You can happily browse the noJS version at wp.palone.blog


This should be your default :)


The disadvantage of that one is that it doesn't seem to support links for individual posts.


Well. Tastes are different


I should note that these things can only keep your device secure if they’re not buggy, and most platforms offer these features. The difference is quality of implementation and which ones keep them up-to-date when problems are found.


This article wholly misses the point. Android is not a secure OS because it enables and allows behaviors that make it leak data and protect the user poorly. Security isn't just a matter of not having memory vulnerabilities or using good encryption.

That's where Google and it's advocates have failed to understand what security is. Security is keeping something safe. And with the amount of data exfiltration Google's default platform plus the apps it allows and encourages do does not do a good job securing your information.

When a user installs an app that does behavior they didn't expect or intend to permit, that's a security issue, even if the platform APIs allowed it.

The difference in how Apple and Google approach Web APIs discussed a couple days ago highlights this: Google added a ton of APIs that lets websites do stuff with your computer, Apple decided they are risky and chooses not to implement them. Google would say the user has to give permission for those APIs to be used, so there's no security flaw if a website uses them maliciously: The user gave permission. Whereas, Apple would recognize the benefits to the user are minimal compared to the risk when the user grants permission unintentionally, which happens all the time for other web APIs like push notifications and even extension installs.

Practical security and technical security are two different things. Google does not even comprehend the former, while receiving wide accolades for their expertise at the latter, as in this article.


> Android is not a secure OS because it enables and allows behaviors that make it leak data and protect the user poorly.

I am going to bite. You are just biased. Google adds more APIs because it doesn't have much interest in limiting some features to Play store, because Play is a such small part of their revenue. Apple would benefit if things are only possible through native apps because sweet 30% rent.

That said Google isn't exactly dumb but they aren't well organised in terms of Android - some areas get focus while others not. They even made it harder for external contributers of Android Open Source Project by following Google style monorepo patterns.

Contrast to Apple where mobile OS is their core business and they have to do it well.


If this is the case, then all desktop Linux distros are unsafe as well.


Now if only I could get the Pixel (or generally clean Android) software experience on Samsung hardware....


Oneplus?


OnePlus is a terrible company. I purchased one of their phones, I had some issues with the device within the 30 day return period. It was a popular issue, I think it was ghost touch but it has been a while. Anyway, in order to get a refund I had to do a charge back with my CC company.

I am pretty confident my next phone will be an Apple device. I was an Android fan, purchased all google/nexus devices starting with the G1. I had problems with many of those devices. I have switched to Samsung, but the amount of garbage on the phone still annoys me. Therefore, it is time to try iOS.


Oneplus had some occasional hickups in the support department but I don't think their hardware is significantly better or worse than anyone else.

What I really like about OnePlus is their software. It's hands down the best Android version ever created. Love their additions to vanilla OS.


OnePlus has a history of breaking basic Android security features. For example:

- https://www.xda-developers.com/oneplus-6-bootloader-protecti...

- https://www.xda-developers.com/two-critical-oneplus-33t-boot...

While OxygenOS is smooth and not bloated and their phones are cheaper than other flagships (in some markets at least), their security record isn't the best.


Not saying they are without faults, but if that's all you get on them then they are pretty damn secure.


The first link is about a flaw that allowed the OS to be replaced without the user knowing. It's the opposite of "pretty damn secure".

And they had other security issues, both with their phones and servers. I'm sure you can find more info with a quick search.

OnePlus makes good phones, but this thread is about Android security... and they don't have the best record.


No band 14 support :(

I admit this is a niche issue, but it's critical for me.


Why? What don't you like?


All of the extra Samsung apps. The themes are absolute dog shit. The members app doing a push notification that I haven't rebooted my phone in 7 days like I'm still running Windows 98. The garbage games they install by default. The fact that the UI of said apps doesn't match the rest of Android at all. Bixby existing. Ads in their apps.

Samsung Pay is OK, and I love the magnetic stripe emulation, but I hate that I need to auth again even though I've already unlocked the phone.


I never got ads in any of the Samsung apps, I keep hearing this but never saw it in my lifetime using Samsung phones.

Also don't know what are people's problem with Touchwiz. It's a launcher, why are people so anal about a launcher? It does what it's supposed to do and stays out of the way.

I chose Samsung because of the value it brings in software, particularly Knox and support for app containers. Their hardware ecosystem is also quite fleshed out, although I haven't buy into it yet.

No other phone manufacturer comes close in terms of value.


I am NOT a security export, just an observer, but saying "Contrary to popular belief, modern Android is pretty secure." (Which is how this post finishes) sounds pretty much like something I'd agree with, but saying "Your Android might be the most secure device you own" isn't really something that I'd agree with as much.

I don't even know how one would really measure these things in a reliable and objective way. Do we compare it to IOS or Windows or ChromeOS or MacOS? Which version of Android and so on.

The post picks out the best things about Android, nothing wrong with that, but isn't that just ignoring all the problems with Android? I agree though, Android is pretty secure, but so is everything else.


Hm guess I subconsciously chose an clickbaity title...

Well in my case, I use Debian as my main operating system on my Desktop. Debian is great, but as a classical desktop OS it does not have those cool security things like app sandboxing, permissions management (camera acces etc) and stuff like that. Which makes sense, since mobile Operating Systems were designed from the ground up way later and also seem to move at a faster pace. The fact alone that almostt all ANdroid Apps run in the JVM and are written in memory safe languages is a huge plus that the GNU/Linux family does not have. (Solely speaking about security, I wouldnt want my /bin/sh to be in java)

In my particular case, it suprised me to find out that my android is the most secure device I own. Thus the title (and the intention to wrote this post).

So yeah, misleading title. Kinda. My Bad. Updated the title


The big difference between Debian and Android is that with Debian you don't generally want or need to run untrusted or untrustworthy 3rd party code. Instead your software comes from trusted source with maintenance promise and security updates. And I'm starting to think that is better model than trying to sandbox and lock down everything; the world needs more trust at certain places. In contrast you are no way able to trust random Android apps, neither the quality or the intentions, so you are left with actively hostile relationship between you, the OS, and the apps.


I'm saving this. Very good point


I feel that most OS (Windows, Mac, Linux, iOS, Android) have continued to improve security but at the same time reduced privacy.

If that's true, is there a TailsOS equivalent for phones?


I really don't see how improving security and reducing privacy are related: like generating fingerprints of installed programs, or scanning the memory, disks for malware and reporting results to the OS provider/device manufacturer and mapping the results to a user account or an ip address ?

For me improved security was more synonym to degraded performance.


Hard to do I think. Even plain old "linux but for phones" is pretty difficult at this point because:

--most drivers and hardware specifications are proprietary, and probably secret under NDA

--most bootloaders are cryptographically locked and controlled by vendor

--necessary wifi and cellular modem hardware is the same, and are also patent minefields even in the foundational platonic ideals of design, as is mobile graphics hardware

--the modems are subject to regulatory requirements that they be secured from modification by the user/owner of the device

Secure in this context means secure from the user and device owner, which can arguably be for good reason -- think of an ATM kiosk, for example.

So no "tails for phones" yet, but people are trying. Check out postmarketOS, lineageOS, replicant, sailfish. Last I tried things were still kind of science project, like 90's style linux.


Adding ubports to the list- I have it on my Pinephone and can place and receive calls, send and receive SMS, and utilize GPS. There are some features that don't yet work on Pinephone like MMS but it's on the threshold of being daily-driver worthy.


Sounds great. Is the battery life OK? Was it hard to get the phone?

To be clear, I see some measure of compromise as totally reasonable if one's goal is to get on an open os...


Users on Pine64.org have reported their devices can run 14 hours on idle and my own experience is the battery will last all day with moderate usage. Getting it on the phone is as simple as getting Raspbian on a Raspberry Pi, you just flash the image onto an SD card.


There's GrapheneOS. It's really good, but it's not really focused on not leaving a trace.


I feel as though the improvements in security lend themselves to improvements in privacy, and vice versa, in a rather linear relationship.

That being said, privacy factors are primarily user-choice in that it is the optional apps and programs that compromise privacy, even if the privacy breaches are less-than-voluntary, as seen in the recent clipboard skimming scandal. Making an OS more secure by limiting unauthorized access to information like the clipboard is both more secure and more private.


You can use the phone as an access point, and then have an additional secure wi-fi device.

A wi-fi only Android tablet that doesn't require proprietary blobs to run vanilla Linux might do.


The Firefox OS but nobody is using it.


It lives on as a fork: https://www.kaiostech.com/


AS long as you do not start installing apps, and avoid using some vendor pre-installed apps.


Maybe a pure Android phone is secure but the reality of most phones is a dozen of system and store apps deliberately spying on their users.


I think people are more concerned about the data Google and apps mine from their devices than the type of encryption.


Then it should not allow apps to ask for permissions they don't need. Just a thought..


HN title is misleading clickbait.

The article says that modern Android security is pretty good, listing a number of Android's security features and recent improvements, but the author never tries to make the case that it's "the most secure device you own".

There's also zero comparison between Android and any other operating system that would be required to support the HN title's conclusion.

Also, Android isn't a device, it's an operating system. An operating system is only as good as the devices it's put on; a deeply insecure device isn't going to magically be made better just be installing Android on it.


It’s the author’s own headline


The headline was updated since I wrote that comment.

The original headline was "Android might be the most secure device you own".


Yeah guess the mods did that or something. I just updated the original title :)

Read here: https://news.ycombinator.com/item?id=23714416#23716962


Random nitpick: I wish each post has what I'll call "full page scrolling". You have to hover your mouse over the actual post to scroll it or you end up scrolling the background.


I'll keep that in mind and will probably fix this... Someday


Learned something today. Android is a device.

I always thought it was an os by Google based on aosp(also Google..).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: