Do Android Updates Matter?

August 11, 2019

I was browsing through The Loop this past Friday morning and came across an article by Dave Mark titled "iOS adoption, 90%. Android Pie adoption, 10%. Does it matter?". Near the end of his article, Dave invited the reader to correct him on Twitter regarding his question about whether or not it matters, from a security perspective, if users are on the latest version of Android. I'm not on Twitter (in fact, I eschew most social media), and as such, I thought I would post this instead. I think it will provide a more in-depth response than a tweet anyway. :-) In short, the answer to Dave's question is nuanced.

First, a few things to note. I'm an iPhone user, having switched in July 2018. Prior to that, I was an Android user for five years. I'm experienced with custom ROMs, unlocking boot loaders, and the inner workings of Android. I'm a fairly technical nerd. :-) Common security best practices such as not downloading strange apps, being careful where you go on the web, and not clicking links in texts, emails, etc. apply equally to Android and iOS. Those things being said, the official answer to Dave's question is as follows: from a security perspective, it matters less whether an Android user is on the latest version of Android than it matters whether an iPhone user is on the latest version of iOS. Let me explain...

When I am talking about Android here, I specifically mean Google-blessed Android that can download applications from the Google Play Store. I am not talking about a) Chinese and other market Android devices with no Google involvement and/or b) Fire tablets, IOT devices, etc. Those devices in the former category, while great in number since the Chinese market is so large, are not representative of most Android devices in the US.

So, with that out of the way, all Google-blessed Android devices ship with a privileged system app called Google Play Services, which is updated through the Play Store rather than with the OS. Google uses Play Services to deliver (even as far back as version 4.4, KitKat) updates to various lower-level services that run on the device. In fact, over time Google has been decoupling a lot of services, processes and features from Android itself (i.e. the Android Open Source Project (AOSP)) and moving them into components that update through the Play Store. What this essentially means is that Google can push security updates to those services and system-level apps through this mechanism, regardless of the Android version on the device. An example of this is the Find My Device tracking feature (locate, lock or wipe a lost phone), which Google rolled out to nearly all users through Play Services. Another example of a feature that was rolled out universally through Play Services is Google Play Protect, which scans the apps installed on the device for known malware. The Safe Browsing feature was also pushed out to users via Play Services.

Now, there are some things that still require updates to the core OS itself and cannot be fixed through Play Services: the Linux kernel, the bootloader, device drivers and firmware, and the system framework. This is why Google introduced the monthly "Android security patch level" (the date shown under Settings > About phone) and requires all OEMs that sell phones with Google-blessed Android that have been activated by more than 100,000 users to roll out security patches to those devices. My son uses an unlocked Moto G5 Plus, which runs Android 8.0 (Oreo). While this phone will never receive Android Pie (9.0), it still continues to receive security updates.

Furthermore, the architecture of Android is secure out of the box, due to controls including but not limited to process isolation in the Linux kernel, a per-app UID model (each app runs as its own Linux user), application sandboxing, SELinux mandatory access control, and verified boot. Yes, one can choose to install applications from outside of the Play Store, but that is not enabled by default, and one must acknowledge a security warning before doing so. Even then, Play Protect continues to scan the device. For most users, not installing apps from outside of the Play Store is enough to prevent most malware. Yes, there have been occasions where Google does let malware slip through and enter the Play Store. However, this is typically caught pretty quickly. I would argue that the same holds true for iOS as well, and there have been occasions, albeit rare, where Apple has had malware distributed in apps available within its App Store.

Because of the modular nature of Android and the Play Store, Google also ensures that app versions are up to date, no matter which version of Android you're on. Take for example Google Chrome. As the default browser, it is the way that most users will interact with the web, either through the full browser itself or through WebView. Neither Chrome nor WebView is updated with the OS; both are updated through the Play Store. This means that the same version of Google Chrome (with the same features and, more importantly, the same security patches) is available on devices even as far back as KitKat (4.4). (One caveat: Android System WebView only became a separately updatable package with Lollipop (5.0); on KitKat the WebView component is still tied to the OS build.) Contrast that with iOS and Safari. If you're not on the latest version of iOS, you don't have the latest version of Safari. Yes, sometimes Apple does issue out-of-band security patches, as it recently did with iOS 10, but it is a rarity. (Also, I think that fixed a GPS issue and nothing with Safari.)
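A practical way to check the two things the previous paragraphs describe, the device's security patch level and the Play-updated WebView version, is to read them over adb. The script below is an added example (mine, not code from the original post, from Google, or from any OEM). It parses the output of two real commands, `adb shell getprop` and `adb shell dumpsys package com.google.android.webview`; the property name `ro.build.version.security_patch` and the `[key]: [value]` and `versionName=` output formats are Android's own. The sample outputs embedded in the script are constructed for this example, not captured from a device, and the 90-day staleness threshold is an assumed policy of mine, not a figure from Google.

```python
# Added example: audit an Android device's patch freshness from the text of
#   adb shell getprop
#   adb shell dumpsys package com.google.android.webview
# The sample outputs below are constructed, not captured from a real device.
import re
from datetime import date, datetime

# Constructed sample of `adb shell getprop`, trimmed to the lines we need.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.sdk]: [26]
[ro.build.version.security_patch]: [2019-06-01]
[ro.product.model]: [Moto G (5) Plus]
"""

# Constructed sample of `adb shell dumpsys package com.google.android.webview`.
SAMPLE_DUMPSYS_WEBVIEW = """\
Packages:
  Package [com.google.android.webview] (3f8c2a1):
    userId=10045
    versionCode=357500010 minSdk=21 targetSdk=28
    versionName=75.0.3770.101
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
"""

# Reference date for the sample report (the date of the post).
AS_OF = date(2019, 8, 11)

_GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def security_patch_age_days(props, today):
    """Days between the device's security patch level and `today`.

    Returns None when the property is absent (builds older than Android 6.0
    do not set it), which the caller should treat as 'unknown, assume stale'.
    """
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    patch_date = datetime.strptime(raw, "%Y-%m-%d").date()
    return (today - patch_date).days


def parse_version_name(dumpsys_text):
    """Extract the versionName= field from `dumpsys package <pkg>` output."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_text, re.MULTILINE)
    return m.group(1) if m else None


def audit(getprop_text, webview_dumpsys_text, today, max_patch_age_days=90):
    """Summarise the device's patch state.

    `max_patch_age_days` is an assumed policy threshold for this example, not a
    Google figure: a patch level older than that, or a missing one, is flagged.
    An old Android release with a recent patch level is NOT flagged, which is
    exactly the Oreo-but-still-patched case discussed in the post.
    """
    props = parse_getprop(getprop_text)
    age = security_patch_age_days(props, today)
    webview = parse_version_name(webview_dumpsys_text)
    return {
        "model": props.get("ro.product.model"),
        "android_release": props.get("ro.build.version.release"),
        "security_patch": props.get("ro.build.version.security_patch"),
        "patch_age_days": age,
        "patch_stale": age is None or age > max_patch_age_days,
        "webview_version": webview,
        "webview_major": int(webview.split(".")[0]) if webview else None,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_GETPROP, SAMPLE_DUMPSYS_WEBVIEW, AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against a real phone, replace the two constructed samples with the captured command output (for example `adb shell getprop > getprop.txt`) and compare the reported WebView major version with the current Chrome release; a patch level more than a few months behind Google's monthly bulletin is the signal that the OEM has stopped shipping the OS-level fixes that Play Services cannot deliver.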

What about preinstalled malware? There are many articles such as this one that sound the alarm on this issue. The sad reality is that the market is so vast and the ecosystem so fragmented. As a result, one really does have to be careful which phones one purchases. Samsung (yuck), LG, Google's own Pixel line, Motorola, OnePlus, and Nokia are all basically safe, reputable bets. BLU and some of the other "budget" manufacturers have been suspect. Bottom line, it comes back to the moral compass of the manufacturer in question and how the supply chain is secured end to end, from manufacture to consumer. Just food for thought, and not to cast doubt on Apple or iOS (and again, I use an iPhone), but who's to say that an iPhone could not be compromised somewhere along the supply chain? There is no proof of this happening at the moment, but it could happen.

I often get asked by folks what phone to get. The first thing I always start with is budget, and unfortunately, this is something that Apple really should improve upon. They need a "budget" iPhone that is not an older model. I got my SE for $240, but it won't get updates after iOS 13 (presumably, based on Apple's past update precedent). Depending on budget, or other factors such as whether or not they want a device with more options for customization, I usually do recommend an iPhone. However, there are a lot of really good Android devices out there. I have recommended a Pixel for some. I recommended a OnePlus 7 to one of my wife's friends, and she seems to be very happy with it so far. Both my boys (17 and 14) use Android by preference, and they are happy with their Moto Gs (G5 Plus and G6 respectively). My youngest son is actually on his second Moto G.

I hope this helps shed some additional light on the Android security model. While it is different from iOS, that does not necessarily mean that it is not as good, or that users of older Android devices are all using phones that are plagued by malware.

