Android Stagefright: The heart attack that never happened

The extremely exaggerated risk of the Stagefright vulnerability may have precipitated an improvement in the Android security model.

Since Joshua Drake of Zimperium announced on Twitter his talk at the Black Hat conference, speculation in the blogosphere has been rampant.

If some of the claims were true, Android phones would be exploding into flames. Since the introduction of version 4.1 Jelly Bean, Android has been protected from buffer-overflow vulnerabilities such as Stagefright with Address Space Layout Randomization (ASLR). A glance at the chart below reveals that 90% of Android devices are protected by ASLR. Drake's estimate of one billion Android devices affected by this vulnerability was inflated.

[Figure: Android chart]

It certainly did create anxiety, though. Android users were so anxious about the possibility of something really bad happening that the Google Trends chart for the word “stagefright” spiked, with over two million search results.

[Figure: Google Trends chart]

Compared to iOS and Windows 10, Android’s security model is better in every respect but one. Updates to the core operating system have been unpredictable and slow. Google has produced regular updates to the Nexus line of devices it sells through its Play store. But the adoption of new versions, patches, and improvements by Android OEMs has at times been spotty. Often, Android OEMs have required the cooperation of mobile carriers to distribute updates, adding more complexity and dragging out the process.

Though Stagefright only affected a small fraction of the estimated one billion devices, the possibility of a vulnerability of that scale may have forced Google and many of its Android OEMs to commit to monthly updates. Like a patient who eliminates health risks after experiencing the warning signs of a heart attack, Google and its Android OEMs have eliminated the risk of a vulnerability affecting the entire Android platform.

Now, with regular updates, Android’s security model is much better than those of iOS and Windows 10. Android source code is available for the security community to examine. Open source makes Android a good subject for commercial and academic researchers to test theories and postulate vulnerabilities. Google will pay a bounty for verified vulnerabilities.

Google implemented on-device safeguards a few years ago with its VerifyApps module that checks apps at installation and scans apps for potentially harmful behavior. Google also has applied its substantial big data and machine-learning skills to predict where Android exploits will come from next.

Since the Virus Bulletin conference in 2013, Google has quantitatively reported the state of Android security and the number of harmful apps that have penetrated its ecosystem. The Android Security 2014 Year in Review (PDF), which Google will publish annually, reveals that fewer than 0.15% of devices using the Google Play store have any kind of potentially harmful app installed. Apple and Microsoft don’t share this information, so it’s impossible to compare.

If someone believes that iOS and Windows 10 are more secure than Android, it's just an unfounded belief based on subjective faith.
