Sending a message to users that floats above everything

Wed Aug 23 23:27:21 EDT 2017

> On Aug 23, 2017, at 4:23 PM, Richard Gaskin via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> J. Landman Gay wrote:
> 
> > On 8/23/17 9:46 AM, Bob Sneidar via use-livecode wrote:
> >> But the reason there are more attacks against Android is simple.
> >> It's orders of magnitude easier to exploit.
> >
> > Very true. But the actual percentage of Android users who contract
> > malware is less than 1% (0.01 sticks in my memory.) And almost all of
> > those users are downloading apps from non-authorized sources. If you
> > stick to Google Play and Amazon you're as safe as iOS. Those stores
> > vet their apps much as Apple does.
> >
> > If it helps, Android scans your device regularly and removes malware
> > even if the app was downloaded from an unauthorized source.
> >
> > Avoid the cheap Chinese knock-offs that ship without Google's
> > software.
> > Those are the dangerous phones.
> 
> Amen, sister.  The only part I take exception with is the "orders of magnitude":
> 
> There are probably orders of magnitude more malware available, roughly proportionate to the much larger audience size.
> 
> But an ATTEMPT is not an EXPLOIT.
> 
> Like anything else in life, simply trying to do something is no guarantee it'll be successful.
> 
> Once we exclude jailbroken devices, not-real-Android knockoffs, and anything else where either the user or the maker went out of their way to thwart the protections built into the OS, the rate of actual exploits is very low on both OSes, and not really all that different proportionate to market share.
> 
> Stock Android is safer than just about any desktop OS, including macOS.
> 
> Most headlines discuss lab discoveries of things that may or may not actually even be in the wild.  Among the subset that are in the wild, if exploits are found they're usually in PRC or other markets where not-Google-Android/merely-Android-compatible devices are sold.

I agree...
> 
> Whether the messaging is coming from marketing execs or geopolitical active measures, it's really helpful to read past the headlines and discern the relevant details.

Only about ~15% of Android devices are at anywhere near a recent patch level or current OS version.

Android, locked down like iOS (store only apps, current OS version, no - cheap knock offs, stock only OS, etc, etc.) may be close to be being as safe, but you’ve just removed the majority of Android devices from the equation. Now look at market share, and it’s a totally different percentage. Remember, stock Android is only available on a Google “made" device. All others have a manufacturers version of Android, that may not even be the latest version of Android and/or with features that may open security holes.

However, you can’t just ignore all those devices, because they are out there being used every day. They are also being targeted, attacked and exploited just like those that still use Windows XP, earlier versions of Mac OS X, iOS and other out of date, un-supported, un-securable OSes.

The very latest version of Android, just announced, made MANY important advances in security and is much, much more secure. However, since the majority of Android devices out there will never, ever see it installed, it still leaves a bunch of gapping security holes.

With that said, I’m happy that all the major OS players are making huge strides in security… it’s been far too long in coming. It’s too important, no matter what flavor of OS you use or like.

The problem still remains for any OS, desktop, server or mobile… if the user steps outside the box, they open themselves up. This has been an issue since the floppy disk and sneaker net… and won’t likely change. Just think Adobe Flash and that even a huge software company like Adobe couldn’t make it secure and is discontinuing it.

The difference here, on this list, is that most folks are professionals or at least highly knowledgeable end users that know what to look for, what not to do and what’s safe to get their devices looking and running the way they want. They know what trade offs can be made and still stay secure.

Since this is about security, I would suggest to all that if you haven’t done so already, you sign-up for alerts from CERT, the US Computer Emergency Readiness Team. https://www.us-cert.gov/ncas. There was a good one sent today about North Korea’s DDoS botnet and ransomeware.

Whatever OS you use, develop on/for or just plain love, be safe.

Best,

Steve MacLean