Android Security (was Re: Sending a message to users that floats above everything)

Mark Waddingham mark at livecode.com
Thu Aug 24 12:15:47 EDT 2017


I must confess I read Jacques' post as meaning the Google Play Store (Google Play Services are something else - although related).

If the store is now present on that percentage of devices then the problem with OS updates more than justifies the recent tightening of the rules of the store...

The recent revision essentially means the OS APIs an app can use are frozen at the point of submission - if you use more than that after installation you are breaking the rules...

The fact Google Play can know what OS APIs are used means they can also use that knowledge to help guard against exploits - so I suspect unpatched Android devices are safer than might be thought otherwise... assuming only apps from Google Play are installed, at least.

By the way, the above is mostly speculation based on the recent app guideline changes Google have made. I'm sure Google keep what they actually do internally a closely guarded secret, like Apple, so no-one knows where the holes are. (Sometimes obfuscation is still the best line of defence - if weak).

Warmest Regards,

Mark.

Sent from my iPhone

> On 24 Aug 2017, at 15:48, Stephen MacLean via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> 
>> On Aug 24, 2017, at 3:14 AM, J. Landman Gay via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> On 8/24/17 12:22 AM, Stephen MacLean via use-livecode wrote:
>>> My point was that unfortunately that only means ~15% of currently active Android devices are fairly safe and Bob’s comment, while brief, was fair as far as it was concerned. Once Android hits iOS’s ~85% active devices on latest version of the os, then it wouldn’t be. I just don’t think that will happen anytime soon because of the way the OS is rolled out through 3rd parties for the most part.
>> 
>> Actually, I was trying to make the opposite point -- Google Play Services is now on (at least) 93% of all Android devices. It runs on any Android regardless of manufacturer or customized OS, provided the device is authorized to access the Google Play Store. It's had over 5 billion downloads and is, among other things, the security layer.
>> 
>> https://www.androidcentral.com/genius-google-play-services
>> 
>> It isn't only the "Google-made" phones that are protected, it's almost all of them now.
>> 
> 
> 
> I think it’s important to understand exactly what Google Play Services is and isn’t. 
> 
> It provides a base API, like Windows .NET, that runs on a variety of Android versions giving developers something common to develop against. Google Play Services can and does update those APIs and also updates Google Apps and components such as WebKit. It also provides malware scanning and blocking similar to Windows Defender, i.e. it is a layer of security.
> 
> It does NOT provide core OS security updates. Those are, except for Google’s Pixel and Nexus, incorporated and provided by the manufacturer as a patch level update to the OS. It is not THE security layer for Android, just a part of it. 
> 
> So while 93% of Android devices have a layer of protection, it would be like saying Windows XP or Mac OS X 10.6 or even unpatched Windows 10 or macOS are “protected” because they have a malware scanner/blocker running. Sure, it may blunt some/most of it, but they are still vulnerable. 
> 
> At least with Google Play Services you get updates to some API components like WebKit, although that only starts with Android 5.0. You don’t get that on iOS.
> 
> Also, just like other OS vendors, it’s rolling support. 4.4 is the last supported version for Google Play and Google warns that will change as newer versions come out.
> 
> See https://source.android.com/security/overview/updates-resources and https://source.android.com/security/bulletin/ for more details.
> 
> Sorry, this is getting long winded and probably pointless. To me, this isn’t about OS vs OS. You aren’t safe/secure/protected if you don’t fix the underlying problem.
> 
> Best,
> 
> Steve MacLean
> 
> 