Don't blame Android for being like a PC

Just as with a PC, having an accessible filesystem and choice of app sources means you risk malware if you're too trusting

Here we go again -- another Android vulnerability that lets malware extract data from smartphones and tablets. It's clear Android is becoming the new Windows in a way no one wants: a big, juicy attack vector for malware, spyware, and the like.

Yes, Google hardly vets apps in the Google Play market for Android, so it's rife with malware and spyware that people install naively. And if you enable sideloading (very easy to do in the Settings app), Android lets you install apps from websites and other sources, which makes it an easy target for phishers. Like I said, it's like Windows. But it's unfair to blame Android for this situation.


For some reason, mobile devices are held to a higher security standard than PCs. Android gets blamed because it's essentially architected like a PC: It has a shared filesystem. It allows people to install any apps they want. It lets apps work together. Those are features we love in PCs, and the lack of those abilities in Apple's iOS created a crescendo of complaints about it being a closed environment when iPhone apps debuted in 2008 -- complaints that continue today in some circles.

Guess what? You can't be open without opening the door to malware and spyware. No OS -- Android, Windows, OS X, or any of the numerous Linux flavors -- can know which apps are doing harm and which are not. Antimalware products look for known patterns to identify likely bad actors, but we all know that even antimalware apps that are 99 percent effective can fail. As a result, the malware and spyware industry has been quite lucrative for criminals and quite effective for spy agencies like the American NSA, British GCHQ, and Chinese military.

If you have a filesystem, then there's a way for bad apps to get at private data. Yes, you can (and probably should) encrypt that data, but as a recent WhatsApp flaw showed, developers can implement encryption poorly, giving malware a way in. The same is true for app sandboxes (used in iOS and to a lesser extent in OS X) and app containers, those currently fashionable multi-app sandboxes that dozens of mobile security vendors offer.

In other words, you can add protection to an open filesystem, but none is foolproof. That's not Android's fault. Instead, you have to gauge the level of risk you can accept and get what best addresses that. Most users and even companies do nothing, not even the first line of defense of antimalware. That's not Android's fault, either. (Ironically, Google does limit what Android antimalware apps can do when they detect malware.)

The only other option is to do what Apple decided to do and has been slowly adding to OS X: Close off the filesystem and restrict the apps to those it directly vets, while severely limiting interapplication communication and requiring explicit permission each time it's used where permitted. That's safer, but it exacts a price in flexibility that many people do not want to pay -- as the criticisms of iOS in its early days and the 2009-2011 mania around jailbreaking clearly showed.

Frankly, people need to stop expecting technology to do everything for them. Installing free apps is dangerous. Not making sure an app really comes from the publisher it claims to come from is dangerous. Installing apps from websites and email links is even more dangerous. Don't do it. And don't blame Android when you do.

This article, "Don't blame Android for being like a PC," was originally published at InfoWorld.com. Read more of Galen Gruman's Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen's mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.
