There is a wide-held misconception that Android is unsecure and prone to attacks...
Security companies, primarily those dealing with antimalware and antivirus protection, cite numerous statistics about the increasing prevalence of malware on Android and larger numbers of reported infections/attacks.
But is Android inherently flawed and weak against attacks? Are other platforms less prone or less vulnerable to attacks? Well, experts agree almost unanimously that the answer is a firm “NO.”
So why is this misconception so commonly held?
Misconception 1: Android is less secure because there are more threats to it
Some people believe the misconception that Android is attacked more often as a result of a fundamental system flaw.
However, the simple truth is that Android has been increasing its market share drastically, surpassing former leaders Symbian, BlackBerry and iOS on the tablet and smartphone market. Estimates put Android’s global share at above 80%.
Logically, attacks against Android have increased over the years because, by sheer volume, there are more Android devices to attack and more apps to infect compared to other platforms. This is also a primary reason why the latest editions of Windows, which work on both PCs and mobile devices, are thought to be less secure than Apple’s operating systems, as well as Linux distributions and other OSs.
In addition, unlike iOS, mobile apps for Android can be obtained from various app stores, not just the official Google Play store. This, of course, poses a risk, but it is up to users to decide where to get their apps from.
An article in Forbes.com made the point that 97% of mobile malware was indeed directed at Android. However, only 0.1% of these were found on Google Play, with the vast majority of malware found in less respectable third-party stores.
Misconception 2: Android doesn't offer as much security as other systems
Again, this is not the case. Android's default security is at least comparable to iOS and other mobile platforms.
Unfortunately, the latest levels of protection are only applicable to those with the latest Android versions, and there are two huge problems with that - mobile device brand fragmentation and OS version fragmentation, which are tightly related.
In 2015, Open Signal made a study focused on these issues and found out that, compared to iOS, there were three times the versions of Android. Apple’s iOS 8 commanded 85% of the handsets, with only 2% having anything prior to iOS 7. On the contrary, Android 5.0 and 5.1 (Lollipop) combined for a mere 12.4% share of Android software. To match iOS 8’s percentage, Android had to count all versions back through Jelly Bean.
"Almost 70% of Android malware could be made obsolete by upgrading to the latest version of Android," says Troy Vennon, director of Juniper Networks' Mobile Threat Center.
So, just like any other piece of software, updating and upgrading is crucial to security.
Misconception 3: Android is less secure, because it doesn’t encrypt data on the device
This is often erroneously pointed out by iOS pundits. Apple has encrypted on-device data by default since iOS 3, and this has often lead the charge in claims that iOS is more security conscious than Google.
In a way, this is an accurate assessment, as by default, encryption has not been enabled by default in Android devices.
However, this argument glosses over the fact that data encryption has been available on Android for over 4 years, and that its availability has been promoted extensively by Google, by Security providers such as Norton and Sophos, and by experts in mobile technology.
Android’s latest versions, Lollipop and Marshmallow, have set encryption as a default, and will soon effectively nullify this argument.
The Android Compatibility Definition Document by Google now reads:
"For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience."
Be aware though, that this too is subject to the same problem mentioned in point 2. Only a fraction of users are on the latest version of Android, and of those that aren't, a significant proportion of casual users don't have encryption enabled.
As you can see, Android is not inherently less secure. The latest versions offer equivalent or superior protection compared to rival mobile platforms.
However, there are significant reasons for this overall impression, notably more threats due to Android’s larger market share, the fragmentation issues, and that until recently, encryption has not been set as a default.
For tech-savvy individuals, there are numerous ways to secure their Android devices even beyond data encryption, including security conscious distributions, such as CyanogenMod.
Note, however that even these distributions are only as secure as their user... Users are by far the greatest threat to security in general, often bypassing measures placed for their protection.
If your organization is (rightly) concerned about their user-base exposing their network, a solution such as Secure Phone might the a great choice because it shuts down all Android backdoors, provides granular back-end administration with strict policies, as well as effective OS version control.