SN-844 - The absence of Android zero-day flaws


Lob

Nov 7, 2020
From SN-844, we have @Steve summarising the following about Android:

After counting last Tuesday's latest addition, Android has only needed to address a total of 6 0-days this year

I am going to go out on a limb to try to quantify some reasons why Android is seemingly faring well in this area....
  • Fragmentation in the Android ecosystem means that not all flaws impact all devices and thus makes the exploits less worthwhile to attempt
  • There is less wealth per Android user, in perception at least (it seems certainly the on-device upsell is greater: https://www.androidauthority.com/ne...n-in-app-purchases-than-android-users-700983/)
  • Open source software has more eyes on it than closed source and has been widely assessed before zero-day flaws result
  • Its challenger, the iPhone, is seen as more prestigious and thus the targets for criminals (and states, think NSO Pegasus) lead to more trying to attack iOS than Android
It's almost like iOS is the "Windows of the mobile world" in this context with everyone pointing their cannons at it.

Do you think this could be the case? Or am I speculating wildly?
 
That's a good list. I would also speculate that lines of code and extent of services provided are factors. I have no hard statistics but I would speculate that Windows has at least double the lines of code of iOS, and that iOS has more than Android. The larger number equates to a bigger target and more possibility for vulnerabilities.
 
With point 1, I think fragmentation makes the scope of the impact small if the 0-day is for a driver, so if it requires a flaw in a radio driver, it might only be devices using the same chipset or chipset family. Aside from Pixel devices, most Android 0-days reported on SN are going to be for OS level stuff only. Kinda like fragmentation on Windows could be an Intel vs AMD on the processor level. If anything, the fragmentation allows for more successful attacks on Android.

Point 2 and 4 are the same thing, so attacks wanting to get money out of the victims will target iOS users more often and leave Android alone. For any reason outside of money, iOS and Android can be on the same level.

Point 3 is moot, and it doesn't help that the drivers for most Android devices are closed source anyway.

The main reason, iOS just has more users, like Windows has more users in the desktop space.
 
I disagree with your last point. This might be the case in the US (as discussed here) but worldwide, Android has a much higher market share compared to iOS (according to Statcounter ≈71% vs ≈28%).
 

more Android active than iOS

My 4th point was that the heads of state and other PEPs targeted by those using the NSO software likely do have iPhones over Android......it's not about the net spend per user per se but rather who Pegasus might be galloping after :)
 
I'd wager that Apple believes too strongly in its own marketing abilities around security. They seem to believe very strongly in security by obscurity and also actively try to hide any flaws and wallpaper them over whenever possible. This means people make a lot more noise when an attack is found, because it seems more devastating.