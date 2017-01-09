Android tops 2016 vulnerability list - security industry says "meh!"

by Davey Winder  |  Monday 9 January 2017  | Comment Now

The Common Vulnerabilities and Exposures (CVE) statistics for 2016 are in and it doesn't make great reading for Google. Or does it? Davey Winder runs the numbers.

Android tops the CVE charts for most insecure product (ahead of Debian, Ubuntu and Adobe Flash) and Google comes second (behind Oracle but ahead of both Adobe and Microsoft) in the insecure vendor listings.

That's according to a summation of the stats for 2016.

If we dig a little deeper than the headline figures, and take the last couple of years into account, things don't get any rosier for Google. Both Apple products, and Apple as a vendor, have become 'more secure' over time using this metric, whereas Google has gone in the opposite direction.

Measuring security by the number of distinct vulnerabilities disclosed across the year, however, is not really an accurate metric. We asked the IT security industry what it made of the numbers, and of the 'face value' headlines they have generated.

Ian Trump, global cyber security strategist for SolarWinds, was of the opinion that “the CVE numbers speak the truth” and “Android will always remain a security concern for Google”.

He went on to insist that there's little financial incentive for Google to improve the security of Android, and he wouldn't be surprised if Android was spun off from Google parent company Alphabet in the next few years.

Most everyone else disagreed, however. Take Craig Young, a security researcher at Tripwire, who said that “counting CVEs to gauge relative security levels is a fundamentally flawed practice”, adding it is “discredited by many in the industry including some of the engineers responsible for creating the CVE numbering system”.

Stephen Gates, chief research intelligence analyst at NSFOCUS, agrees. He told us that “just because a vendor has a high number of known vulnerabilities, does not mean they have inferior products”. A more meaningful metric, he suggested, would be how quickly patches were issued.

Another nail in the coffin of the CVE charts as a measure of insecurity was hammered home by Jonathan Couch, SVP of Strategy at ThreatQuotient, who in conversation insisted that the real tell for these stats is “how many vulnerabilities were leveraged as actual exploits in the wild”.

After all, if the bad guys can't leverage a vulnerability to steal data, for financial or political gain, then it really doesn't matter much in the real world. Consider that Android vulnerabilities tend to require a malicious application to get into the official app store, past the checks that are made, and then for users to download and execute them. This exploit execution simply doesn't happen for most such vulnerabilities.

Then there's the open source factor to consider. Lawrence Munro, senior director of SpiderLabs EMEA at Trustwave, points out that “the approach of open source vs. closed source (Android (AOSP) vs. Apple iOS for example) influences the number of bug discoveries, as there's more to work with when you have the source code”.

And, as High-Tech Bridge CEO Ilia Kolochenko adds, “Android is an open source, very popular, emerging and developing product, it's totally normal that new vulnerabilities are regularly discovered.”

Indeed, open source projects will always get more bugs reported courtesy of many more eyes on the code.

But it's “hard to explain the precipitous increase of Android bugs compared with last year”, according to Drie CTO Tom Van Neerijnen.

Arian Evans, VP of product strategy at RiskIQ, is not so surprised. “The recent spike in Android vulnerabilities isn't particularly concerning or surprising; in many ways, this may be a positive.” Indeed, Google only launched its official Android Bug Bounty programme in June 2015, so what we are seeing now is likely a result of the timing of this programme.

Paul Calatayud, CTO of FireMon, agrees and points to the time when the Apple OS was considered secure based upon the low number of disclosed vulnerabilities. Over time, as Apple increased in popularity in the workplace, the vulnerabilities started to be discovered. “I would look at this trend and pattern,” Calatayud says, “and apply it to Google as the main observation.”

Some would look outside of Google for the reason why Android tops the CVE listings for 2016. Jonathan Sander, VP of product strategy at Lieberman Software, told us, "Many of the vulnerabilities reported are sourced from their many, many partners involved in the Android ecosystem – from Qualcomm to Samsung and even another CVE chart-topper Linux."

So, should we be concerned by Google and Android taking such high positions in the CVE charts?

We'll leave the last word to MWR InfoSecurity's managing director John Fitzpatrick, who says, “These numbers should be reassuring to Google customers; we should be concerned about the companies who are not assigning CVEs and question what security assurance activities they are undertaking.”

Source: Copyright © SC Magazine, UK edition