
Modern Android is pretty secure - p410n3
https://palone.blog/#post-your-android-might-be-the-most-secure-device-you-own-4
======
rock_artist
Sadly I don't think Android as a platform is less secure. But still, in
comparison to iOS (the common comparison) or desktop platforms, most phones
stop getting security updates earlier than the other platforms.

I had a Nexus 4, Nexus 7, Nexus 5X. All, which should get top-notch security
updates, stopped where other platforms kept getting updates.

Just a few days ago I saw on HN some great news for Android
([https://news.ycombinator.com/item?id=23692257](https://news.ycombinator.com/item?id=23692257)).
But again, this isn't a security update. It's a broader security improvement
equivalent to a major update on other platforms.

While my 1st iPhone SE will get iOS 14, my Nexus 5X is still on Android 8.

~~~
FirstLvR
This is exactly why Apple still rocks at phones.

You may choose Android for the specs, guess what, your phone will still get
deprecated in 2 years.

~~~
throwaway8941
Hmm. My $170 phone from the middle of 2014 is still working perfectly and
shows no signs of being "deprecated". Every application I use gets frequent
updates, including the browser. I don't have to worry about targeted attacks
(as I am not a billionaire/movie star/CEO of a large company/whatever), and a
new shiny iPhone won't help with those anyway. µBlock Origin (with JS disabled
on most sites) protects me from everything else.

~~~
p410n3
Yeah the security patches are still worth thinking about. There was a Media
Framework bug that needed nothing but a PNG on your phone to get RCE and there
was a bug with the Bluetooth stack this year which also could achieve RCE when
your Bluetooth was turned on and an attacker knew the BSSID.

PNGs are easy to send and in times of Contact Tracing via Bluetooth... well
there are certain risks to running unpatched

------
noja
It might be "secure", but almost every app is exfiltrating my personal
information by using Crashlytics, Facebook and co.

Who needs security when the apps do it by design.

Check your firewall logs, or use a root/no-root firewall, it's frightening.

Edit: click the screenshots at
[https://play.google.com/store/apps/details?id=eu.faircode.ne...](https://play.google.com/store/apps/details?id=eu.faircode.netguard&hl=en_US)
to see an example. Fourth picture "Access attempts"

~~~
xnx
Amen. My guess would be that 90% of Hacker News readers use a desktop browser
ad blocker, but <10% have a tool like Blokada installed on their phone.

~~~
panpanna
10% seems low. On Android, Firefox supports extensions, so a lot of people
have the exact same extensions on desktop and mobile.

~~~
lostmsu
I even got uMatrix.

------
dummydata
The Open Source nature of Android might have something to do with it as well.
It is interesting to compare iOS and Android in terms of how visible the
source code is and how vulnerable a system can be in effect.

Here's an interesting article that goes in depth about the concept:
[https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/o...](https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html)

~~~
ghostpepper
Android is less open source than it used to be. I wonder what percent of the
vulnerabilities in Android are in the open-source portions (kernel, system
libraries) vs the framework/apps.

~~~
dummydata
I think it is all listed here:
[https://android.googlesource.com/](https://android.googlesource.com/)

It's interesting to see how they call out repositories specifically for
different manufacturers (ex. Samsung, Sony).

------
parliament32
Meta but having the full post in a modal feels... off.

~~~
timw4mail
There's something about a SPA for a blog that feels completely wrong...

~~~
p410n3
You can happily browse the noJS version at wp.palone.blog

~~~
parliament32
This should be your default :)

~~~
jolmg
The disadvantage of that one is that it doesn't seem to support links for
individual posts.

------
saagarjha
I should note that these things can only keep your device secure if they’re
not buggy, and most platforms offer these features. The difference is quality
of implementation and which ones keep them up-to-date when problems are found.

------
ocdtrekkie
This article wholly misses the point. Android is not a secure OS because it
enables and allows behaviors that make it leak data and protect the user
poorly. Security isn't just a matter of not having memory vulnerabilities or
using good encryption.

That's where Google and its advocates have failed to understand what security
is. Security is keeping something safe. And with the amount of data
exfiltration, Google's default platform plus the apps it allows and encourages
does not do a good job securing your information.

When a user installs an app that does behavior they didn't expect or intend to
permit, that's a security issue, even if the platform APIs allowed it.

The difference in how Apple and Google approach Web APIs discussed a couple
days ago highlights this: Google added a ton of APIs that let websites do
stuff with your computer, Apple decided they are risky and chooses not to
implement them. Google would say the user has to give permission for those
APIs to be used, so there's no security flaw if a website uses them
maliciously: The user gave permission. Whereas, Apple would recognize the
benefits to the user are minimal compared to the risk when the user grants
permission unintentionally, which happens all the time for other web APIs like
push notifications and even extension installs.

Practical security and technical security are two different things. Google
does not even _comprehend_ the former, while receiving wide accolades for
their expertise at the latter, as in this article.

~~~
entha_saava
> Android is not a secure OS because it enables and allows behaviors that make
> it leak data and protect the user poorly.

I am going to bite. You are just biased. Google adds more APIs because it
doesn't have much interest in limiting some features to Play store, because
Play is such a small part of their revenue. Apple would benefit if things are
only possible through native apps because sweet 30% rent.

That said Google isn't exactly dumb but they aren't well organised in terms of
Android - some areas get focus while others do not. They even made it harder for
external contributors of Android Open Source Project by following Google style
monorepo patterns.

Contrast to Apple where mobile OS is their core business and they have to do
it well.

------
xxpor
Now if only I could get the Pixel (or generally clean Android) software
experience on Samsung hardware....

~~~
harpratap
Oneplus?

~~~
avgDev
OnePlus is a terrible company. I purchased one of their phones, I had some
issues with the device within the 30 day return period. It was a popular
issue, I think it was ghost touch but it has been a while. Anyway, in order to
get a refund I had to do a charge back with my CC company.

I am pretty confident my next phone will be an Apple device. I was an Android
fan, purchased all google/nexus devices starting with the G1. I had problems
with many of those devices. I have switched to Samsung, but the amount of
garbage on the phone still annoys me. Therefore, it is time to try iOS.

~~~
panpanna
OnePlus had some occasional hiccups in the support department but I don't
think their hardware is significantly better or worse than anyone else.

What I really like about OnePlus is their software. It's hands down the best
Android version ever created. Love their additions to vanilla OS.

~~~
celsoazevedo
OnePlus has a history of breaking basic Android security features. For
example:

- [https://www.xda-developers.com/oneplus-6-bootloader-protecti...](https://www.xda-developers.com/oneplus-6-bootloader-protection-exploit-physical-access/)

- [https://www.xda-developers.com/two-critical-oneplus-33t-boot...](https://www.xda-developers.com/two-critical-oneplus-33t-bootloader-security-flaws-discovered-one-patched-and-other-being-addressed/)

While OxygenOS is smooth and not bloated and their phones are cheaper than
other flagships (in some markets at least), their security record isn't the
best.

~~~
panpanna
Not saying they are without faults, but if that's all you get on them then
they are pretty damn secure.

~~~
celsoazevedo
The first link is about a flaw that allowed the OS to be replaced without the
user knowing. It's the opposite of "pretty damn secure".

And they had other security issues, both with their phones and servers. I'm
sure you can find more info with a quick search.

OnePlus makes good phones, but this thread is about Android security... and
they don't have the best record.

------
blakesterz
I am NOT a security expert, just an observer, but saying "Contrary to popular
belief, modern Android is pretty secure." (Which is how this post finishes)
sounds pretty much like something I'd agree with, but saying "Your Android
might be the most secure device you own" isn't really something that I'd agree
with as much.

I don't even know how one would really measure these things in a reliable and
objective way. Do we compare it to iOS or Windows or ChromeOS or MacOS? Which
version of Android and so on.

The post picks out the best things about Android, nothing wrong with that, but
isn't that just ignoring all the problems with Android? I agree though,
Android is pretty secure, but so is everything else.

~~~
p410n3
Hm guess I subconsciously chose a clickbaity title...

Well in my case, I use Debian as my main operating system on my Desktop.
Debian is great, but as a classical desktop OS it does not have those cool
security things like app sandboxing, permissions management (camera access etc)
and stuff like that. Which makes sense, since mobile Operating Systems were
designed from the ground up way later and also seem to move at a faster pace.
The fact alone that almost all Android apps run in the JVM and are written in
memory safe languages is a huge plus that the GNU/Linux family does not have.
(Solely speaking about security, I wouldn't want my /bin/sh to be in Java)

In my particular case, it surprised me to find out that my Android is the most
secure device I own. Thus the title (and the intention to write this post).

So yeah, misleading title. Kinda. My Bad. Updated the title

~~~
zokier
The big difference between Debian and Android is that with Debian you don't
generally want or need to run untrusted or untrustworthy 3rd party code.
Instead your software comes from trusted source with maintenance promise and
security updates. And I'm starting to think that is better model than trying
to sandbox and lock down everything; the world needs more trust at certain
places. In contrast you are in no way able to trust random Android apps, neither
the quality nor the intentions, so you are left with actively hostile
relationship between you, the OS, and the apps.

~~~
p410n3
I'm saving this. Very good point

------
jotto
I feel that most OS (Windows, Mac, Linux, iOS, Android) have continued to
improve security but at the same time reduced privacy.

If that's true, is there a TailsOS equivalent for phones?

~~~
elipsey
Hard to do I think. Even plain old "linux but for phones" is pretty difficult
at this point because:

--most drivers and hardware specifications are proprietary, and probably
secret under NDA

--most bootloaders are cryptographically locked and controlled by vendor

--necessary wifi and cellular modem hardware is the same, and are also patent
minefields even in the foundational platonic ideals of design, as is mobile
graphics hardware

--the modems are subject to regulatory requirements that they be secured from
modification by the user/owner of the device

Secure in this context means secure from the user and device owner, which can
arguably be for good reason -- think of an ATM kiosk, for example.

So no "tails for phones" yet, but people are trying. Check out postmarketOS,
lineageOS, replicant, sailfish. Last I tried things were still kind of science
project, like 90's style linux.

~~~
makerofspoons
Adding ubports to the list- I have it on my Pinephone and can place and
receive calls, send and receive SMS, and utilize GPS. There are some features
that don't yet work on Pinephone like MMS but it's on the threshold of being
daily-driver worthy.

~~~
elipsey
Sounds great. Is the battery life OK? Was it hard to get the phone?

To be clear, I see some measure of compromise as totally reasonable if one's
goal is to get on an open os...

~~~
makerofspoons
Users on Pine64.org have reported their devices can run 14 hours on idle and
my own experience is the battery will last all day with moderate usage.
Getting it on the phone is as simple as getting Raspbian on a Raspberry Pi,
you just flash the image onto an SD card.

------
aritmo
As long as you do not start installing apps, and avoid using some vendor
pre-installed apps.

------
lobocinza
Maybe a pure Android phone is secure but the reality of most phones is a dozen
system and store apps deliberately spying on their users.

------
heyjupiter89
I think people are more concerned about the data Google and apps mine from
their devices than the type of encryption.

------
stefannn
Then it should not allow apps to ask for permissions they don't need. Just a
thought..

------
darklion
HN title is misleading clickbait.

The article says that modern Android security is pretty good, listing a number
of Android's security features and recent improvements, but the author never
tries to make the case that it's "the most secure device you own".

There's also zero comparison between Android and any other operating system
that would be required to support the HN title's conclusion.

Also, Android isn't a device, it's an operating system. An operating system is
only as good as the devices it's put on; a deeply insecure device isn't going
to magically be made better just by installing Android on it.

~~~
Synaesthesia
It’s the author’s own headline

~~~
darklion
The headline was updated since I wrote that comment.

The original headline was "Android might be the most secure device you own".

~~~
p410n3
Yeah guess the mods did that or something. I just updated the original title
:)

Read here:
[https://news.ycombinator.com/item?id=23714416#23716962](https://news.ycombinator.com/item?id=23714416#23716962)

------
joshstrange
Random nitpick: I wish each post had what I'll call "full page scrolling". You
have to hover your mouse over the actual post to scroll it or you end up
scrolling the background.

~~~
p410n3
I'll keep that in mind and will probably fix this... Someday

------
Happpy
Learned something today. Android is a device.

I always thought it was an OS by Google based on AOSP (also Google..).

