
This is pretty funny considering Windows is the cause for nearly all of the security exploits that occur. The horror stories of people being infected with viruses, malware and ransomware all have one thing in common - Windows. You only need to look at the thousands of security patches this OS has had applied to it over the years and the new ones applied every month to truly grasp what a sieve it really is. BTW, where are all of the horror stories concerning the Stagefright exploit that so many "pundits/idiots" predicted would be a disaster for Android? I'm still waiting for that.

Also, was there a reason you started referring to specific versions of OS's like Windows 10 and BB OS 10 and then disrespectfully mentioned Android without a version number? Don't you think that was a bit disingenuous, and lame, of you to start mentioning specific OS versions and leave out Android? If you're going to use version numbers then shouldn't you have applied them to all of the OS's you mentioned instead of cherry picking OS versions and then shitting out the line "And then there's Android" at the end?




OK -- Android (until absolute latest) = lovecraftian horror.

Android marshmallow = exceptionally bad.

BB10 is a fundamentally different OS (QNX based) than pre-BB10, but pre-10 was also a good OS from a security perspective, just utter shit to develop meaningful third party apps for.

Windows...used to be horrible. Big changes around Vista (although, ~unusable). Since Windows 7, it's been "reasonable" in a highly managed corporate environment, and not bad even out of the box. 8, 8.1, and 10 have been improvements on that. It's actually easier to do a 10k user highly locked down Windows deployment (although expensive, and involving a lot of experts and third-party tools) than to do a 10k user locked down Mac OS X deployment. Apple had a lot of advantages by starting from UNIX and from basically starting after security was a "thing", but hasn't done as good a job on OS X security as I'd like. iOS, on the other hand, is amazing -- the only serious deficiencies I find with iOS are a lack of "enterprise as sole root of trust" (which no one does, with the possible exception of (Blackberry Pre-10 and post-10), or roll-your-own open source linux/bsd with a lot of trusted computing grafted on in ways which are not at all trivial to do), and a lack of emphasis on anti-forensics on the device itself -- if you unlock it, it contains an SQLite db with ~every message, which shouldn't be how they do it.

OTOH, on cloud services, Google is far and away superior to Apple. The biggest problem with Apple is you're largely pushed toward iCloud which is not amazing from a security perspective. The true win of ChromeOS was you were equally pushed to the Google ecosystem, which is amazing for cloud service security -- the sole problem being you're 100% exposed to Google, Inc. which is both a US company and a single third-party entity, but if you had to pick a single company to be responsible for your cloud services security, you'd probably pick Google on the merits.


Why is Android 6.0 exceptionally horrible? I found one bug in a Play Services API that can crash Play Services remotely, but I can't get code execution so Google aren't interested.


Could you explain why you think Android Marshmallow is "exceptionally bad"? Because I'd really like to know why you think it is. Android gets a bad rap for malware, but it's really a lie perpetuated by people who dislike the platform because they're jealous of its popularity. And even when malware laden apps are sideloaded by people from questionable sites the effects are often minor due to the mitigation strategies employed by Android. Like I said before - where is this pandemic of Android infected phones wreaking havoc? Where are all of the stagefright exploit stories? There's virtually none.

Additionally, Android patches are distributed pretty fast by Google to their phones. It's unfortunate that the OEM's and carriers delay the process for their phones, but Google has no current control over this.


Your explanation that Ryan is jealous of Android's popularity doesn't make sense to me. This is a guy that has been working in security for some time, on both ends of the public / private infosec space [1]. Why would he be jealous of Android, but not ChromeOS?

Someone else expounded earlier: "On Android, questionable apps have direct access to the entire kernel system call interface, as well as to other OS features. Personally, I'm not so much upset because Android is uncommonly bad (it's like any other system that gives untrusted users non-root access to Linux: you can probably get away with it, but eh), but because CrOS is uncommonly good."

I don't think it's reasonable to ask for pointers on how to root an Android device in a public forum, and the size of the attack surface seems to me like a rather reasonable measure of a system's security.

1. https://en.wikipedia.org/wiki/Ryan_Lackey


An explanation would be better. What is CrOS? Edit: got it, ChromeOS.


Chrome OS.


Please, I did not specifically say this person was jealous of Android's popularity. I simply stated that the impetus for people who denigrate Android are generally people that are jealous of the platform's success and try to knock it down a few notches. Also, Android apps are sandboxed and each app is isolated in its own directory. Additionally, could you please cite how these "questionable apps have direct access to the entire kernel system call interface"? If Android apps want to access system functionality then I believe they have to go through a layer of Android framework services which in turn have access to the real kernel system calls.

As for the size of the attack surface being a factor - I agree, but with the exception of QNX and its microkernel (which has issues of its own) pretty much every other monolithic kernel based OS also has a large attack surface so I'm not exactly sure what point you're trying to make other than the obvious.

>Personally, I'm not so much upset because Android is uncommonly bad (it's like any other system that gives untrusted users non-root access to Linux: you can probably get away with it, but eh), but because CrOS is uncommonly good."

Chrome does have great sandboxing, but don't disparage Android just because it works like 99% of the other OS's out there. And I wouldn't be surprised if Android inherits some of Chrome's sandboxing tech when the two merge because I think it's pretty much inevitable that it will.



