Surprise!
Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is never about Microsoft?
People need to give themselves a shake and start using MS products!
Google's Bouncer Android defence tool is one of a dozen malware detection platforms that can be flawlessly skirted by malware employing smarter heuristics, researchers have found. Malware kitted out with virtual machine detection functions and clever heuristics could bypass seemingly any detection platform on the market. …
The word "exploit" or the phrase "security problems/issues" is not actually used anywhere in the article?
Why do people need to "give themselves a shake" before using MS products, that's a euphemism for something else isn't it? Is this optional or a mandatory requirement? People need to know.
http://www.theregister.co.uk/2014/05/13/adobe_outdoes_microsoft_swats_18_bugs_in_latest_update/
It is newsworthy that someone else has more issues than MS. The reason why there is no news about Microsoft and security issues is that after 30 years it is no longer news - it is situation normal.
"However Google's Bouncer would have the smarts to detect the slippery malware if it were upgraded..." blah blah blah..
And I suppose the writers (or funders) of this "news" have such a product for sale? Isn't this just a sales pitch for Google? and they are using El-Reg for free advertising space...
Prior to smartphones/tablets, Windows was the biggest and most insecure platform - so it got targeted.
Nowadays, steadily more people are turning to mobile devices. On these devices, Android has the greatest OS market share. It is also inherently the most insecure out-of-the-box, by its "open" nature. The fact that compared to the app stores of other, "walled garden" mobile operating systems, Google's security checks for new apps are very lax only makes matters worse.
"The price of freedom is eternal vigilance" - you want an open OS, expect to be targeted by miscreants. Simples!
I see what you did there, you compared Android and Windows. Android is WAY more secure than Windows.
For starters, by default, apps come from a curated store. Sure it's loosely curated, but on Windows, you can download stuff from ANYWHERE.
Secondly, on Android, all applications run in their own sandbox, with their own user-account that no other application can use. System access is granted on a fine-grained permissions scheme, granted at install, and can be revoked by uninstall. Windows has none of this.
Thirdly, removing an application, removes anything it's installed, due to application sandbox. Any problem app is only an uninstall click away. Android controls the install and uninstall, there is no way for an Android app to be authored in a way that leaves executable code active after it's been removed. Windows doesn't do this, it's trivial to write an install that does anything you damn want.
If that's the case, why does Windows Phone meet military spec. security requirements out of the box, but Android requires bolt-ons like Knox?
Android is based on Linux which has an inherently weaker security model. Windows has features like constrained delegation to minimise applied rights that don't exist and have no real equivalent in Linux. You have to resort to using insecure bodges like SUDO - which must always execute as Root / UID 0.
Hey AC can you help me out with some advice. I have got hold of a copy of that Windows OS you keep going on about and I am ready to install it and give it a go. Unfortunately I've only got an old sock to hand. Will this do, or should I nip out and get a box of Kleenex to do the job properly?
And I see what you did there AC, you ignored the timeframes and platforms I specified. The contrast I was drawing was between the most popular desktop OS prior to mobile devices becoming widely used, and the most popular mobile OS at the present time.
Of course, if you want to do a direct comparison, then you will have to compare Android to Windows Phone. Both have the same sandboxing and uninstall capacity you describe, but by default, Windows Phone apps come from the Microsoft store, which enforces stringent certification checks - I know, because I have a number of apps published, and on my first couple, I spent some time addressing where I had failed some of these checks. Compared to my first Android apps, which required a grand total of my paying Google $25 and uploading them... until I read this, I wasn't even aware that Google's store was curated.
Why do the scanning and operating environments have to be different? I figured that Google could easily build a PCIe card with a SoC and an FPGA to emulate a full tablet or phone. The peripherals would actually be tied to the host systems, but would appear to be regular devices from the SoC's point of view (emulating hardware in hardware) so software running on the SoC can't differentiate between this device and a tablet in the hands of the consumer.
If built correctly, it could be adopted as a standard reference device for other manufacturers of Android devices producing a very secure platform (either Malware detection is better or malware writers will treat them like VMs and have their malware disable itself).