Is Android less secure?

There seems to be an endless stream of vulnerabilities on Google's mobile OS, but is it really less secure than iOS or Windows?

The security of a device can depend heavily on how it is used. However, Android devices are designed to offer users control over their mobile environment. Consequently, Android users can install whatever they want from wherever they want, which exposes them to a comparatively high level of risk.

However, if a user only loads applications from official stores and keeps their device and its applications up to date, they will have a generally secure experience. That being said, a number of remote access vulnerabilities have been discovered this year for which some vendors have not made Android patches immediately available, if at all.

Are Android vulnerabilities being exploited in the wild? 

At present, mobile devices are not the path of least resistance for gaining access to sensitive content and consequently are not as appealing a target as they otherwise would be. This is, in part, because it is not often possible to target users remotely. An attacker would normally have to pick their targets and focus specifically on those individuals.

Most of the malware that exploits users indiscriminately attempts to trick users into sending premium rate SMSes. These malicious applications are rarely available on the Google Play Store.

If the current techniques preferred by the majority of attackers were to become less viable, we would likely see a change in the number and type of exploits developed for mobile phones and applications.

Is regular security patching the answer?

As with traditional computers, the most secure system can still be breached if the people who use it do not operate in a secure manner. User education is vital, and will remain vital even if the patching policies of vendors improve. Android is a platform that is intended to provide users with a large degree of freedom.

While this remains a core component of the Android platform, the security of an individual Android device will be subject to the practices of its owner.


