Android has worked its way through the alphabet to P, but the security of the Android ecosystem remains a worrying picture, and lately the problems have come in a cluster.
At this year's Google I/O, David Kleidermacher, head of Android platform security, revealed that Google will write security patch updates into its OEM agreements, as part of its push for Project Treble, so that more devices and more users receive regular security patches.
This is a positive step, but on closer inspection there is not much to praise, because the reason the proposal had to be made has already been exposed.
In April this year, after testing 1,200 phones of different brands and from different sales channels, Security Research Labs (SRLabs) reported that the state of security patch installation was unsatisfactory: some vendors had missed at least four months of security patches.
Just one month before that report was published, Kleidermacher had told CNET in an interview that Android is now as secure as its competitors.
Anyone who has used a Google Pixel will have noticed that Google pushes a security update every month, whether you want it or not. But these security patches are not produced for Google's own phones alone.
Google now publishes an Android security bulletin on the first Monday of each month, listing patches for known vulnerabilities. The major manufacturers generally receive the same patches a month ahead of publication, the intention being to give OEMs and suppliers such as chipset vendors ...
This is a sensible arrangement, and it works well when partners take it seriously. Essential, for example, whose phone has not sold well, pushes security updates on the same day as the Pixel.
But as noted above, not every manufacturer does this.
SRLabs also pointed out that the chipset vendors behind these phones bear a large share of the responsibility: phones built on MediaTek chips fare even worse when it comes to security updates.
The link between updates and the chipset supplier is not absolute, though. For example, a Qualcomm Snapdragon 835 phone that PingWest has on hand is still sitting on the Android security patch level of December 1, 2017.
After the findings came out, Google responded quickly, acknowledging the importance of the study and saying it would verify it. The end result is what was announced at this year's Google I/O. At the same time Project Treble, which Google has been rolling out for the past two years, is just now ready for use; with it, producing security patches becomes easier and cheaper for vendors.
Using contracts to hold manufacturers to account on one side while lowering the cost of compliance on the other is a sound approach. What Kleidermacher probably did not foresee is that while he was helping his partners, his own camp fell into disarray.
According to a study by the security vendor Symantec, several malicious apps that had already been discovered have made their way back onto Google Play, and the method was very simple: they changed their names.
Seven malicious apps were found this time. They had been reported to Google and removed as early as last year, but have now re-entered Google Play under new package names, disguised as emoji keyboards, space cleaners, calculators and the like.
Briefly, these apps behave as follows; the points worth noting are:
- After installation they stay dormant for several hours to avoid being noticed
- They request device administrator rights while displaying the Google Play icon, so the prompt appears to come from Google Play
- They change their own icons to those of common apps such as Google Play and Google Maps
- They make money by pushing content, for example redirects to websites, and the content is controlled remotely from a server
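Two of the traits above (a label and icon that impersonate a well-known app, and device-admin rights held by an app with no business holding them) can be checked against an inventory of installed apps, and the "same app, new package name" trick can be caught when the re-upload reuses the signing key. The following is an added example, not tooling from Symantec or Google; the inventory format, the allowlist and the signer denylist are assumptions, and the sample records are constructed.

```python
"""Triage an installed-app inventory for the traits described above.

Added example. The inventory is assumed to be a list of dicts with the keys
used below (build it from `adb shell dumpsys package` or an MDM export);
SAMPLE_INVENTORY and the fingerprint in DENYLISTED_SIGNERS are constructed.
"""
from dataclasses import dataclass

# Labels the malware impersonated, mapped to the package that legitimately owns them.
KNOWN_LABELS = {
    "Google Play Store": "com.android.vending",
    "Google Play": "com.android.vending",
    "Google Maps": "com.google.android.apps.maps",
}

# SHA-256 fingerprints of signing certificates seen on previously removed apps
# (constructed value; assumes the re-uploaded app was signed with the same key).
DENYLISTED_SIGNERS = {"ab12" * 16}


@dataclass(frozen=True)
class Finding:
    package: str
    rule: str
    detail: str


def triage(inventory, admin_allowlist=frozenset(), denylisted_signers=DENYLISTED_SIGNERS):
    """Return a list of Findings for apps matching any of the three rules."""
    findings = []
    for app in inventory:
        pkg = app["package"]
        label = app.get("label", "")
        # Rule 1: a well-known label on a package that does not own it.
        owner = KNOWN_LABELS.get(label)
        if owner and pkg != owner:
            findings.append(Finding(pkg, "label_spoof", f"label {label!r} belongs to {owner}"))
        # Rule 2: device-admin held by a non-system app outside the allowlist.
        if app.get("device_admin") and not app.get("system") and pkg not in admin_allowlist:
            findings.append(Finding(pkg, "device_admin", "non-system app holds device-admin"))
        # Rule 3: signing certificate previously seen on a removed app.
        if app.get("signer_sha256") in denylisted_signers:
            findings.append(Finding(pkg, "known_signer", "signed with a certificate of a removed app"))
    return findings


# Constructed sample inventory; package names under com.example are hypothetical.
SAMPLE_INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play Store", "system": True,
     "device_admin": False, "signer_sha256": "11" * 32},
    {"package": "com.example.emojikb", "label": "Google Play", "system": False,
     "device_admin": True, "signer_sha256": "ab12" * 16},
    {"package": "com.example.spacecleaner", "label": "Space Cleaner", "system": False,
     "device_admin": True, "signer_sha256": "22" * 32},
    {"package": "com.example.calc", "label": "Calculator", "system": False,
     "device_admin": False, "signer_sha256": "33" * 32},
    {"package": "com.example.mdm", "label": "Corp MDM", "system": False,
     "device_admin": True, "signer_sha256": "44" * 32},
]


def sample_findings():
    """Run triage on the constructed inventory with a hypothetical MDM allowlisted."""
    return triage(SAMPLE_INVENTORY, admin_allowlist={"com.example.mdm"})


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.package}: {f.rule} ({f.detail})")
```

The dormant period is not visible in a static inventory; it only shows up in behavioural telemetry, which is exactly why a store-side review that never runs the app long enough will miss it.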
Relatively speaking, the behaviour of the malware is not the important part. What is more dangerous is the way these apps got back onto Google Play, and what it says about the problems in Google Play's security process.
First, Google Play's review mechanism can fairly be called flawed. In the pre-listing process, security testing turned out to be a formality: the automated detection did not work at all, and the manual review was little more than a marketing slogan, since according to Symantec these apps provided no normal functionality whatsoever. So what did the manual review actually review?
Second, the protection Google advertises did not work after the apps were listed and installed by users either. Google Play Protect, which relies on machine learning to identify rogue software and allegedly scans billions of apps per day, was bypassed.
What is hardest to accept is that these systems were bypassed twice, and the second time merely by a change of name. One cannot help suspecting that Google Play's security process has no way of learning from experience, and that the so-called machine learning has learned nothing it actually puts to use.
Compared with system vulnerabilities, malicious apps should make users more uneasy. After all, the probability that most people's devices will be deliberately exploited is close to zero, whereas installing the wrong app affects you directly.
When malicious apps come up, many people naturally think of rogue apps, and then of the "family bucket" (the bundle of a vendor's apps that wake and install one another), and then of the control measures Google has added over the past few years, and then wonder why these still cannot be kept down.
In fact, you can only blame Google, because Google has never wanted to understand the problem.
Take Android 8.0 as an example. Google introduced background execution limits, but the feature is only fully effective if the app's target SDK (a developer-facing setting that advances in step with Android versions; the current highest official level is API 27, and Android P is API 28) is at least API 26, which declares that the app was built for Android 8.0. If an app does not declare that, the new feature applies only partially at best, and does nothing to hinder the app's normal use, or its abuse.
So control rests with app developers. If they think the new Android mechanism is good and worth following, they move to the new API; if the product department or the push-service provider thinks the family bucket sells well, things stay exactly as they are.
PingWest checked several apps on Google Play and found target SDK levels as low as API 18; even some of Google's own apps are still on API 24. Outside Google Play, Tencent's newly launched TIM is still happily targeting Android 4.0.3, API 15.
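The target SDK level can be read straight off a device rather than guessed: `adb shell dumpsys package` prints a `targetSdk=` field for every installed package. The script below, an added example rather than PingWest's method, parses that output and lists packages below API 26, i.e. those to which the Android 8.0 background limits do not fully apply. The exact line layout is an assumption about recent Android builds, and the sample output with its `com.example` packages is constructed.

```python
"""List installed packages whose targetSdk is below the Android 8.0 level.

Added example. Feed it the output of `adb shell dumpsys package`; the line
layout (`Package [name] (hash):` headers followed by a line carrying
`minSdk=N targetSdk=M`) is an assumption about recent Android builds.
SAMPLE_DUMPSYS below is constructed, not captured from a real device.
"""
import re
import sys

# Android 8.0 is API 26; background execution limits only bind apps targeting >= 26.
BACKGROUND_LIMITS_API = 26

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
SDK_RE = re.compile(r"\bminSdk=(\d+)\s+targetSdk=(\d+)")


def parse_dumpsys(text):
    """Return {package: (minSdk, targetSdk)} from dumpsys package output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SDK_RE.search(line)
        if m and current and current not in result:
            result[current] = (int(m.group(1)), int(m.group(2)))
    return result


def below_target(parsed, threshold=BACKGROUND_LIMITS_API):
    """Return [(package, targetSdk)] for packages targeting below `threshold`, sorted by name."""
    return sorted((pkg, tgt) for pkg, (_, tgt) in parsed.items() if tgt < threshold)


# Constructed sample in the shape dumpsys prints; the API levels mirror the ones found above.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.oldkeyboard] (1a2b3c):
    userId=10101
    versionCode=42 minSdk=14 targetSdk=18
  Package [com.example.legacymessenger] (4d5e6f):
    userId=10102
    versionCode=7 minSdk=15 targetSdk=15
  Package [com.example.modern] (7a8b9c):
    userId=10103
    versionCode=310 minSdk=21 targetSdk=27
"""


def sample_report():
    """Parse the constructed sample and return the packages below API 26."""
    return below_target(parse_dumpsys(SAMPLE_DUMPSYS))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for pkg, tgt in below_target(parse_dumpsys(text)):
        print(f"{pkg}: targetSdk={tgt} (< {BACKGROUND_LIMITS_API}, background limits not enforced)")
```

Run it as `adb shell dumpsys package | python3 targetsdk.py` against a connected device; with no input it reports on the constructed sample. Only the first `targetSdk=` line after each package header is used, so the install-history sections dumpsys appends do not overwrite the current values.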
Obviously, under what amounts to a gentlemen's agreement, expecting manufacturers to keep pace and restrain themselves is wishful thinking, at least in the short term.
As for when the situation will improve further, that depends on when Google decides to understand the importance of using its leverage.