1 December 2016

Android Security – Swiss cheese pt. IV

Another horrible hack that Google is powerless to address

§  The worst part of this latest breach is that the hackers are targeting vulnerabilities in Android that have been well known for some time and that no-one appears capable of fixing.
§  This only serves to reinforce my view that Google’s only way out of the nasty mess of Android fragmentation, where virtually no phones can be properly updated, remains to take Android fully proprietary.
§  3m Google users appear to have had their accounts stolen which are now being used to generate $320,000 per month in fraudulent advertising scams.
§  The Gooligan exploit is a variant of Ghost Push, which came to light in September 2015, some 14 months ago, meaning that there has been plenty of time to issue a fix.
§  The problem with Android is not that it has any particular flaws that make it less safe than iOS or Windows but that none of the fixes for these problems ever make it onto the affected devices.
§  There remain two reasons for this:
§  First: The infrastructure for updating Android devices is horribly fragmented, with each manufacturer or operator having control of its updates.
§  With all the different variations and add-ons, extensive testing is required to ensure that the variations and add-ons don’t break when the phone is updated.
§  Furthermore, because none of these players own the end relationship with the customer they have no incentive to improve it.
§  We think that this is Google’s most pressing problem (see here).
§  Second: Most Android handsets cannot be updated.
§  Android is a commoditised, brutally competitive market meaning that in the mid-range, every cent of cost matters.
§  Making a device updateable means that extra storage and memory must be added to the device which are never reflected in the price.
§  Hence, the vast majority of Android devices are not updateable to later versions of Android as there is no incentive for the device maker to add this capability.
§  The net result is that there is very little prospect for owners of these devices ever to be free from this problem or any of the others that have emerged for Android without buying a new device.
§  This is far beyond the means of most Android users meaning that they will constantly be exposed to any new threat that emerges with little prospect of it ever being fixed.
§  This is just another reason why usage of Android devices is likely to continue trailing that of iOS and why these devices are likely to yield a much lower return for the ecosystems that run upon them.
§  For example, Edison estimates that Google can earn $31.6 per user per year from an iOS device whereas its own Android devices can only generate $14.0 per user per year on average.
§  Part of this is due to the differences in demographics between the two ecosystems but we are certain that most of it is due to the fact that Android devices are more difficult to use, less secure and as a result generate much less traffic.
§  Consequently, we think that Google has to take control of Android because, in its current state, it is very insecure and very little is likely to change.
§  We continue to believe that this may happen in 2017 as Oracle has provided Google with the perfect excuse to do so (see here: http://www.radiofreemobile.com/google-closed-source/).
§  We remain pretty cautious on Alphabet preferring instead Tencent, Baidu and Microsoft.

Disclaimer - Past performance is no guarantee of future results. Inherent in any investment is the potential for loss. This material is being provided for informational purposes only and nothing herein constitutes investment, legal, accounting or tax advice, or a recommendation to buy, sell or hold a security. This document may contain materials from third parties, which are supplied by companies that are not affiliated with Edison Investment Research. Edison Investment Research has not been involved in the preparation, adoption or editing of such third-party materials and does not explicitly or implicitly endorse or approve such content. No recommendation or advice is being given as to whether any investment is suitable for a particular investor. It should not be assumed that any investments in securities, companies, sectors or markets identified and described were or will be profitable. All information is current as of the date of publication and is subject to change without notice. While based on sources believed reliable, we do not represent this material as accurate or complete. Any views or opinions expressed may not reflect those of the firm as a whole. Edison Investment Research does not engage in investment banking, market making or asset management activities of any securities. The material has not been prepared in accordance with the legal requirements designed to promote the independence or objectivity of investment research.