I occasionally need to use an Android device to get things done for my day job. I like the flexibility of the operating system: I can tweak to my hearts content. An Android phone often runs cheaper than a handset from Apple and, in some cases, boast photo snapping capabilities that kick the bejesus out Apple's Designed in Cupertino camera app and optics. But when I read shit like this story from The Verge, I'm reminded, once again, about why I put up with the walled garden and stuffy familiarity of iOS.
From The Verge:
Even if you say "no" to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it. The two apps might not seem related, but researchers say that because they're built using the same software development kits (SDK), they can access that data, and there's evidence that the SDK owners are receiving it. It's like a kid asking for dessert who gets told "no" by one parent, so they ask the other parent.
…That's in addition to a number of side channel vulnerabilities the team found, some of which can send home the unique MAC addresses of your networking chip and router, wireless access point, its SSID, and more. "It's pretty well-known now that's a pretty good surrogate for location data," said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.
Yeah. Read the whole thing. It gets worse.
Google's been having the wind knocked out of them over Android's lack of security for years. Sometimes, they make great leaps forward in protecting their customers. Other times, the strides they take are half-assed. The next iteration of their smartphone OS, Android Q, is said to offer a ton of improvements in the areas of user security and privacy. If it comes to pass, super. Right now, however, security updates come rarely enough to some Android users; the brand of smart-slab you're rocking too often dictates whether you'll see OS upgrades and security patches down the line. Some companies, like OnePlus, Essential and of course, Google, with their Pixel smartphones treat their customers reasonably well: you can expect software support for at least a few years. Others? Not so much. A year out of the gate and you might not see an OS upgrade. Security patches are few and far between. Beyond this, who the hell knows if Android Q will plug the massive privacy hole described above.
For the time being, if you care about privacy, even if you have a pretty good idea of how to secure your digital life, it would seem that relying on an Android handset to police your location, browsing habits and other data is likely a poor choice.
Image via Unsplash courtesy of Mateusz Tworuszka
