This past week I did what was previously unthinkable — I bought an iPhone. It was no small journey to get to this point, but the past several months in particular have forced my hand. Android, once the operating system I adored, has turned into that colleague you are not sure you can trust anymore. Will they steal your lunch or not?
If you wondered if security was on my mind, you are on the money. We live in the most dangerous time yet as far as digital safety is concerned. Fear for your computer used to revolve around viruses, worms and malware. All of these had one thing in common: a breach of security was most likely due to human error.
This is still true today. Speak to security experts and they confirm that poor user habits and social engineering — the very un-digital practice of impersonating people to get to sensitive information such as a password — remain the biggest threats to any digital fortress.
But a new dimension has arrived, one that ties in with those sloppy habits. Poor security protocol is usually most obvious with patches. Every time Windows begs you to restart so it can apply an update, it’s often towards patching a security hole. This is not just a Windows characteristic: Ubuntu is equally prolific at releasing patches. The consequences of not patching can be dire.
It may be redundant to explain this to such a tech-savvy audience, but let’s run through the sequence of events. The first is that a flaw is discovered in the software. Most often that comes from the vendor or its community, but there are times when less ethical types find a hole and then keep it for themselves (such as Hacking Team). Presuming the flaw is now known, a patch is made and released. At the same time, a whitepaper detailing the flaw is also released in order for third-party developers and others to that software to know what is happening. This is the critical period, because nefarious types also see the whitepaper. It creates a rush — can systems be patched before criminals build tools to exploit the gap? It’s a phenomenon often referred to as “zero day”.
The problem is that people don’t patch. But what if your vendor simply doesn’t release patches or takes too long to produce them? Earlier this year, Firefox briefly banned Adobe Flash from its browser for exactly this reason: the security hole in Flash was a big one, but it took Adobe days to release patches for several serious flaws.
To be fair, Adobe was caught completely off guard and had to patch holes that criminals already knew about. But creating patches takes time and effort, not to mention lots of testing. Still, Flash’s universal exposure to most operating systems made its flaws seriously dangerous.
With that context, let’s talk about Android. The system has also in recent months been hit by several big flaws, including a means of hacking a phone simply through an MMS (dubbed “Stagefright” after the Android media module it targets).
So, patches everywhere, right? Here it gets fuzzy. Google really only supports direct patching to its own Nexus devices. Beyond that it starts to rely on the device manufacturers, who in turn kick the can to the network operators. Yes, that same carrier you already have a shaky relationship with is responsible for patching your phone. In reality this process is far more convoluted, so abandon all hope ye who load this infographic.
It gets worse: if you bought your phone from carrier A, but since moved to carrier B, your phone’s update may still need to come from carrier A. This is thanks to Android’s incredibly fractured landscape. Seriously, it reads worse than trying to follow Genghis Khan’s family tree. Throw in that support really depends a lot on which version of Android you have — if your Android version still starts with “2” or “3”, run.
So, why is Apple different? I’ll admit that it has its share of security flaws, including a Bluetooth vulnerability only patched in the latest iOS 9. But it enjoys a much narrower device ecosystem: perhaps six phones at the most (not counting tablets). It also pushes updates directly to those devices, so no carrier liability. This makes sense: network operators are not in the business of patching your devices. That would be like expecting Incredible Connection to offer patches for the Windows system you bought.
None of this mattered a few years ago, when smart devices didn’t run banking apps or became a beacon for every one-time-Pin authorisation we use as a security buffer. But our phones are quickly becoming more valuable than our computers, thanks to the sheer amount of access and data they carry. If someone gets their hands on your phone, they have your life. Your e-mail account alone is bulging with useful data that can lead to all kinds of calamity.
So, it’s goodbye Android. I hope Google looks into this. Maybe BlackBerry’s security-centric vision will change the market with its first Android phone. Perhaps I’ll save up one day and buy a Blackphone. There is also Wileyfox, the phone from Cyanogenmod that would make sure my updates are from the source. I am not wedded to Apple.
But right now it appears to be the only sensible choice in the market, other than buying a new Nexus phone, and they aren’t officially available in South Africa.
- James Francis is a freelance writer whose work has appeared in several local and international publications
- Subscribe to TechCentral’s free daily newsletter