June 6, 2013

At FTC Event, Google Plays Dumb On Mobile Security

Google joined the world’s other leading mobile device and operating system makers this week for a forum on mobile threats and security, where the world’s smartest technology company played it kind of dumb.

Faced with implicit and explicit questions about the security and manageability of its Android ecosystem, Adrian Ludwig, an Android security team member, told a Washington D.C. audience that Google considered tighter controls on its application ecosystem an infringement of user choice, akin to limiting what information they can find online with the Google search engine.

“I hear a lot of talk about curation. But curation is not about choice. It’s not about the user choosing, and the user should have choice.”

Ludwig was speaking on a panel, “Building Security into Modern Mobile Platforms,” that was part of the FTC’s “Mobile Security: Potential Threats and Solutions” forum, held on June 4th at the FTC’s headquarters in Washington D.C. The panel featured representatives of leading mobile device makers, including Apple, BlackBerry and Microsoft.

Ludwig’s comments were in response to input from Apple Computer’s Director of Global Privacy, Jane Horvath, on that company’s approach to securing its mobile devices and mobile application stores. Apple, she said, relied heavily on transparency to maintain security: developers who want to create applications for the Apple App Store have to verify their identity first. Then, their applications are vetted for malicious behavior and other issues before they are offered to the public. Transparency, she argued, creates accountability. Accountability, in turn, limits the opportunities for shenanigans.

As I’ve noted before, no comparable system exists in the Android ecosystem. Yes, Google scans applications for malicious behavior with its Bouncer technology – but only after they’ve been posted to its Google Play marketplace. And, with only minimal requirements to register as a developer (a Google account and $25), the downside to getting flagged is very low. Finally, even if you can’t push your wares onto Google Play, Google allows Android to “side load” applications from third party app stores – many operated with scant oversight.

If the FTC forum is any measure, Google’s messaging on this is now that the company’s lack of control is really a matter of “freedom” and “choice” over censorship. But that’s nonsense. Mobile security expert Jon Oberheide pointed out in a separate panel at the same forum that Google’s mobile application ecosystem is needlessly complex and “complexity is the enemy of security.” Specifically, Oberheide noted that Google’s decentralized Android ecosystem inserts many obstacles to the issuing of security updates. “If I’m an attacker and have an exploit…the path from attacker to end user is measured in hours or days,” he said. “The timeline for Google to get a patch for an (Android) vulnerability to (end user) devices is several orders of magnitude larger.”

That’s because Google has delegated control of its platform to a rogues’ gallery of partners: handset and device makers, on the one hand, and ISPs and carriers on the other. For each OS update, hardware makers have to download, modify and then test the update on their hardware. Their customers – the carriers – will likely test it further to make sure it works with their unique mix of third party bloatware.

Google doesn’t seem too concerned about this right now. Speaking at the FTC, Ludwig sniffed at the challenge of keeping its Android ecosystem free of malware – noting that Google is all about scale, and that keeping tabs on the world’s compiled knowledge is a much bigger task. He also promoted third party app stores as an alternative for users who want to get their hands on an application that Google doesn’t feel comfortable offering on Google Play, the company’s official app store. That’s all well and good, but it sidesteps the now-obvious security concerns linked to shady, third party Android app stores – especially those located outside the US. Those have been the leading source of infection for threats like FakeInstallers and SMS Trojans – the most common category of mobile malware right now.

Critics call this FUD and note that the mobile malware problem is still tiny. That’s true. But the population of mobile malware is also growing at near exponential rates. And, as we know, with exponential growth, it doesn’t take long for really small things to turn into really big ones.

For now, concerns about attacks on Android and the dangers of mobile malware are mostly conjecture. But it seems inevitable now that Android will be the OS of choice for a population of billions of IP-enabled devices, just as Windows is the choice for more than a billion PCs. If they were asked (and they surely won’t be) Microsoft would warn that “heavy is the head that wears the (OS) crown.” It’s inevitable that Android’s popularity will make it a prime target for everyone from nation-state backed hacking crews and sophisticated cyber criminal groups to basement-dwelling script kiddies. The attacks aren’t here yet. But they’re coming. Security experts speaking for the FTC seemed to be warning Google that the sooner it can make the changes it needs to in order to secure its Android ecosystem, the better for everyone. For now, however, that’s advice that is falling on deaf ears.


Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.
