The Project Zero team at Google, tasked with discovering severe bugs and exploits in Android, recently turned its attention to Samsung's Galaxy S6 Edge smartphone, and its findings, published this week, have identified "11 high-impact security issues" with the handset. Samsung's email client and gallery app were both shown to create added security risks on top of those already inherent in the underlying Android operating system. In other words, Android OEM software is adding insecurity as well as visual clutter and update delays to Android phones.
There's a major positive to be taken away from this investigation, as the biggest of the 11 identified flaws were fixed within 90 days of discovery, and the three remaining ones pose lesser risks and will also be patched in November. But in order to get to that level of security consciousness and responsiveness, Google had to commit a team of 10 security analysts for a week. That's entirely unfeasible for the full cornucopia of Android devices, which are now provided by more than 1,300 brands. Each company will have its own drivers, and many will duplicate basic Android functionality with their own apps, just as Samsung has done, and thereby introduce their own vulnerabilities. And that's really the biggest security risk of them all for Android: Google doesn't control the final software that most people use and experience, and it doesn't have the means to secure each of the 1.4 billion Android devices in active use today.
11 vulnerabilities were discovered in one phone over the course of a week's audit
It would be easy to pin the blame on Android phone manufacturers' lapels (it would certainly be accurate), but let's not forget that they're engaged in a seemingly endless price war, which has delivered ever better and smarter devices at ever cheaper prices. Other than Samsung, there aren't many Android OEMs making big profits from their device sales, which in turn is forcing them to cut corners like diligent security checks. It's actually an easy choice to make because insecurity to malware and hacking is not an immediately obvious effect on the consumer. At least Google, along with partners like Samsung and LG, has committed to pushing out monthly Android security patches — and if it finds the necessary cooperation from mobile carriers, it could make some progress on having a more unified security strategy.
Selling people on security rather than some otherworldly spec is hard to do, but that's exactly what BlackBerry is planning on with its Priv Android smartphone, coming later this week. It has a full security suite and an app-monitoring tool to help users protect their phones and their privacy. In an ideal world, Google's Android partners would all be doing what BlackBerry is, but as it stands, the trend remains to focus on more easily marketable features like glorious displays and high-powered chipsets.
Verge Video: Samsung Galaxy S6 Edge review