Android was the most vulnerable system last year, but Google doesn’t think it means the system is unsafe

Recently, TheBestVPN compiled a “vulnerability alert” covering common systems and products on the market, based on official data from the National Vulnerability Database of the National Institute of Standards and Technology. It includes the most vulnerable systems and products of the past two decades. Established technology companies such as Microsoft and IBM account for the most vulnerabilities in their products: Microsoft’s products had a total of 6814 vulnerabilities recorded over the past 20 years (1999-2019), ranking first.

The full list of the top five is as follows:

1) Microsoft – 6814 vulnerabilities

2) Oracle – 6115 vulnerabilities

3) IBM – 4679 vulnerabilities

4) Google – 4572 vulnerabilities

5) Apple – 4512 vulnerabilities

Over the past year, however, 414 vulnerabilities were disclosed in Android, developed by Google, making it the most vulnerable system in 2019. According to the report, Android had 525 and 843 vulnerabilities disclosed in 2016 and 2017, respectively, making it the most vulnerable system in each of those two years as well.

In response to this result, a Google spokesman gave the media a different view: “We are committed to greater transparency and to issuing monthly public security bulletins on Android security issues to enhance security across the ecosystem. We disagree with the view that the number of security issues that have been resolved should be considered a measure of system security. This is actually the result of the Android ecosystem running as expected.”

As an open source system, Android is freely available to third-party vendors, which means that Google has lost the ability to coordinate software and hardware, and more and more security vulnerabilities result from non-standard modifications by third-party vendors or from third-party hardware. After all, unlike the closed nature of iOS, Android’s open source model means it needs to be “more friendly” to more chips and hardware, and hardware flaws from the upstream suppliers of phone vendors can also be passed on to devices that run Android.

In March, Google fixed a backdoor-like security vulnerability in CPU firmware that allowed malicious programs to gain privileged access to Android devices using MediaTek’s 64-bit chips through a simple script, affecting hundreds of models of smartphones, tablets and smart set-top boxes.

Similarly, the “QuadRooter” vulnerabilities exposed in Qualcomm GPU drivers in 2016 were a security issue originating with an upstream supplier of phone vendors, and because Qualcomm had a large market share, they affected about 900 million Android devices worldwide at the time.

One of the QuadRooter vulnerabilities even allowed an attacker to hide malicious code in the EXIF data of an image, which was triggered when the victim’s device opened the image. This combination of low user interaction, low exploitation difficulty and low visibility to the victim made it one of the most severe vulnerabilities of the year.

In addition, non-standard modification of the Android system by third-party OEMs is another source of security vulnerabilities. In order to differentiate themselves in the market, many Android device manufacturers customize the system, for example the Chinese vendors’ MIUI, EMUI and ColorOS, and some even modify the Android kernel code for exclusive features. Adding code in this way inevitably increases the security risk of the whole system.

In 2015, while Google’s security staff were studying the security of code added by OEMs to Android, Google discovered several vulnerabilities in the Samsung Galaxy S6 Edge that allowed an attacker to create system-privileged files, steal user email, and execute code in the kernel, from both privileged and unprivileged applications.

In fact, security vulnerabilities caused by private code modifications by OEM handset manufacturers are common among Android phone manufacturers. Google even issued a warning to some OEMs in February to put an end to this. Google Project Zero researchers say that adding downstream custom drivers that give direct hardware access to the Android kernel, a practice exemplified by Samsung, could lead to more vulnerabilities and could defeat multiple security features that already exist in the Linux kernel.

Android’s open source nature quickly made it the mobile operating system with the largest market share. But while enjoying this dividend, Google is also plagued by the “side effects” of open source, and its fragmentation and security issues are growing concerns. As consumers, apart from maintaining safe usage habits and keeping the system up to date, there seems to be little we can do.