This story is over 5 years old.


Google Security Engineer Claims Android Is Now as Secure as the iPhone

If you’re paranoid, Android will protect you just as well as the iPhone, according to Google’s director of security for Android.
Image: Tsahi Levent-Levi/Flickr

It's a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees—but of course he would.

"For almost all threat models," Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, "they are nearly identical in terms of their platform-level capabilities."


Read more: What If the FBI Tried to Crack an Android Phone? We Attacked One to Find Out

In a short interview after a talk at a security conference in Manhattan on Tuesday the talk, Ludwig said that, "for sure," there's no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though.

"In the long term, the open ecosystem of Android is going to put it in a much better place," he said, without mentioning that Android has already been around for more than eight years at this point.

During his talk at the O'Reilly Security Conference Ludwig said that Android's built-in security product called "Safety Net" scans 400 million devices per day and checks a stunning 6 billions apps per day.

The result of these security checks, coupled with the exploit mitigation measures baked into Android, mean that a really small number of Android devices has malware or, as Google calls it, "Potentially Harmful Applications" or PHAs, according to Ludwig. In fact, Ludwig said showing a graph, less than 1% of Android smartphone contain malware.

Adrian Ludwig speaks at the O'Reilly Security conference in Manhattan, New York, on Nov. 1.

As an example of Android's misunderstood security, Ludwig used the infamous series of critical bugs known as Stagefright, which were found last year. Ludwig noted that despite the alarm and the potential danger to practically all Android users, they have yet to see a real-life hack on an Android phone done exploiting Stagefright.


"At this point we still don't have any confirmed instances of exploitation in the wild," he said.

Obviously, Ludwig admitted that while things have gotten much better in the last year, telephone carriers and phone manufacturers that use Android still have to improve their update cycles and become quicker in adopting security patches.

"We got quite a bit of work left to do to get to a point where that actually happens on a regular basis across the whole the ecosystem," Ludwig said.

The good news, according to him, is that Android is already secure enough that it's almost impossible for someone to target a large number of people at the same time. That's why, he said, "mass exploitation is something that I'm not expecting that we're going to see at any point in the Android ecosystem."

Get six of our favorite Motherboard stories every day by signing up for our newsletter.