This isn't going to be popular on Windows Central, I know that there are many who hate Google... you may fire at will.
I may ask you to back that bus up a little bit. Two claims that may need to be adjusted with some additional context:
1. Stagefright: At its HEIGHT the media ran with the story that over 1 billion devices were affected. In truth, Stagefright had the ability to impact less than .08% of devices at the time that it was discovered and no single device has ever been impacted in the wild. All devices running Android 4.0 were systemically protected by other mechanisms within Android for all known attacks that this vulnerability had available. The devices at the highest risk were Android phones running API level 10 Gingerbread 2.3.3 to 2.3.7 with more than .5GB RAM and Tablets/Google TV and other devices on API levels 11 through 13 Honeycomb with more than 1GB of RAM and being MMS capable through cellular radios. You can imagine the tiny number of devices that this is comprised of. The security updates rolling in September and October eliminated the first step of the risk so that unknown implementations of this attack cannot expose undiscovered vulnerabilities that could make it through the other 6 layers of defense against this attack.
Firstly, thank you for your response. It's good to stick to facts and makes such a change from the usual Android user response.
I take my lead on security matters from Steve Gibson of the Security Now podcast. If he says the situation isn't good enough, as far as I'm concerned it isn't. Steve covered Stagefright over three or four weeks, covering its discovery, going through technical issues, explaining the type of attack and why features like address space layout randomisation (ASLR) do not adequately defend users against hackers exploiting these weaknesses - don't forget Stagefright is actually seven or eight separate vulnerabilities. Don't forget features like ASLR are not new or unique to Android; they were developed on Windows years before they were incorporated into Android - and hackers have long ago developed strategies to get around them. Also, as I understand it, these vulnerabilities are zero-day, which means they are already being exploited in the wild.
2. Privacy: Most users of things that connect to the internet are aware of the fact that they are giving their information to some company or another. The question about privacy, from a public perception, typically generates fear of that information being SHARED. In most cases, people think of data being bought/sold/traded, etc. Google has a unique model in AdSense with which your data, stuff about you, never makes it to the advertiser. Instead, the ad is placed by Google and the revenue is shared with the site, etc. at the expense of the advertiser and all of this happens with your data never leaving Google's side of the equation. This is unknown to most users, but Google takes another step and forbids themselves from sharing your data with ANY third party (unless required to do so by law, such as via a VALID warrant) without your explicit permission to share specific data with that specific third party. They give you complete control over this. This is different from the approach that say, Apple takes, where they give themselves permission to share your anonymized data with whomever they choose. To the end user, this is more or less the same thing - personal details about you, connected to your identity, never make it outside of the company you shared it with. BUT, Apple is trading data and Google is not. This is the opposite of the public perception. That said, Microsoft gives itself permission to share data within their network of Microsoft controlled affiliates, subsidiaries and vendors. This SOUNDS like the worst of all three, but in reality it just means that they outsource some of their big data analysis, etc. I have not heard of a situation in which Microsoft has abused user privacy other than the Yahoo partnership fiasco from 2013 but users of all systems should remember that their Outlook account belongs to Microsoft, their Gmail belongs to Google and their Facebook belongs to Facebook, etc.
On a similar note, every word typed in this forum belongs to Mobile Nations.
This is good to know, but I don't think I ever accused Google of sharing data with third parties. For me Google themselves crossed the line, by using users' property to track them. It is one thing to send a device's (and therefore user's) location when that user requests a service and completely another to continually track their movements. Google, Facebook, Microsoft and Apple have all inadvertently shared user information with the NSA, GCHQ etc, so I'd rather that type of information wasn't collected at all.
I don't really think that any mobile OS is inherently more secure than another, I do think some users are more inherently secure than others. That said, Google has a LOT of FUD being spread about them and most of it is being spread by hypocritical mouthpieces of companies that actually violate the tenets for which they want to accuse Google of violating. Yes, Google's business is data mining and turning that data into two things: 1. useful features and 2. (most important) dollars. Apple and Microsoft are in the same business with the same tools and they're doing the exact same two things with data - they just have a different way of describing it and a different twist on the feature-set.
Well everybody has a right to their opinions, but I can't agree with the assumption that all OSs are equal in terms of security. The whole point of closed ecosystems like those of Apple and Microsoft is that all apps are vetted prior to publication so users can be safeguarded against malware. Although I'm happy that apps downloaded from the Play store are safe, there's nothing stopping users from installing apps from somewhere else. Also, Apple do not store users' fingerprints on the device, but hash the image so that the fingerprint cannot be recreated, but HTC for instance stored the fingerprint as an unencrypted JPEG. Then there was the case where Samsung stored the PIN for their Knox secure folders in cleartext on the device. Why do you expect me to agree that the levels of security are the same when I can point to these and other serious breaches? You over time have shrugged each of these off, but I don't have the same investment in the ecosystem that you do, so I've no reason to be as lenient. By all means point to similar stories about Microsoft's mobile ecosystem if you can find them.
The simple fact is that Android is the new Windows with security not only not the top priority, but often compromised by OEMs. With Windows at least you can say it was programmed before viruses were prevalent, but Google had Windows as an example to learn from and Microsoft learned from their brush with Code Red, such that most third party anti-virus/firewalls actually increase the attack surface on PCs (again, according to Mr Gibson, who recommends Microsoft Security Essentials).
As for FUD, well you can't tell people who follow Microsoft anything about that, given the hysteria surrounding Windows 8, Windows 10 and Cortana. But I won't accept that accusation against me, because I've linked to reputable sources like the BBC and The Guardian, not some click-bait site that splits the story up into eight pages so you have to load more ads.
Finally, don't fixate on Stagefright, because I'd rejected Android long before that and long before I came to hate Google for not respecting my right to choose which phone I carry. My concern was and is exactly what other vulnerabilities there are and could these tiny drops ever club together to make a torrent. Exactly how many leaks does this bucket actually have?