What's the consensus on "most secure" version of Android / most secure Android phone? Or is that an oxymoron, and Android just isn't secure?

VirtualLarry

Really curious about this. I've upgraded phones three times now, after exploits surfaced, and there was no carrier upgrade to be found. (And yes, things were "happening" to my phone, all of my apps running in the background, getting mysteriously warm, etc.)

Is there a way to have an Android phone, and NOT get hacked? I don't surf anything bad on my phone, I generally use Firefox for Android.
 

gpse

Pixel devices run the latest software/security on the Android platform. If you really care about security/privacy then go iOS/Apple.
 

Muadib

No way I'm ever buying or using an Apple device. Just no way.

And why is that? The XS Max is my current phone, and I simply love it. Trust me, I'm far from being an Apple fanboy, but everyone in my little circle went with the iPhone, so I did too. My first smartphone was the iPhone 3G, but I jumped ship to Android when Samsung phone screens went big, and Jobs said the iPhone didn't need to.

To answer your question, Apple is on a security kick right now, and Android is trying to catch up. The app store has always been safer compared to the play store. The app store was always monitored better than the play store. Having to give permissions to apps in Android just begs for trouble. The majority of Android users simply have no clue what they are doing when it comes to that. Don't get me started on getting apps outside of the play store.

If you truly want a safer phone, Apple is what you want.
 

Commodus

No way I'm ever buying or using an Apple device. Just no way.

I don't get your logic. "Every Android device I've used so far appears to have been compromised with no hope of official fixes due to the inherently flawed approach to security, but I refuse to switch to the platform that's guaranteed to solve my problem." You'd rather risk cybercriminals going on a joyride with your personal data than break your ideological rigidity.
 

mikeymikec

Really curious about this. I've upgraded phones three times now, after exploits surfaced, and there was no carrier upgrade to be found. (And yes, things were "happening" to my phone, all of my apps running in the background, getting mysteriously warm, etc.)

Is there a way to have an Android phone, and NOT get hacked? I don't surf anything bad on my phone, I generally use Firefox for Android.

AFAIK no phone of mine has ever been compromised. As for "mysteriously getting warm", 9/10 it was Chrome in the background. I stopped using Chrome.
 

VirtualLarry

Well, 1) I don't use Chrome, and I really don't care to battle all of the Apple fans coming out of the woodwork. My question was strictly about Android phones, Apple is off-topic in this thread.

And as for the "inherently flawed approach to security", at least, for older Android versions that I had at the time, I agree. My understanding was that Google was re-working Android, to make it more amenable to frequent updates, and isolating the Carrier portion of the OS.

My most recent phone purchases were a pair of Oreo 8.1 "Android Go" phones. As I am coming to understand, though, the "Go" edition is kind of like an Android Lite, and it won't run regular Android apps. (Though, it did run Firefox Focus. But not the app from my carrier for earning rewards, said it was incompatible.)
 

Commodus

And as for the "inherently flawed approach to security", at least, for older Android versions that I had at the time, I agree. My understanding was that Google was re-working Android, to make it more amenable to frequent updates, and isolating the Carrier portion of the OS.

You're thinking of Project Treble. It kind of addresses the issue by making it easier for vendors to update the guts of the OS without having to rework their customizations, but it doesn't always work that way (Samsung still takes forever to release OS updates and tends to skip point releases) and doesn't address some of the other problems.

For instance, even Google's updated Android security update policy only requires that large vendors release four security updates in the first year, and they're only obligated to provide support for two years. So there's a real chance that you'll be left open to an attack for months if your vendor is only adhering to the bare minimum, and that's assuming there are no delays (which is highly unlikely on most Android phones).

There's also the problem of the overall length of the update schedule. Even in the best case scenario of something like a Google Pixel, you're looking at three years of security updates... and like I said, Google only officially requires two. We're in a situation where the majority of Android phones are permanently vulnerable to attack after two years, and sometimes less (OEMs are notorious for poor support on budget phones).

You see why I was raising those points? Google's making improvements to security, but I don't think it's taking the issue as seriously as it should. I can't help but worry that there will be a Blaster-style worm on Android that spreads rapidly precisely because the clear majority of Android phones not only don't use the latest software, but in many cases can't because OEMs aren't required to do better.

Google really needs to step things up. All Android phones must get every security update Google releases for a given OS revision, and those security updates should be required for three years or more. You shouldn't have to install an antivirus app or live dangerously just because you want to keep your phone for a while.
 

VirtualLarry

Google really needs to step things up. All Android phones must get every security update Google releases for a given OS revision, and those security updates should be required for three years or more. You shouldn't have to install an antivirus app or live dangerously just because you want to keep your phone for a while.

I wholeheartedly agree! In fact, I would be in favor of legislation to enforce that three-year support period. Europe already has similar "fit for purpose" laws.

Edit: But what can I do in the meantime? Is Android Oreo 8.1 Go the most secure version? I noticed when it did updates, it had a system update, to "Mar. 2019 Security Patch level" or whatever, and there were a couple of "Carrier Service" updates too. (I assume, that handles the Carrier-dependent parts of the OS???)
 

Commodus

I wholeheartedly agree! In fact, I would be in favor of legislation to enforce that three-year support period. Europe already has similar "fit for purpose" laws.

Edit: But what can I do in the meantime? Is Android Oreo 8.1 Go the most secure version? I noticed when it did updates, it had a system update, to "Mar. 2019 Security Patch level" or whatever, and there were a couple of "Carrier Service" updates too. (I assume, that handles the Carrier-dependent parts of the OS???)

Legislation might be tricky, but I hope Google at least does something on its own.

Android 9 (aka Pie) is available in a Go edition, so I wouldn't count on 8.1 being the most secure version. And since the June 2019 security update covers multiple Android versions, you're a few months out of date on that front as well. In short: your phone is likely wide open to a bunch of potential attacks.

Carrier Service updates tend to focus on things like, say, cellular connection info and maybe carrier-specific features and apps. Not so much the OS itself as functionality layered on top.

This is basically the textbook example of what I was warning about: many Android vendors purposefully skip updates. If you want consistent security updates on Android, go with a Pixel (maybe OnePlus if it's as consistent as it claims). Otherwise, the problems might never stop.
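
An added example, not part of the original post: the patch level discussed above can be read from the `ro.build.version.security_patch` property and compared against the newest bulletin month, which is a separate question from whether the vendor's updater reports "up to date". The sample `getprop` output, the model name and the one-month tolerance are constructed assumptions.

```python
"""Added example: how far behind is a device's Android security patch level?"""
import re
import subprocess
from datetime import date

# Constructed sample of `adb shell getprop` output for a phone like the one
# described in the thread (Android 8.1 with a March 2019 patch level).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2019-03-01]
[ro.product.model]: [EXAMPLE-GO-PHONE]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def patch_level(props):
    """Return the patch level as a date, or None if absent or malformed."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def months_behind(level, latest_bulletin):
    """Whole bulletin months between the device level and the latest bulletin."""
    diff = (latest_bulletin.year - level.year) * 12
    diff += latest_bulletin.month - level.month
    return max(diff, 0)


def assess(getprop_text, latest_bulletin, max_lag=1):
    """Classify a device as current, stale or unknown.

    max_lag is an assumed tolerance (one month), not a vendor or Google rule.
    """
    level = patch_level(parse_getprop(getprop_text))
    if level is None:
        return ("unknown", None)
    lag = months_behind(level, latest_bulletin)
    return ("current" if lag <= max_lag else "stale", lag)


def read_device():
    """Read properties from an attached device (needs adb on PATH)."""
    result = subprocess.run(["adb", "shell", "getprop"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # June 2019 is the bulletin month named in the thread.
    print(assess(SAMPLE_GETPROP, date(2019, 6, 1)))
```

To check a real phone, pass `read_device()` instead of the sample and supply the current bulletin month yourself.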
 

VirtualLarry

Android 9 (aka Pie) is available in a Go edition, so I wouldn't count on 8.1 being the most secure version. And since the June 2019 security update covers multiple Android versions, you're a few months out of date on that front as well. In short: your phone is likely wide open to a bunch of potential attacks.

Carrier Service updates tend to focus on things like, say, cellular connection info and maybe carrier-specific features and apps. Not so much the OS itself as functionality layered on top.

This is basically the textbook example of what I was warning about: many Android vendors purposefully skip updates. If you want consistent security updates on Android, go with a Pixel (maybe OnePlus if it's as consistent as it claims). Otherwise, the problems might never stop.

Thanks for the info. Arg. It updated when I got my phone(s), but it didn't update to the June 2019 update. It says "up to date" when I check.
 

thilanliyan

I'm thinking the Pixel phones are the most secure. My Note 9 has been getting monthly updates, but it's about a month behind the Pixel phones.
 

Rifter

As long as you root it and install and configure a decent firewall most Android devices are secure enough IMO.
 

Commodus

As long as you root it and install and configure a decent firewall most Android devices are secure enough IMO.

You do realize what you just said, right? That Android is secure so long as you do something that's often unsupported (and certainly not a normal state) and install software you shouldn't have to run in the first place?

I like Android, but there's this weird acceptance of mediocrity among some fans when it comes to issues like security. You shouldn't ever have to root your phone for security purposes; if you do, that's a failure of the vendor or the entire platform.
 

Kaido

You do realize what you just said, right? That Android is secure so long as you do something that's often unsupported (and certainly not a normal state) and install software you shouldn't have to run in the first place?

I like Android, but there's this weird acceptance of mediocrity among some fans when it comes to issues like security. You shouldn't ever have to root your phone for security purposes; if you do, that's a failure of the vendor or the entire platform.

I think Android is cool & use it in various projects, but I don't care for their security model as my primary smartphone device. It's pretty much exactly the same as running a Windows personal computer...throw on Malwarebytes & Glasswire & have a solid backup system & yeah, you can have a pretty solid machine, security-wise, but it's a little bit trickier to get that level of control on an Android device. Plus, I don't want to have to worry about doing any of that stuff on my mobile device, you know?

My buddy just got a OnePlus 7 Pro & it's an amazing device...full screen with no notch or camera dot or bezel interruptions, 90Hz refresh rate, lots of really cool features, plus a reasonable price. But long-term support from phone vendors on Android updates, as well as the permissions issues with apps...it just gets a little flaky in my book. My whole digital life is stored on my phone & while Apple's model isn't perfect either, I vastly prefer the walled-garden approach. It's a similar concept to Roku...yeah, you can hack a Fire Stick, but I like the simplicity & ease of using Roku to pop open Netflix & start watching a show.

It really boils down to what you want to do with your gadget & how fussy you want the experience to be. I think it's a little bit crazy that you really should be running an antivirus/firewall app on your smartphone, personally. Again, I like Android, I think it's cool, and I use it in various projects, but security-wise on my personal device, where I don't want to have to think about or mess with the settings so that I can just easily use it, I'll stick with iOS for now.
 

lxskllr

I treat Android like I did Windows PCs. Lock down the browser, and vet programs I install. I've never had an issue with Android, and the single issue I had with Windows was caused by me not thinking once.
 

Kaido

I treat Android like I did Windows PCs. Lock down the browser, and vet programs I install. I've never had an issue with Android, and the single issue I had with Windows was caused by me not thinking once.

Yup, that's the way to do it - and 99% of people absolutely do NOT do it that way, lol.
 

Rifter

You do realize what you just said, right? That Android is secure so long as you do something that's often unsupported (and certainly not a normal state) and install software you shouldn't have to run in the first place?

I like Android, but there's this weird acceptance of mediocrity among some fans when it comes to issues like security. You shouldn't ever have to root your phone for security purposes; if you do, that's a failure of the vendor or the entire platform.

The reality of the situation is that older devices get abandoned by the manufacturers and the only way to keep them up to date and secure is to run aftermarket ROMs that are still getting updated. This is a good thing that you can root because then you are not solely relying on your device manufacturer for updates.

Personally I look at this as a plus anyways as you need to root to run the good firewalls anyways. I usually leave my main phone unrooted as long as it's getting updates, then root when I have to. All my old phones and tablets are rooted and mainly running non-stock ROMs and I'm happy this is an option so I can keep them secure.
 

dainthomas

Just got June security update on the Note8. Hopefully it continues past the two year mark. I really don't want to root since I'd lose Samsung Pay and secure folder which I use frequently.

I suppose I could get the Note10, but I was hoping to not have a phone payment for a while.
 

Commodus

The reality of the situation is that older devices get abandoned by the manufacturers and the only way to keep them up to date and secure is to run aftermarket ROMs that are still getting updated. This is a good thing that you can root because then you are not solely relying on your device manufacturer for updates.

Personally I look at this as a plus anyways as you need to root to run the good firewalls anyways. I usually leave my main phone unrooted as long as it's getting updates, then root when I have to. All my old phones and tablets are rooted and mainly running non-stock ROMs and I'm happy this is an option so I can keep them secure.

For devices that have lost official support, sure. My concern on that front, of course, is about the length of support. Two years isn't really adequate, since you're hosed if you want to keep your phone for longer than the term of a standard contract or instalment plan. Contrast that with iOS, where your phone will get updates for a good four or five years later.

And I'm sorry, but if you have to root to get "the good firewalls," that's a failure of the platform. I don't think Android is particularly vulnerable when it's kept up to date, but it's still a problem if you have to 'hack' your phone to get security you're comfortable with.
 

Zaap

The paranoia and FUD expressed here is hilarious if not a little sad. Relax. No one is after your damn phone. You're probably as likely to get struck by lightning as you are to have some big bad hacker read all your sexts or whatever the fear is.

Use a VPN in public places and don't be a purposeful nitwit with your device (visiting suspect web locations doing illegal things) and you'll be fine.
 

Kaido

The paranoia and FUD expressed here is hilarious if not a little sad. Relax. No one is after your damn phone. You're probably as likely to get struck by lightning as you are to have some big bad hacker read all your sexts or whatever the fear is.

Use a VPN in public places and don't be a purposeful nitwit with your device (visiting suspect web locations doing illegal things) and you'll be fine.

[Image: OQhF4QH.png]
 

Commodus

The paranoia and FUD expressed here is hilarious if not a little sad. Relax. No one is after your damn phone. You're probably as likely to get struck by lightning as you are to have some big bad hacker read all your sexts or whatever the fear is.

Use a VPN in public places and don't be a purposeful nitwit with your device (visiting suspect web locations doing illegal things) and you'll be fine.

The issue isn't that people are specifically targeting your phone or that people are being completely clueless, it's that you may get caught up in a malware campaign or make an innocent mistake. Some malware can spread without your doing much of anything intentional, like worms; and as we've seen here on AnandTech, there can be bad ads on good sites.

Personal responsibility goes a long way, but your phone shouldn't be vulnerable to old exploits just because your OEM didn't feel like issuing an available security patch that month.
 

Zaap

I've seen developers explain a million times why their apps need read/write privileges in order to function and pretty much 999x out of 1000 there's absolutely nothing nefarious going on. There are plenty of reputable developers who aren't looking to get kicked off the play store for making stealth spyware apps.

Also plenty of app choices that report to you exactly what's going on on your device and what apps are doing what. Again... a little knowledge goes way farther than blind paranoia.
 

Zaap

The issue isn't that people are specifically targeting your phone or that people are being completely clueless, it's that you may get caught up in a malware campaign or make an innocent mistake. Some malware can spread without your doing much of anything intentional, like worms; and as we've seen here on AnandTech, there can be bad ads on good sites.

Personal responsibility goes a long way, but your phone shouldn't be vulnerable to old exploits just because your OEM didn't feel like issuing an available security patch that month.

Security patches aren't what really keeps a device safe, it's mainly user action.

Most of Android's problem is that it's a platform used on many more devices than iOS. Every study done about malware on the platform shows that the biggest problems come from third world users who use older, almost completely insecure devices. Simply put: iPhones are generally too expensive for those markets. So if you're still using an older Android phone from years ago that hasn't been updated in ages, then sure, be a little paranoid. (You'd probably still be fine though, as your chances are about 1 in 10 million of being compromised.) But a modern Android flagship used in the first world? Please. Stop being so paranoid.

On Android, it's possible to side-load apk files from nefarious sources, so many problems are user-related. If you go stealing apps as is possible on Android, then your mileage may vary.

Google also allows a lot more types of apps on the Play store, like emulators and such. The trade off is: more choice and access to apps not available on iOS, vs. a much more vetted app store. It's a risk most Android users are OK with, because we prefer more choice, and know that actual harmful malware isn't really all that common. Sure it's possible, but the same is true with most any device. The real thing is how likely is it to be worried about in a paranoid and silly way.

Looking up malware campaigns, one can find them on both platforms:

https://techcrunch.com/2019/06/11/banking-apps-security-flaws/

So just for that example, the likelihood of you being targeted via flaws in your banking app software is pretty much equally likely on either platform.

Now, am I going to use this to wring my hands and say "ERMYGERD!!! your iPhone isn't safe to use!!!"?

No. Because that'd be the paranoid and silly reaction.

It's possible, but is it likely? If just the possibility is making people so fearful- maybe just don't use a smartphone at all. Problem solved.