Stay in touch

Enter your email and get the latest news and researches on cybersecurity, receive invitations to private security events and conferences.

Android tops 2016 vulnerability list - security industry says "meh!"

By Davey Winder for PC & Tech AuthorityMonday, January 9, 2017

The Common Vulnerabilities and Exposures (CVE) statistics for 2016 are in and it doesn't make great reading for Google. Or does it? Davey Winder runs the numbers.

Android tops the CVE charts for most insecure product (ahead of Debian, Ubuntu and Adobe Flash) and Google comes second (behind Oracle but ahead of both Adobe and Microsoft) in the insecure vendor listings.

That's according to a summation of the stats for 2016.

If we dig a little deeper than the headline figures, and take the last couple of years into account, things don't get any the rosier for Google. Both Apple products, and Apple as a vendor, have become ‘more secure' over time using this metric whereas Google has gone in the opposite direction.

Measuring security by the number of distinct vulnerabilities disclosed across the year, however, is not really an accurate metric. We asked the IT security industry what it made of the numbers, and the ‘face value' headlines they have generated.

Ian Trump, global cyber security strategist for SolarWinds, was of the opinion that “the CVE numbers speak the truth” and “Android will always remain a security concern for Google”.

He went on to insist that there's little financial incentive for Google to improve the security of Android, and he wouldn't be surprised if Android was spun off from Google parent company Alphabet in the next few years.

Most everyone else disagreed, however. Take Craig Young, a security researcher at Tripwire, who said that “counting CVEs to gauge relative security levels is a fundamentally flawed practice”, adding it is “discredited by many in the industry including some of the engineers responsible for creating the CVE numbering system”.

Stephen Gates, chief research intelligence analyst at NSFOCUS, agrees. He told us that “just because a vendor has a high number of known vulnerabilities, does not mean they have inferior products”. A more meaningful metric, he suggested, would be the how quickly patches were issued.

Another nail in the coffin of the CVE charts as a measure of insecurity was hammered home by Jonathan Couch, SVP of Strategy at ThreatQuotient, who in conversation insisted that the real tell for these stats is “how many vulnerabilities were leveraged as actual exploits in the wild”.

After all, if the bad guys can't leverage a vulnerability to steal data, for financial or political gain, then it really doesn't matter much in the real world. Consider that Android vulnerabilities tend to require a malicious application to get into the official app store, past the checks that are made, and then for users to download and execute them. This exploit execution simply doesn't happen for most such vulnerabilities.

Then there's the open source factor to consider. Lawrence Munro, senior director of SpiderLabs EMEA at Trustwave, points out that “the approach of open source vs. closed source (Android (ASOP) vs. Apple iOS for example) influences the number of bug discoveries, as there's more to work with when you have the source code".

And, as High-Tech Bridge CEO Ilia Kolochenko adds, “Android is an open source, very popular, emerging and developing product, it's totally normal that new vulnerabilities are regularly discovered.

Indeed, open source projects will always get more bugs reported courtesy of many more eyes on the code. Read Full Article

User Comments and Opinions
Add Comment