Why You Should Get Your Android Phone from Google
Left to right, the Google Nexus One, Nexus S, Galaxy Nexus and Nexus 4.
CREDIT: Android Open Source Project/Creative Commons
To keep your Android phone free of malware, keep it pure Google — or, at least, get rid of the bloatware.
Every Android phone has its quirks because every manufacturer — be it Samsung, Motorola, HTC or dozens of other handset makers — wants to offer something different, said Jon Oberheide, co-founder and chief technology officer at Duo Security in Ann Arbor, Mich.
"They each try to do something special," Oberheide said.
The problem is that "something special" can mean including lots of apps that aren't needed, or wanted, and lots of tweaks to the operating system.
All these adjustments to Google's stock Android software also increase the number of ways a phone can be attacked.
For example, a relatively innocuous app that organizes contacts might save its data in an easy-to-find file, leaving it vulnerable to hackers. Or an added launcher screen might let a stranger bypass the phone's PIN lock, granting access to email and social-media apps.
Worried about security? Go pure Google
One way to avoid such problems is to get the phone directly from Google. Chester Wisniewski, senior security adviser at the Vancouver, British Columbia office of the British anti-virus firm Sophos, said that's what he does.
"I got a Nexus  and the primary reason was that I didn't want the bloat," Wisniewskisaid.
He said his wife, though, had a Samsung Galaxy S, which had several apps from both the carrier (Bell Mobility) and Samsung, none of which were necessary. (She has since gotten a Nexus 4 as well.)
"All this stuff is taking up memory and adding to the vulnerability," Wisniewski said.
Both Oberheide and Wisniewski agreed the problem isn't that handset makers and carriers are being malicious, or even careless — it's just that they may not have the expertise that Google has to plug Android security holes.
Oberheide said it isn't only the user-visible apps that may be a problem. Sometimes the software "under the hood" can lead to issues.
For example, development teams might forget to remove the utilities they used to test the phone's systems on the device, leaving them embedded in the system software.
"Oftentimes the [device maker] has a development team on a device and they might have special debuggers and utilities, which allows them to develop and debug more efficiently," Oberheide said. "Some of these routines get left behind."
Those "tools" of the development team can be appropriated by hackers, giving them extra privileges on the phone's system.
Google, on the other hand, has many more software experts — essentially more pairs of eyes — working on Android to make sure that doesn't happen.
Wisniewski said it isn't just the fact that there are "extras" on the phones. It's also that so many are hard to remove.
"I don't want to have to root my device," he said, to get rid of something that isn't necessary.
Stay up to date
Another advantage of a "pure" Android system is that Google can push out updates and fixes faster. In that sense, Oberheide said, Google acts a bit like Apple, which pushes out iOS simultaneous updates to all compatible iPhones, iPads and iPods.
"Nexus One, Galaxy Nexus — they are all sort of guaranteed by Google to receive formal patches, also major versions of Android," he said.
Phones from the carriers can take longer to get fixes, because the manufacturers sometimes don't update their software as often. Some older Android phones, even those still under contract to carriers, may never get up to date.
The process of getting patches to the user involves at least three parties — Google, the handset maker and the cellular carrier, the last of which may add its own tweaks to the phone's Android build.
With iOS, on the other hand, the hardware and software are both under the tight control of Apple, which takes full responsibility for getting updates to the end user.
Does this mean that one should always avoid getting that cool handset from Motorola or Samsung? Not necessarily, said Wisniewski said — just be prepared to pay more for a handset that has the latest version of Android.
Oberheide noted that Android phones have had a reputation for poor security, because the platform was open source and because Google Play, formerly known as Android Market, initially didn't have a way to vet apps and remove malicious software.
That changed last year with the introduction of Google Bouncer, software that combs the app market for behavior that could indicate malware. (Yet even Bouncer has its flaws.)
Wisniewski said one smart move by Google was decoupling the operating system from the Web browser in the latest iterations of Android. Many attacks come via the browser, and unlinking it from the operating system reduced a big vulnerability.
But even if you get your phone from Google, that isn't a guarantee of absolute security. The latest version of Android, Jelly Bean, is a relatively secure system, but it isn't as safe as iOS.
That isn't because iOS security is necessarily better. It's because fewer hackers have spent time trying to crack iOS than they have Android.
"There's a difference between security and safety," Wisniewski said.