Recently, TheBestVPN compiled a "Vulnerability Alert" covering common systems and products on the market, based on official data published by the National Vulnerability Database of the National Institute of Standards and Technology. It lists the systems and products with the most vulnerabilities in the past twenty years. More vulnerabilities were found in products from established technology companies such as Microsoft and IBM. Among them, products developed by Microsoft were found to have 6,814 vulnerabilities over the past 20 years (1999-2019), ranking first. The complete list of the top five is as follows:
But in the past year, a total of 414 vulnerabilities were disclosed in the Android system developed by Google, making it the system with the most vulnerabilities in 2019. According to the report, 525 and 843 vulnerabilities were discovered in the Android system in 2016 and 2017, respectively, making it the system with the most vulnerabilities in these two years. Faced with such results, a Google spokesperson expressed a different view in response to foreign media: "We are committed to increasing transparency and publishing public security bulletins on Android system security issues every month to strengthen the security of the entire ecosystem. We disagree with those who regard the number of resolved security issues as the basis for measuring system security. This is actually the result of the Android ecosystem operating as expected openly."
As an open source system, Android is free for third-party manufacturers to use, which means that Google has lost the ability to coordinate software and hardware, resulting in more and more security vulnerabilities caused by third-party manufacturers' irregular operations or third-party hardware. After all, unlike the closed nature of iOS, the open source nature of Android means that it needs to be "more friendly" to more chips and hardware, and hardware defects from upstream mobile phone manufacturers may also be passed on to devices using the Android system.
In March this year, Google fixed a security vulnerability backdoor in the CPU firmware. The vulnerability allowed malicious programs to gain access to Android devices using MediaTek 64-bit chips through a simple script, thus affecting hundreds of smartphones, tablets and smart set-top boxes. Similarly, the "QuadRooter vulnerability" in Qualcomm's GPU driver that was exposed in 2016 was also a security issue from an upstream mobile phone manufacturer. And because Qualcomm had a higher market share, this vulnerability affected about 900 million Android devices worldwide at the time. One of the "QuadRooter vulnerabilities" even allows attackers to hide malicious code in the Exif data of an image, and the attack is carried out when the victim's device opens the image. The combination of little user interaction, low difficulty of exploitation, and low visibility to the victim also made this vulnerability one of the most severe vulnerabilities of the year.
In addition, non-standard development of the Android system by third-party OEM manufacturers is also one of the reasons for security vulnerabilities. In order to differentiate themselves in the market, many Android device manufacturers customize the system, such as MIUI, EMUI, ColorOS, etc. in China. Some of these manufacturers even modify the Android kernel code for some exclusive functions, and in the process of adding code, it is inevitable that the security risk of the entire system will increase. In 2015, Google's security personnel discovered multiple vulnerabilities in the Samsung Galaxy S6 Edge while studying the security of the code added by OEM manufacturers to Android. Attackers can use these vulnerabilities to create files with system privileges, steal user emails, and execute code in the kernel, while adding privileged and non-privileged applications.
In fact, this kind of security vulnerability, caused by OEM mobile phone manufacturers modifying the code on their own, is very common among Android mobile phone manufacturers. In order to prevent this from happening, Google even issued a warning to some OEM manufacturers in February this year. Google Project Zero researchers said that many smartphone manufacturers represented by Samsung directly access the Android kernel through hardware by adding downstream custom drivers, which will cause more vulnerabilities and make many existing security features in the Linux kernel invalid.
Android's open source nature has let it surpass other operating systems and become the mobile phone operating system with the highest market share. But while Google enjoys this benefit, the "side effects" of open source are also plaguing it, and Android's fragmentation and security issues are attracting increasing attention. As consumers, it seems that there is nothing we can do except maintain safe usage habits and ensure timely updates of the system.