Software developers still reeling from the constant security failures throughout the open-source stack in 2014 can take at least some comfort from the proceedings at this year's RSA Conference in San Francisco. Most of the solutions, talks and products discussed at the show were not focused on the developer-induced security flaws that caused such a ruckus last year.
Instead, most of the vendors and speakers at this year's conference focused on practical threat assessment, mitigation and compliance. These topics covered security in the cloud, enterprise identity management, and tools that map out, in real time, just where an attack is coming from.
Mobile was, as expected, a hot topic at the show as well, and Adrian Ludwig, from Google's Android Security team, gave a talk yesterday detailing the state of Android security.
Google uses its own applications, such as Gmail and Chrome, to monitor the security state of Android devices around the world. As a result, Ludwig said, Google has more than a billion sensors in the field from which to draw data.
Ludwig said Google is “looking at potentially harmful applications. We break that down, region by region, and by types of apps. The traditional PC model of thinking about malware is that all malware is kind of the same: It can compromise your device at a holistic level. In Android, because of sandboxing, for a developer who wants to protect e-mail, we see maybe 10 to 20 out of every million installs of something that would go after that data. You compare that to how many devices are lost every day or stolen, and you start to realize that this is the real threat: physical-world threats.”
According to Ludwig's numbers, only 1% of all Android devices installed a potentially harmful application in 2014. Among devices that install applications only from the Google Play Store, that figure shrinks to 0.15%. The rate also fell over the course of 2014: the fourth quarter saw half as many potentially harmful installs as the first.
Ludwig said that the security landscape for the Internet of Things is similar to that of Android, but that a few areas need improvement before networks and devices can be considered secure. "Hardware security for consumers is a disaster," he said.
“The business model for hardware security is incompatible with large-scale systems. So what we’re really interested in is how can we get the advantages of hardware security at scale, and how can we do that in a heterogeneous environment when you may not trust the devices in that environment.”