Is Android as easy to secure as the latest AV-TEST results appear to suggest?

An independent IT security research facility has reviewed Android, and despite constant charges of insecurity, found the mobile platform to be far from wanting.

Is the AV-TEST right on this one?

The AV-TEST Institute is an independent IT security research facility based in Germany. It is perhaps best known for putting antivirus software under the labs-based microscope. If Android is as insecure as everyone says, how come 19 out of the 26 antivirus security apps in the latest test got a perfect score?

That score of 13 was made up of six points for 'protection' and another six for 'usability', with another single point added for extra features. It's the protection score that interests us most, as ten of the apps managed to detect 100 percent of the latest malware samples in real time, and 100 percent of those discovered in the previous four weeks. What's more, the remaining nine apps detected at least 99.7 percent, and the industry average across all tested apps is a pretty high bar at 99 percent anyway.

Does this mean that even with 90 percent or more of mobile malware targeting the Android platform, actually pretty much any Android can be 'secured' with the installation of an app? Does it mean, perhaps, that the AV-TEST researchers are looking at the wrong threats?

If it is, indeed, the case that simply throwing malware samples at apps is pretty meaningless as far as the real world of Android insecurity is concerned, the obvious follow-up question has to be: if antivirus apps aren't the answer, then what is?

ESET has one of those AV-TEST perfect score apps, and it comes as little surprise that the company told SCMagazineUK.com that installing a good multi-layered and regularly updating internet security application will protect you better than those that don't do this.

However, ESET Security Specialist Mark James also admitted that "you still could be installing over the top of potentially a weak insecure operating system", which could potentially mean users are less secure than they think. "Focusing on one aspect is just not enough", James concludes, "running the latest cutting edge security software on an unpatched outdated foundation is asking for problems..."

Jose Lopes, senior security consultant at Nettitude, told SC that while he agrees Android antivirus apps are "an added bonus to the security posture of a device", realistically they are just Android apps. In fact, they might even give the user a false sense of security, which is never a good thing. "User awareness (or lack of it) is by far the biggest culprit for Android's insecurity", Lopes concludes, adding "because the system gives the user that much power, contrary to its counterpart from Cupertino."

Giovanni Vigna, CTO and co-founder at Lastline, reckons that we should be happy that so many Android antivirus apps are able to achieve such good coverage across the current spread of threats.

However, he was also keen to point out, in conversation with SC, that this is in part because their adoption is still very limited and the bad guys haven't actually been substantially affected by them. "Once the use of mobile AVs becomes more widespread", Vigna insists, "I am sure that we will see more sophisticated approaches to evasion." As such, he reckons that it's important to analyse the ability of mobile-centred security apps to detect a variety of behaviours, not only the overtly malicious ones.

Mark James, meanwhile, brought the conversation back around to patching, ground that we have covered many times before. The problem with Android isn't the availability or effectiveness of security apps but rather the inability to implement timely system vulnerability patching.

"Unless you're running the Nexus phone", James argues, "you're at the mercy of your manufacturer to the speed and effectiveness of said patch and depending on the phone itself you may never actually see that patch." Motorola Moto Z users, are you still sitting comfortably? That many, and likely a large majority in fact, of Android users are oblivious to this really doesn't help matters.

Lopes concluded by insisting that, despite its many security enhancements, Android Nougat isn't going to change that Android insecurity picture. Which isn't to say that Google shouldn't be applauded for moving the security goalposts a bit closer together in Nougat with enhancements such as seamless updates, further MediaServer hardening (breaking it into smaller lumps for easier patching being the most obvious) and the always-on VPN (preventing specified apps from connecting unless via a VPN) for corporates.

The trouble is that even with these advances there's too much pissing in the wind; after all, nobody will be using Nougat. Think that's a bit of an overstatement? Maybe. But consider this: as of last month only 13.5 percent of the Android base was using Marshmallow. How long it will take Nougat to capture more share than that is an unknown.

What is known is that Nougat levels of security will not be available to large swathes of the droidscape, and when we say not available we probably really mean never available. With or without an antivirus app that can score 100 percent during independent testing, that is always bad news…