Android phones have a lot of CVE numbers but does that mean they are more insecure?

Android tops the CVE charts for most insecure product (ahead of Debian, Ubuntu and Adobe Flash) and Google comes second (behind Oracle but ahead of both Adobe and Microsoft) in the insecure vendor listings.

That's according to a summation of the stats for 2016.

If we dig a little deeper than the headline figures, and take the last couple of years into account, things don't get any rosier for Google. Both Apple products, and Apple as a vendor, have become ‘more secure’ over time using this metric whereas Google has gone in the opposite direction.

Measuring security by the number of distinct vulnerabilities disclosed across the year, however, is not really an accurate metric. SC Media UK asked the IT security industry what it made of the numbers, and the ‘face value’ headlines they have generated.

Ian Trump, global cyber security strategist for SolarWinds, was of the opinion that “the CVE numbers speak the truth” and “Android will always remain a security concern for Google”.  

He went on to insist that there's little financial incentive for Google to improve the security of Android, and he wouldn't be surprised if Android was spun off from Google parent company Alphabet in the next few years.

Most everyone else disagreed, however. Take Craig Young, a security researcher at Tripwire, who told SC that “counting CVEs to gauge relative security levels is a fundamentally flawed practice”, adding it is “discredited by many in the industry including some of the engineers responsible for creating the CVE numbering system”.

Stephen Gates, chief research intelligence analyst at NSFOCUS, agrees. He told SC that “just because a vendor has a high number of known vulnerabilities, does not mean they have inferior products”. A more meaningful metric, he suggested, would be how quickly patches were issued.

Another nail in the coffin of the CVE charts as a measure of insecurity was hammered home by Jonathan Couch, SVP of Strategy at ThreatQuotient, who in conversation with SC insisted that the real tell for these stats is “how many vulnerabilities were leveraged as actual exploits in the wild”.

After all, if the bad guys can't leverage a vulnerability to steal data, for financial or political gain, then it really doesn't matter much in the real world. Consider that Android vulnerabilities tend to require a malicious application to get into the official app store, past the checks that are made, and then for users to download and execute it. This exploit execution simply doesn't happen for most such vulnerabilities.

Then there's the open source factor to consider. Lawrence Munro, senior director of SpiderLabs EMEA at Trustwave, points out that “the approach of open source vs. closed source (Android (AOSP) vs. Apple iOS for example) influences the number of bug discoveries, as there's more to work with when you have the source code”.

And, as High-Tech Bridge CEO Ilia Kolochenko adds, “Android is an open source, very popular, emerging and developing product, it's totally normal that new vulnerabilities are regularly discovered.”

Indeed, open source projects will always get more bugs reported courtesy of many more eyes on the code.

But it's “hard to explain the precipitous increase of Android bugs compared with last year”, according to Drie CTO Tom Van Neerijnen.

Arian Evans, VP of product strategy at RiskIQ, is not so surprised, telling SC, “The recent spike in Android vulnerabilities isn't particularly concerning or surprising; in many ways, this may be a positive.” Indeed, Google only launched its official Android Bug Bounty programme in June 2015 so what we are seeing now is likely a result of the timing of this programme.

Paul Calatayud, CTO of FireMon, agrees and points to the time when the Apple OS was considered secure based upon the low number of disclosed vulnerabilities. Over time, as Apple increased in popularity in the workplace, the vulnerabilities started to be discovered. “I would look at this trend and pattern,” Calatayud says, “and apply it to Google as the main observation.”

Some would look outside of Google for the reason why Android tops the CVE listings for 2016. Jonathan Sander, VP of product strategy at Lieberman Software, told us, "Many of the vulnerabilities reported are sourced from their many, many partners involved in the Android ecosystem – from Qualcomm to Samsung and even another CVE chart-topper Linux."

So, should we be concerned by Google and Android taking such high positions in the CVE charts?

We'll leave the last word to MWR InfoSecurity's UK managing director John Fitzpatrick who says, “These numbers should be reassuring to Google customers; we should be concerned about the companies who are not assigning CVEs and question what security assurance activities they are undertaking.”