Google is spending millions of their own dollars to freely help other companies (and themselves!) enhance their security and close holes malicious actors can exploit.
Now replace "Google" with any other company or independent researcher of your choice. If you're no longer angry, you're being biased solely because it's Google and not someone you like.
The other folk have given some (correct) reasons why I read an opinion in your message. But, here was my thought process. If I was wrong in how I understood your message, my apologies.
>On the surface it appears
This implies an ulterior motive.
>expose flaws
As mentioned, "expose" is an emotionally charged word with negative connotation.
>in competitor's products.
P0 does not just focus on competitors' products, by any stretch.
Your statement also fails to convey that they notified Apple with industry accepted disclosure practices in order to fix the vulnerabilities, rather than just "expose flaws".
Your message shows how this situation can be framed to create a negative opinion towards Google. The wording of "on the surface it appears" implies that showing that was the purpose of the message.
"Expose" is a loaded term in many cultures. In particular it means to reveal something which the other party was trying to hide, usually in an adversarial way.
I suspect it's large companies, given the names provided.
Really, I don't get people's hatred for Project Zero. Sure, hate the companies, but can you seriously argue that companies spending money on security research is a bad thing? Even if gasp they might get some good publicity from that research?
I guess the issue is that very little discovered internally will ever be publicly disclosed. It feels like a tactic to make themselves look more secure than others when that is not likely the case.
That being said, I think the same behavior is to be expected from any company large enough to need a dedicated security research team.
Project Zero absolutely covers vulnerabilities in Google products. Just take a look at the blog archives (https://googleprojectzero.blogspot.com/). Chrome and Chromium seem to be frequent features, but they cover other Google properties as well.
> I guess the issue is that very little discovered internally will ever be publicly disclosed. It feels like a tactic to make themselves look more secure than others when that is not likely the case.
Agreed, and I don't think for a second Google as a whole is any different in this regard.
But who cares? Security issues are being found, Security issues are being publicized, Security issues are being fixed.
Project Zero, as a small part of Google, is finding bugs in everyone's software - including Google's - and holding them to the same standards, standards which are widely regarded as being acceptable standards for disclosure.
The rest of Google, should they discover an issue without Project Zero's help, presumably behave just as most of other companies do - so hate them all equally, that's fine - and I agree, but Project Zero is different to Google as a whole, and just is not something to hate IMO.
> good reason to want iPhone customers to feel unsafe
How does fixing vulnerabilities in your iPhone make you feel unsafe?
> apple blamed for issues
Apple is being blamed for the issues because Apple is to blame for the issues. They made the product. Who is to blame about the security issues in an Apple product, if not Apple?
And if you rule out "all companies like Google", you've basically ruled out everyone with enough capital to donate to research, depending on your definition of "like Google".
And really, it absolutely is a donation. The ROI on Project Zero is likely 50x or more less than if that money went to the marketing team.
If you don't want to engage in discussion why are you even commenting here in the first place?
You are saying that this gives more power to google and someone asked if you could elaborate on why you think that. Not everyone has the same background and what may be obvious power to you may not be to others. This forum is supposed to be participated in with good faith.
Thankfully there are many ways to participate. But maybe I was a bit short. My point is that if you don't 'meet me half way' I can't do the subject justice in a forum where a significant number of the comments arguing that point is hidden. That increases my effort to make an effective argument and diminishes my returns for that effort. Especially since I don't feel that strongly about it. You are better off trying to find a blog post about it that won't disappear in a couple of hours.
But on the other hand meta isn't that interesting either. If large companies wanted to do security research that wasn't objectionable to people they could do so by consensus, standards and agreements. No one could really question that. Instead the idea is largely that "the ends justify the means". That is what people tend to disagree with. That large companies can unilaterally decide how things are done, not just for themselves but in a way that affects other companies or their users. It doesn't really matter if it is for good or best practice because it is about them, especially as large companies in the industry, having that influence.
It's how it's used. Like how when Epic decided Fortnite should skip the Google Play Store and its 30% cut, Project Zero suddenly was interested in checking the security of games (which you rarely if ever see), so they could find a vulnerability in it and feed it out to Google's favored press outlets with a constructed story about how Epic is compromising everyone's security by not using the Play Store. (Don't mind all the stories about malware in the Play Store, of course.)
As soon as a company slighted Google, it was immediately a Project Zero target, and that should tell you everything you need to know about why people are annoyed with them.
IMO, you're making a pretty large assumption here - you're describing the intent as malicious without anything concrete to back it up. If I was a security researcher, and someone decided to do something out of the norm, I'd probe it! There's nothing here to suggest malicious intent, only a security researcher doing what a security researcher does.
> with a constructed story about how Epic is compromising everyone's security
Did Epic compromise everyone's (or, at least their users') security? My memory of that incident is, yes - they did. If that's true, if the code was buggy and had a path to a security exploit, how is it a "constructed story"?
If I recall the issue in question, the only way it would be vulnerable to anything was... if someone already had another malicious app installed on their phone. Which is to say, you could get infected by already being infected, which is... not much of a vulnerability.
> Which is to say, you could get infected by already being infected, which is... not much of a vulnerability.
It's a pretty big vulnerability when you allow the malicious intent of one app to escalate to an actual malicious capability so I don't think you're accurately recalling the issue in question.
I mean, if the first malicious app has less permissions than Fortnite, it could potentially gain Fortnite's permissions through the vulnerability. But the first malicious app likely could've just asked for those permissions itself, it's not like Fortnite has egregious permissions as it is, and neither can run as root.
Which is to say, there's the possibility for minor problems that should be fixed, but it's far from the "Epic is terribly insecure, trust the malware-ridden Play Store instead" rhetoric we got from this particularly aggressive media campaign.
> "Epic is terribly insecure, trust the malware-ridden Play Store instead" rhetoric we got from this particularly aggressive media campaign.
Did p0 say that anywhere?
Given that if I search fortnite on the play store, I get a special warning message that it can't be downloaded on play (which was added specifically to prevent fortnite clones), I'm less than convinced that there was a unified campaign by Google to undermine epic, as you seem to be suggesting.
It means malicious apps can target Fortnite as a vector for malwarin', stealing your Epic account, etc. The vuln got media attention because Tim Sweeney got it into his head to publicly grump at P0 because they wouldn't hold off disclosure past the point of patch release. If it wasn't a big deal, why do you think he did that?
My biggest question would be how many security vulnerabilities Google uncovered and disclosed on their own platform. If they are being good and helping other companies - great! But if they're also profiting by FUD'ing them - then we should call them something other than white hats.. grey hats maybe?
Well, Apple released a patch for all phones back to the 4s released in 2011. What are the chances that security patches for Android phones make it to phones released even two years ago?
Even Microsoft released a patch recently to a security vulnerability found in Windows XP.
The point is that this is a pretty small portion of all security updates. Compare to iOS, where updating the browser or iMessage (both with very large vulnerability surfaces) requires a system update.
There is a large difference. One is an automatic app update while the user continues working. The other requires the user to stop everything they're doing and reboot their device.
Or the user can just tell it to update later on when they aren’t using it.
With the benefit that all necessary components are updated together and that Apple can push out any updates world wide without waiting on the carriers...
> Or the user can just tell it to update later on when they aren’t using it.
This is how devices stay vulnerable.
> With the benefit that all necessary components are updated together
The whole app is already updated atomically. There is no benefit here.
> and that Apple can push out any updates world wide without waiting on the carriers
The same as a Pixel or Android One device. The only difference is that app security updates are artificially slower on iOS due to poor design, and for apps like browsers, this is a fatal flaw.
As opposed to most Android phones that never get system updates? As opposed to Apple releasing an update two weeks ago for all iOS devices back to 2011?
> The whole app is already updated atomically. There is no benefit here.
The Safari app is also used as an out of process web view for other apps as is the messenger app...
> The same as a Pixel or Android One device. The only difference is that app security updates are artificially slower on iOS due to poor design, and for apps like browsers, this is a fatal flaw.
It’s estimated that Google may sell 1-2 million phones a year and Android One phones are not much more ubiquitous. Even then Google only promises updates for two years.
> As opposed to most Android phones that never get system updates?
Don't buy them. Problem solved. Do you avoid Linux entirely because there exist Linux-based routers that are never updated? No, you buy Linux-based routers that are updated.
In this case, the choice is between properly updated Android phones, poorly updated userspace iOS phones, and poorly updated base system Android phones. The obvious choice is a phone from the first group.
> The Safari app is also used as an out of process web view for other apps as is the messenger app...
As is Chrome on Android. Since Android is designed in a way that apps can gracefully recover from arbitrary processes being killed, this does not matter. Chrome gets updated, the process restarts, and the page the user was viewing in the web view reappears. If the app wasn't in the foreground, the user won't even notice.
So there are approximately 2.5 billion Android devices in the world and less than 2% are sold by Google and they are the only ones getting updated and you don’t think that’s a problem?
But yet every single Windows PC sold by any vendor can still get updates directly from Microsoft.
> In this case, the choice is between properly updated Android phones, poorly updated userspace iOS phones, and poorly updated base system Android phones. The obvious choice is a phone from the first group.
You are really claiming that Android has a better update strategy than iOS and is more secure? Which Android phones from 2011 are still getting updates? 2013? 2015? Heck 2017?
It's a problem, just like the routers that aren't getting updated. It's not my problem.
> You are really claiming that Android has a better update strategy than iOS and is more secure?
Yes. I've already explained why, and you haven't refuted it.
> Which Android phones from 2011 are still getting updates?
I don't use eight year old phones, so this doesn't matter to me. If you use old phones, you could argue that iOS is marginally more secure than the Android options; but that argument is irrelevant to the purchase decisions of 99% of the people here who do upgrade devices regularly for whom there are Android options that are much more secure than iOS phones.
> If you use old phones, you could argue that iOS is marginally more secure than the Android options; but that argument is irrelevant to the purchase decisions of 99% of the people here who do upgrade devices regularly for whom there are Android options that are much more secure than iOS phones.
The average replacement time for cell phones in the US is 32 months.
> The average replacement time for cell phones in the US is 32 months.
That is not my replacement cycle nor the replacement cycle for most of the readers of this forum. It has no bearing on my purchase decisions nor the purchase decisions of most of the readers of this forum. For people who upgrade regularly, which is a group that includes me and most of the people on this forum, Android One and Pixel devices are more secure than iOS devices, and you appear to agree.
> 8 months longer than Google has promised updates.
Android One phones get security updates at least three years after release.
> That is not my replacement cycle nor the replacement cycle for most of the readers of this forum.
Well as long as it caters to you and the rest of the people on HN (have you done a survey?), I guess that’s all that matters - not the other 2 billion people in the world....
> Android One and Pixel devices are more secure than iOS devices, and you appear to agree.
Android One phones still have to wait on the manufacturer to update their phones. Yes, but they pinky promise they will. From the article I posted.
I’ve never had to wait on a manufacturer to get updates from my Windows PCs. Heck I still get updates for my Mac Mini running Windows 7 and Apple definitely had nothing to do with it. Why is the Android architecture so piss poor that they can’t figure this out? This - an OS vendor licensing to OEMs and providing updates - has been a solved problem for PCs for well over 30 years.
From the earlier article I posted.
While updates do still have to go through each phone’s manufacturer, there’s much less to check and update, so updates will generally arrive much faster. It won’t be a day one patch like you’d expect on the Google Pixel range
Each Android One phone is guaranteed to get at least three years worth of security updates from its release date, and up to two years of major Android releases, too.
> Android One phones get security updates at least three years after release.
The iPhone 5s (2013) received 5 years worth of OS updates.
The 4s (2011) just received a bug fix earlier this month.
The 6s (2015) is still a more performant phone than any midrange Android phone released this year and can hold its own against high end Android phones that are two years newer. It would be a pity to replace it if it were an Android phone just because Google couldn’t figure out how to update third party devices. My son is still using it.
> I guess that’s all that matters - not the other 2 billion people in the world....
I already explained the choices. For us, the obvious choice is a properly updating Android device. Any user who chose an iPhone or non-updating Android phone made a poor security choice. Any user who has a longer than three year upgrade cycle has no good options unless they use a community-maintained Android build.
> Android One phones still have to wait on the manufacturer to update their phones. Yes, but they pinky promise they will.
They are guaranteed monthly security updates. If you have an example of one that hasn't had monthly security updates, that would be a breach of contract with at least the user and possibly with Google who certified the device as Android One.
Windows updates aren't guaranteed to work with arbitrary device manufacturers' custom drivers.
> [Irrelevant stuff about how long iOS devices are updated]
The comment you replied to was a correction to your claim about how long Android One devices are updated. That is the maximum period a user can get a secure device for because we have already established that all alternatives have non-working security update systems.
>The 6s (2015) is still a more performant phone than any midrange Android phone released this year and can hold its own against high end Android phones that are two years newer.
You have conceded that iOS is worse for security, so now you want to argue about performance. Android has iOS beat there, too. Here is a midrange Android phone one generation older than the iPhone 6 beating it at the most common task for phone users — opening apps: https://youtu.be/hPhkPXVxISY
Here is a midrange Android phone of the same generation as the iPhone 6s beating it in the same test: https://youtu.be/B5ZT9z9Bt4M
Of course if you want to get off topic, a more interesting discussion than performance is usability, and Android is multiple generations ahead of iOS for what you can do with it and has been since at least the Verizon Droid, which came with driving navigation and voice control.
> You have conceded that iOS is worse for security, so now you want to argue about performance. Android has iOS beat there, too. Here is a midrange Android phone one generation older than the iPhone 6 beating it at the most common task for phone users — opening apps: https://youtu.be/hPhkPXVxI*
I’m not arguing performance for performance sake. I’m arguing that a four year phone is still performant compared to many newer Android phones and it is getting both* security updates and os upgrades 24 months and 12 months longer than the tiny percentage of Android phones that get either. It also doesn’t have to wait for a third party OEM to decide to push updates.
I’m also criticizing Google for not knowing how to push updates to phones running its operating system without OEM intervention - something Microsoft figured out 30 years ago with PCs.
But you don’t need to speculate how fast iOS users update their phones.
There are plenty of sites showing how many iOS users have updated operating systems compared to Android users:
> So do have a cite showing that a larger percentage of Android users are running an up to date OS?
You keep coming back to this irrelevant point. Many Android phones are insecure, just as all iPhones are. Don't buy them.
> I’m also criticizing Google for not knowing how to push updates to phones running its operating system without OEM intervention - something Microsoft figured out 30 years ago with PCs.
Who cares? Don't buy them. Besides, I already pointed out in my previous post that Microsoft didn't solve this problem. Do you blame Linus for all the routers that don't get updated, or do you just not buy them?
> I’m arguing that a four year phone is still performant compared to many newer Android phones and it is getting both*
So is a five year old midrange Android phone, which is also as insecure as any iPhone. Don't buy them.
Of course I'm biased. Google is a huge multinational corporation with a vested interest in keeping me on their platform. They're not researching vulnerabilities in Apple's products out of the goodness of their hearts, and although I agree that they're probably doing the right thing in this case, the fact that they're releasing the vulnerabilities at all probably has some ulterior motives.
Project Zero also regularly publishes on flaws in Google's own products. Check out https://googleprojectzero.blogspot.com: they do a fair amount of reports on Chrome, ChromeOS, Android, etc.
Project Zero regularly exposes flaws in Google products, as well as non-competitors' products (e.g. AV, Tavis Ormandy's AV rants are always enjoyable).
I'm not a fan of Google at all and don't use their products unless I absolutely have to, but everything I've seen so far about P0 has been stellar technically and ethically.
I find it all funny because one of the biggest reasons people don't switch from iOS is because of iMessage. It is nice to see that Google is helping Apple in finding the exploits and not exploiting it themselves as far as we know.
It is the entities spending millions of dollars to find exploits but then not disclosing them that we should be concerned about. This makes Apple stronger not weaker.
It really is brilliant. As others have pointed out, Google finds both vulnerabilities in its own products with project zero, as well as in its competitors' products.
There is no reason to assume project zero is biased if one considers second order effects of this security research.
What kind of press releases get picked up by the media 9 out of 10 times? Not the ones about google finding flaws in google products. Google just makes clever use of the media's bias for conflict.
If Google is responsibly disclosing the issues to vendors, why? I would find it hard to believe totalitarian governments like Russia or China would do the same.
Hopefully Apple does the same thing and obliges Google to operate with a whole lot more security. (Not that anyone should use Google in any case because of the industry leading flagrance of their privacy issues. But I digress.)