The future of mobile security rests with platform providers, Adrian Ludwig, lead engineer for Android security at Google, argued at the Structure Security conference in San Francisco on Wednesday.
“Historically, we’ve expected that everyone on a device would protect themselves — back to feudal Italy, the way you were safe was to build a wall,” Ludwig said.
No one, however, thinks that way anymore — perhaps a certain presidential candidate.
Now, in the midst of the shift to mobile and cloud, it makes sense for platform providers to start taking responsibility for security.
“The level of investment and corporate portfolio in security should go down,” Ludwig said. “There’s the expectation that to protect yourself, you have to hire a bunch of ninjas — we just don’t have ninjas.”
At Google, Ludwig said, “We believe being open as possible will ultimately lead to better security.”
Android apps that go through the Google Play store go through a comprehensive vetting system, he said, but problems do arise from apps uploaded through third party app stores.
“Another part of openness is realizing if you’re going to have an ecosystem as big as Android, you need to have visibility as to what’s going on on those devices,” he said.
Most of Android’s billion users have some level of interaction with an endpoint security system that allows Google to watch for malware and other problems. Still, a big challenge for Android has been working with its partners to get devices updated. Samsung, Ludwig said, has done a good job improving this process, and now updates several hundred device models on a monthly basis.