Am I being kept safe by Google? What evidence is there of that?
There appear to be 635 vulnerabilities publicly disclosed by 3rd parties in Android this year with 43 being critical and 139 being high or critical [1]. 224 in Chrome [2], though none being labeled high severity, though that is mostly due to the fact that things such as disclosed remote zero-click heap corruptions leave the final bit of actually getting full code execution as a trivial exercise to the reader.
There was a cool attack demonstrated a few weeks ago completely defeating the Google Titan M security chip [3], their custom-designed secure vault used to store your most sensitive secrets. It could be hacked through software alone to exfiltrate all of its secrets. Given its purpose their security process should have resulted it being designed by their best security experts and been their most secure consumer product. Beaten by three people with a year and a half.
I mean seriously, their flagship, in-house Android phones are advertised as only conforming to the absolute lowest levels of security [4][5]. Seriously, go read that [6] on page 9 they describe the arduous certification process where the auditor googles “Android” and sees that there are no unpatched vulnerabilities. This is their primary advertised third party audit of whole system Android security.
So, a company which produces products with loads of vulnerabilities, has their most secure products defeated by moderately resourced attackers, and only certifies their products with third parties to the absolute lowest levels of security is keeping me safe from hackers? Pull the other one.
Oh, but they are going to protect everyone by creating their own built-in VPN [0] to "protect your online activity no matter what app or web browser you use." /s
For what it's worth, the whitepaper for their VPN makes some pretty strong claims to user privacy, with the VPN client being open source. Normally Google's privacy policies are fairly vague, but this seems to be very clear about the claims and what is/isn't logged. Maybe all the Cohort/Privacy Sandbox things makes IP somewhat irrelevant anyway, and they're just banking on folks who will continue to provide data through other Google services? I really can't speak for the true privacy implications of using the VPN, but I found this interesting.
Chromebooks offer some of the best consumer grade security around for PC hardware. Coreboot, firmware tamper detections, Disk encryption, tightened RBAC, kvm virtualization, lxc containerization, seamless a/b partition updating, optionally enable mandatory hardware 2fa keys... All on a simple touchscreen interface even Grandma can use and buy for as low as $100. Meanwhile, a huge number of Linux distributions still promote the use of x11 in their default experience. I'm not saying Google is without recourse, but they work harder than most with their security and it shows pretty clearly to me. Who are you trying to compare them to? Do they not send the formidable Project Zero on their internal projects regularly?
There appear to be 635 vulnerabilities publicly disclosed by 3rd parties in Android this year with 43 being critical and 139 being high or critical [1]. 224 in Chrome [2], though none being labeled high severity, though that is mostly due to the fact that things such as disclosed remote zero-click heap corruptions leave the final bit of actually getting full code execution as a trivial exercise to the reader.
There was a cool attack demonstrated a few weeks ago completely defeating the Google Titan M security chip [3], their custom-designed secure vault used to store your most sensitive secrets. It could be hacked through software alone to exfiltrate all of its secrets. Given its purpose their security process should have resulted it being designed by their best security experts and been their most secure consumer product. Beaten by three people with a year and a half.
I mean seriously, their flagship, in-house Android phones are advertised as only conforming to the absolute lowest levels of security [4][5]. Seriously, go read that [6] on page 9 they describe the arduous certification process where the auditor googles “Android” and sees that there are no unpatched vulnerabilities. This is their primary advertised third party audit of whole system Android security.
So, a company which produces products with loads of vulnerabilities, has their most secure products defeated by moderately resourced attackers, and only certifies their products with third parties to the absolute lowest levels of security is keeping me safe from hackers? Pull the other one.
[1] https://www.cvedetails.com/vulnerability-list/vendor_id-1224...
[2] https://www.cvedetails.com/vulnerability-list/vendor_id-1224...
[3] https://blog.quarkslab.com/attacking-titan-m-with-only-one-b...
[4] https://support.google.com/pixelphone/answer/11062200?hl=en#...
[5] https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11239
[6] https://www.niap-ccevs.org/MMO/Product/st_vid11239-vr.pdf