How KitKat Update Doesn't Fix Android's Fatal Flaw

Android 4.4 KitKat brings not only a new look and feel to Google's mobile operating system, but adds drastic security enhancements.

Will those improvements finally make Android a match for Apple iOS, which has had an unbroken six-year streak of being malware-free?

Experts fear it won't. None of the security features added in KitKat address Android's central flaw, which is also one of its top selling points — the fact that it allows users to install apps from any source.

MORE: 7 Best Smartphones on the Market Right Now

Here's an overview of the security features added in KitKat, some of which won't be immediately apparent to users.

— The Security-Enhanced Linux module, introduced in Android 4.3 Jelly Bean, runs in "enforcing" rather than merely "passive" mode, acting as an OS policeman and making sure apps and users don't do anything they're not supposed to.

— Support for next-generation elliptic-curve cryptography, preparing Android for the possible "cryptopocalypse" as older forms of cryptography fail.

— User alerts if a new digital-certificate authority is added to a device's list of trusted authorities. Flagging such additions makes it more difficult for attackers — and corporate and hotel Wi-Fi networks — to impersonate well-known online services via "man in the middle" attacks.

— File-system security checks to prevent unauthorized modifications and rootkit intrusions, which will also hinder Android hobbyists' attempt to "root" systems.

Despite those security enhancements, however, corporate security professionals still don't really trust Android. Nor, for that matter, do they trust Apple's iOS, said Roger Kay, principal analyst at Massachusetts-based Endpoint Technologies Associates.

But when it comes to Google's non-corporate customers, the fact that Android devices now offer top-flight internal security is a good selling point.

"There are a lot of people out there who do their own personal security calculations," Kay said. "Reassuring them that their devices now have commercial-grade security is well suited for them. They then can say, 'OK, I can do my banking via my mobile device and not worry too much.' They won't feel too threatened by what might happen."

Why sideloading apps is a permanent threat

Yet these new security enhancements don't really deal with the main security flaw in the Android operating system: the practice of sideloading, or installing apps from sources other than the official Google Play app store.

(Android users who want to avoid non-Google Play apps should go into Settings à Security and make sure "Unknown sources" is left unchecked.)

"So as long as sideloading is there, I don't know what else [users] can do," said Rob Enderle, principal analyst for the San Jose, Calif.-based market-research firm Enderle Group.

"But Google has included a security feature to better assure [users] that something hasn't gone in and changed the operating system to a degree that the change can't be detected," he added. "That's been a problem with Android, but Google has made it much more difficult to go in and apply a rootkit," a piece of malware that gets full control of an operating system.

MORE: Mobile Security Guide: Everything You Need to Know

Still, that doesn't change the major problem with Android security.

"Both Microsoft and Apple have fully curated, locked-in [mobile] app stores, so the apps are curated going in, and it's relatively hard to get malware on those devices," Enderle said.

"Android allows sideloading, so it's comparatively easy to get malware on the device," he added. "So while it's now harder to put rootkits on the device, tricking somebody into loading an application that actually tracks the individual's activities is still not very difficult at all."

Why walled-off Android just wouldn't be Android

Until Google can limit the Android user's choice of app sources and by default lock the device down, Enderle said, the operating system will be relatively exposed to malware.

But taking away the user's ability to freely choose apps would negate one of Android's top selling points over the more cloistered Apple iOS app universe.

"To lock down sideloading is relatively hard without locking down the app store altogether," he said. "That kind of destroys Android, so what you have to do is remove permissions to install apps. But what is the user going to do with the device if he can't install applications?"

Follow us @tomsguide, on Facebook and on Google+.

Linda Rosencrance is a freelance writer with more than a dozen years' experience covering IT. Her work has appeared on many sites, including Computerworld, TechNewsDaily, Tom's Guide, and more. She has also worked as an investigative journalist, and has written and published five true-crime books. She lives and works in Boston.

  • natcparis
    It looks to me like Android is not that much targeted by malware, right?
  • gmuser
    "Will those improvements finally make Android a match for Apple iOS, which has had an unbroken six-year streak of being malware-free?"

    This is such misinformation. iOS had bunch of malwares, and only claims about "no malware" were for non-jailbroken devices. But then you should have compared that to non-sideloading Android ... and note that by default, sideloading is NOT enabled, just like by default iOS devices are not jailbroken.

    AND even non-jailbroken iOS devices did have malware, like for example

    So, you have two false claims, or bad reporting, issues:
    1) you compare non-jailbroken iOS devices with Android devices where sideloading is enabled
    2) even for non-jailbroken devices, your claim of "six-year streak" is false

  • TFrog
    I agree with gmuser on the falsification of the article's claims but for another simple fact. NO and I mean NO operating system is without malware/virus issues. Even Linux which Android is loosely based on (Android uses the Linux kernel and a very sophisticated Java machine) has issues with virus' and malware. Maybe to a lesser extent than Windows or Apple but it's a case in point. Benjamin Franklin once stated that "there is no secret between three men unless the other two were dead."
  • gabrieldiego
    If Android becomes walled-off like iOS, it will lose its main diferential. There are many apps that are not in the App Store for n reasons (like TubeMate) that I still need to sideload. Still if one would prefer the security of walling-off, just don't set the option or mind the apps that you are side-loading.
  • house70
    So, the issue isn't the OS, but the user? Since the OS has that option disabled by default (just like, say, USB debugging), why the fear-mongering? Is really simple: you don't know what you're doing, leave everything at default (secure). You do know, tinker with it as you wish.