INTERVIEW: Did Google dodge the Android pwnbullet?

New exploit mitigations in Android look pretty good...
25 Oct 2012 » Risky Business Extra

This podcast is an interview I did with Accuvant's Joshua Drake, aka jduck. His Breakpoint presentation was on the topic of Android security.

As regular listeners of the Risky Business podcast would know, we're pretty much convinced Android was rushed to market -- it was insecure, immature, way too open and a big, glaring risk to its users. Combine that with the inherent problems with the Android ecosystem and you had a recipe for disaster.

For those unfamiliar with those ecosystem problems, Android is very difficult to patch. Android users must wait for Google to update the OS and ship the updates to the manufacturers, who customise them for their hardware and in turn pass them on to the carriers, who may or may not customise those OS builds for compatibility with their apps before sending the updates out over the air. Long story short, most Android devices wind up remaining unpatched.

Well, things have changed. As Joshua outlined in his presentation, Google has built a lot of exploit mitigations into the mobile OS and they're starting to look pretty effective. Is it possible that Google has dodged what many saw as an inevitable bullet?