Just because you're paranoid doesn't mean you can't, or won't, be pwned
Rarely does a day go by without a new security threat, vulnerability or successfully executed hack hitting the headlines, bringing bad news for the affected companies and their users. Android has a particularly tough time, and there are increasing numbers of attacks aimed at vulnerabilities in Apple iOS, too.
The latest in this long line is news that a Broadcom chipset widely used in Android devices and iPhones has a serious vulnerability that can be easily exploited by an attacker "by Wi-Fi proximity alone". That means you don't need to click a dodgy link, open an email or visit an infected website to lose control of your device.
While, in this case, that's a problem for both Android and iOS users, it's more frequently an issue for Google's OS. The price of its relative openness is vulnerabilities, whereas Apple's more locked-down, end-to-end approach provides more security. Not perfect security, but widely regarded as 'better'.
At risk, in most of these instances, is your personal data, the financial details you enter on your device without thinking twice, and your privacy. Security and privacy aren't synonymous, but they're pretty closely related and, for the purposes of the person on the receiving end of a breach, whether that breach is by a malicious actor or some government agency doesn't really make a lot of difference.
Even the paranoid get pwned
In the case of vulnerable software, it's even harder for users to make an informed choice if security and privacy are their priorities. Take the repeated security holes found in LastPass this year alone, which could have compromised saved credentials, and even two-factor authentication codes.
That's not to pick on LastPass in particular - many other widely used password managers were found to have vulnerabilities too, including one I've paid for and used for several years.
Sometimes it's not vulnerabilities and weaknesses that present confusion and concern for users; take anti-virus software, for example. If you use anti-virus, a firewall or other anti-malware software, you might choose your Android anti-virus based on features, price or reviews.
What you won't really have much of an idea about is how effective each option really is - you pretty much have to take the company's word for it.
It's not just nefarious hackers trying to get at your data, either. Regulatory changes in the US and UK around data collection, and how it's used, have led to a rise in the use of virtual private networks (VPNs), even on mobile.
Again, however, the average user is shooting in the dark in picking one from the Google Play store, or anywhere else, for that matter.
Think your VPN is safe? It's probably not, at best, and may even come with malware-like properties, especially if it's free. But how should we choose a VPN? How can people achieve the not unreasonable task of keeping their private data private, other than by trusting the claims of services they'll probably never be able to verify?
It's a wide-ranging issue - and not one specific to Android, or smartphones. You're making decisions about what can access your device and data every time you install an app.
Just because some apps claim to make your data more secure doesn't mean they actually do. Earlier this year, this point was illustrated yet again by InfoSec researcher Jon Sawyer when he revealed that many 'secure storage' apps that specifically claim to make your smartphone more private actually have almost no security whatsoever.
"These companies are selling products that claim to securely store your most intimate pieces of data, yet are at most snake oil," Sawyer said in the post. "You would have near equal protection just by changing the file extension and renaming the photos."
This, ultimately, isn't a new problem for computing in any form, but with more data about every part of our lives being generated every day, it's one that will continue to be a growing concern.
Unfortunately, it's not one with an easy answer. That password manager that I pay for that was hacked? I still pay for it, and will continue to do so. In fact, it's due for renewal next month.
Preventing security vulnerabilities entirely is all but impossible, so the only viable option for security-conscious users is to stick with companies that respond quickly with fixes and disclosure when these inevitable problems arise.
With well over one billion Android devices in use, and a similar number of PCs and laptops, security disclosures, anti-virus benchmarks and VPN tear-downs aren't on most normal people's reading lists, and potential threats to personal information won't even occur to many people.
And if they do, protecting that information remains a total lottery for all but the most tech-savvy of users.