In an article titled "Why Almost Everything You Hear About Medicine is Wrong", Newseek profiles Dr. John P.A. Ioannidis, the newly appointed chief of Stanford University’s Prevention Research Center. Ioannidis is credited with debunking not just medical research findings but the very methodology of how that research is often conducted.
One especially frustrating problem Ioannidis contends with, "Even when a claim is disproved, it hangs around like a deadbeat renter you can’t evict."
If the venerable medical establishment struggles with false findings, it's no wonder the computer security industry has such problems. Case in point: recent headlines proclaiming Google's Android a greater risk to consumers compared to other smartphones.
Before we delve into why that's a myth, let's look back at what headlines were proclaiming less than a year ago. In March 2010, the Apple iPhone was declared riskier than Android, Blackberry or Nokia. That claim was based solely on an nCircle survey of 257 respondents. Just because over half of those 257 respondents thought the iPhone was riskier does not make it a fact. Indeed, such a statistically insignificant number of respondents doesn't actually even make it a valid opinion.
Now fast forward to today and it's Android's turn in the spotlight. Many turn to the discovery of the Android Gemini trojan in December 2010 as 'proof'. It's certainly convenient, but is it really proof? What most of the reports fail to acknowledge is that the Gemini trojan was found only in a couple of modified apps distributed on rogue networks in China. These weren't apps found on the Google Android Marketplace or any other valid distribution site.
So why was the truth ignored? Probably because it is far less glamorous: if you download from Chinese (or any other) warez sites, you stand a greater chance of getting trojaned goods. Not because you use an Android, or iPhone, or Windows, or any other device or OS. It's simply because there's no honor among thieves - if you deal with stolen goods, you stand a much greater chance of becoming a victim yourself.
Pundits of the "Android is riskier" claim also point to the number of Android apps that request specific types of permission which could be deemed a security risk. While those carrying that argument forth would like you to focus on "risk", the real focus should be on "request".
One of the earliest examples comes from SMobile's "Android Market Threat Analysis" paper published in June 2010. The authors of the paper breathlessly warn that "frighteningly, 29 applications were found to request the exact same permissions as applications that are known to be spyware" and "a full eight applications explicitly request a specific permission that would allow the device to brick itself, or render it absolutely unusable".
Sound scary? Breathe deeply and focus on the word "request". That's right - the apps all ask for your permission first because the Android security model requires it. And just because an app requests permission to brick your phone, it doesn't mean it's devious.
A particularly ironic example of this latter point is that SMobile (publishers of the paper) also make SMobile Security Shield for Android - which itself provides a remote wipe option (i.e. it can brick your Android). I guess what's good for the goose isn't good for the gander, if you're the one publishing the results.