The hackers keeping you safe online

27 points by megahz, over 2 years ago

1 comment

Veserv, over 2 years ago

Am I being kept safe by Google? What evidence is there of that?

There appear to be 635 vulnerabilities publicly disclosed by 3rd parties in Android this year with 43 being critical and 139 being high or critical [1]. 224 in Chrome [2], though none being labeled high severity, though that is mostly due to the fact that things such as disclosed remote zero-click heap corruptions leave the final bit of actually getting full code execution as a trivial exercise to the reader.

There was a cool attack demonstrated a few weeks ago completely defeating the Google Titan M security chip [3], their custom-designed secure vault used to store your most sensitive secrets. It could be hacked through software alone to exfiltrate all of its secrets. Given its purpose, their security process should have resulted in it being designed by their best security experts and been their most secure consumer product. Beaten by three people with a year and a half.

I mean seriously, their flagship, in-house Android phones are advertised as only conforming to the absolute lowest levels of security [4][5]. Seriously, go read that [6]; on page 9 they describe the arduous certification process where the auditor googles “Android” and sees that there are no unpatched vulnerabilities. This is their primary advertised third party audit of whole system Android security.

So, a company which produces products with loads of vulnerabilities, has their most secure products defeated by moderately resourced attackers, and only certifies their products with third parties to the absolute lowest levels of security is keeping me safe from hackers? Pull the other one.

[1] https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/year-2022/Google-Android.html

[2] https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/year-2022/Google-Chrome.html

[3] https://blog.quarkslab.com/attacking-titan-m-with-only-one-byte.html

[4] https://support.google.com/pixelphone/answer/11062200?hl=en#zippy=

[5] https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11239

[6] https://www.niap-ccevs.org/MMO/Product/st_vid11239-vr.pdf