What is more safe for browsing the web: PC or smartphone?
The scenario is: somebody without concern about security is navigating through the web. This person will access doubtful websites, like adult content or media sharing, for example.
Between a PC with Windows and a smartphone with Android, which one is a less bad option for this person? If the answer changes depending on Windows or Android versions, please specify these versions.
malware websites
3
Not completely serious: I'd go with windows and a web stack like Virtualbox - OpenBSD - chromium with w^x and pledge ;)
– Uroc327
May 5 at 13:44
23
My pessimistic view is that somebody without concern about security will fail miserably no matter which platform that person uses. (Similar to incompetent players in computer games. They can throw away a game even when it is a guaranteed win.)
– Alex Vong
May 5 at 17:05
3
If you're not concerned about security, surely you'd just go with the one that's the most convenient? If someone has enough concern about security to care about the answer to this question, they should probably instead spend a bit of time reading up on best security practices and trying to understand what's actually happening on their device, which would make either option a whole lot more secure than either would've been without that knowledge.
– NotThatGuy
May 5 at 18:15
4
Safe from what threats? What is your threat model?
– jpmc26
May 6 at 2:43
2
Note that if you use an ad blocker and stick to larger and more professional sites like the ones of the Mindgeek network, adult content actually has very little malware, because these larger sites are actively maintained by professional developers who know security best practises and put them into action. I believe I once read a study that compared adult content to religious sites and found that the religious sites are a lot riskier in terms of malware, because they tend to be maintained poorly (if at all), usually by a family member or friend who does it as a side activity.
– Nzall
May 6 at 6:29
edited May 6 at 4:39
Mycroft
asked May 5 at 1:14
Mycroft
4 Answers
First, here I compare an up-to-date Android phone which receives regular updates with a Windows PC which receives regular updates. While this might be the normal case if you buy a PC with Windows 10 it is not guaranteed if you just buy a cheap Android phone. Thus, I assume that you use a vendor and product known for its good product support, like phones from Google or the Android One phones. Even then the phones will only get updates for a few years, which is usually not as long as a PC would get updates. Thus, you might need to replace the phone after a few years with another one.
With this in mind ...
The security features of the underlying OS in terms of protecting the applications themselves are basically the same, i.e. both provide hardening of the kernel, offer layered security with sandboxes inside the browser etc.
One major disadvantage of Windows compared to Android is that in Windows all applications started by a user essentially run as the same user and can thus affect each other. This means that a compromised Word document could lead to the installation of malware which could read the password store of the web browser. In Android instead the different apps are more isolated from each other since they are running as different users and data have to be explicitly shared between the applications except for data stored on some common storage where all apps have access.
Another advantage of Android is that applications are usually installed from the Google Play Store and the user needs to explicitly go into the settings and allow apps from third-party places to be installed. And while Windows has some kind of app store too it is currently common to install apps just downloaded from the internet, from some CD-ROM or a USB drive. This attack vector is actively used to trick users into installing some apps, because they are allegedly needed to view a video on some (usually illegal) video sharing site, allegedly are the security update for Adobe Flash which is needed or similar. While an app store like the Google Play Store might contain bad apps too (and often did in the past) it is still much less likely to get a bad app from the app store than one would get from just downloading something from the internet. And, as explained in the previous point, the harm a malicious application can do in Windows is significantly higher than what it can do in Android.
Additionally entire classes of attack vectors which affect PCs are not relevant on Android phones: there is no Flash, no Java applets, no macros in Office documents, no EXE, SCR, ..., which means many of the typical malicious payloads in mails will simply not work. Credential phishing done through mail or by tricking users when browsing the web is relevant on both platforms though.
One main disadvantage of a phone vs. a PC is the smaller screen size and therefore reduced information and the ways information can be displayed by interacting with the device. For example there is no such thing as hovering over a link or right-clicking for a context menu in order to receive more information about the real link vs the claimed link. Often the URL of the visited site is also not shown to save crucial screen space for the actual content. But, given your intended non-technical audience this loss of information might not be that much of a problem since this kind of audience can probably not deal with this detail of information anyway.
But in summary I think that an Android phone which is currently up-to-date and will be kept up-to-date (which means buying a new one after some years) is the better choice for a non-technical person with only a few needs in terms of communication, i.e. basically web browsing, mail and messaging.
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
May 6 at 23:17
It depends on the user's behavior.
Windows is extremely susceptible to people who open spam emails, double-click an attached file, and click away that UAC prompt so they can view naughtygirl.jpg.exe.
Windows is also very susceptible to people falling for malicious "you got a virus, install our tool to remove it" advertisements.
A phone makes it easier than Windows to download apps which use unethical-but-legal exploits, usually gambling/addiction based in app monetization. Some people will claim that has nothing to do with security, but if the user suddenly loses $1000 without realizing, that should be considered a security issue.
A phone is far more likely to be on an outdated OS version with known critical vulnerabilities.
Windows is more likely to run sophisticated Anti-Virus software, which will also provide some protection against some other attacks, depending on the specific AntiVirus software.
If the risk of data corruption is considered a security concern, some phones with some SD cards are more susceptible to random file system corruption than an average Windows machine.
Phones often have superior built-in backup solutions compared to Windows, which will address some security concerns.
Phones are more likely to be lost or stolen.
There are some malicious websites that grab phone numbers of the visiting device, and then falsely state you subscribed to a premium SMS service. Only works if the service provider cooperates with the scam, so it depends on your country and service provider.
The above list is incomplete, and everything on the list can affect both phones and Windows machines, but statistically speaking each of them is more of a problem on one platform than the other. Many of the issues can also be specifically addressed with settings, 3rd party software, or user education.
In conclusion, it's close enough that the difference in security can be ignored when deciding which device to get. More relevant arguments are form factor, user preference, and Windows Update's tendency to reboot the PC without asking.
1
Love this answer, because it's the only one mentioning subscription scam. I believe this kind of scam is quite common at least in Russia.
– svgrafov
May 5 at 17:35
For the naughtygirl.jpg.exe: MacOS has for many years displayed such filenames with the double extension, even if the user turned on "hide extensions", so this would never be displayed as naughtygirl.jpg.
– gnasher729
May 5 at 22:25
5
@gnasher729 Unfortunately, MacOS is still vulnerable to RTL unicode reversal which is far more stealthy than using a double extension like that.
– forest
May 5 at 22:34
@forest: That's beside the point. You have to assume the user is technically illiterate, because technically illiterate people are a substantial subset of the population. Therefore, attackers will target technically illiterate people unless you specifically defend them. This is why web browsers and operating systems are increasingly removing the "disable this security feature" buttons - it's the only surefire way to prevent the user from clicking on them! The technically illiterate user knows nothing of .exe and .jpg, they just know there's a "naughty girl" and they want to see her.
– Kevin
May 7 at 6:12
This is actually a complex question. PC web browsers typically have better sandboxing, and security is a bigger focus. The operating system will expose numerous security features for the browser to use. However, a modern smartphone is also much more resistant against harm caused by the compromise of an application such as a browser. Because of how integrated and monolithic smartphone operating systems are, each individual app can be run as its own user, isolated from every other program. PCs do not come close to this level of isolation and a compromised browser is game over.
4
"each individual app can be run as its own user, isolated from every other program" In theory, yes. In practice there are a lot of apps that want access to things they shouldn't need access to, defeating a large part of the security.
– Mast
May 5 at 16:48
4
PC browsers have better sandboxing? I thought Android sandboxed every app by default, while PCs don't (everything runs with the same user's permissions).
– Federico Poloni
May 5 at 18:18
@FedericoPoloni I meant things like seccomp. While the OS exposes equally good sandboxing technologies, mobile browsers are not designed to make use of them as well as PC browsers.
– forest
May 5 at 22:33
@forest I appreciate your answer, but you only showed pros and cons in both options. If you have to recommend Windows or Android for navigation, which would it be? You can answer, for example, "I would recommend Android from version X or more recent".
– Mycroft
May 6 at 4:22
@Mycroft That would depend entirely on your threat model.
– forest
May 6 at 5:49
If you're unable to prevent the user from doing stupid things, they will catch some malware at some point. The best thing you can do is preventing that from happening too often, and providing a way to reset to a "known good" state easily.
Which is why Uroc327's "not completely serious" suggestion should be taken a bit more seriously: use a PC, install virtualbox, create a vm and a "known good" snapshot, confine web browsing to that virtual machine, automatically reset the machine to the snapshot every time it gets started. And to mitigate against most malware from the web, use Linux instead of Windows in that virtual machine. Make sure you aren't using any shared folders so whatever happens in the virtual machine can't infect the "main" PC.
This won't help against all kinds of attacks (javascript crypto miners can still eat up your cpu), but it will help against most - neither the nude_celebrity.jpg.exe file nor the "your pc is infected, download this" scam will even run within the virtual linux machine. And browser extension malware which opens "your PC is locked, pay 1 Bitcoin to get it unlocked" scare screens can be removed by just resetting to your known good snapshot.
This still gives your user a big screen (a smartphone is great for looking something up while you're away, but not for seriously browsing the web), and eliminates the problem with in-app-purchases or paid apps that you'll inadvertently get with Android and/or iOS.
Source: I did that with my (80+ yo) Dad's computer last year, and the number of "something is messed up with the computer again" support calls dropped significantly since then.
Thank you for your answer. Is there a way to always force a browser to run inside virtualbox? Or does virtualbox need to be started before?
– Mycroft
May 6 at 23:50
1
@Mycroft you need to start virtualbox first.
– chris-l
May 7 at 1:55
Virtualbox needs to be started first. But if you set the system inside virtualbox to auto-login, and the browser inside the virtualbox to autostart on login, you can still simulate a "click one icon to start a browser" experience to the user.
– Guntram Blohm
May 7 at 5:11
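The procedure from the last answer and its comments (known-good snapshot, reset on every start, no shared folders, one icon for the user), written out as an added shell wrapper around VirtualBox's `VBoxManage` CLI. This is not code from the answer; the VM name `browser-vm`, the snapshot name `known-good` and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the answer): start a browsing VM from a known-good
# snapshot, refusing to start if a shared folder would bridge guest and host.
# Assumed names: VM "browser-vm", snapshot "known-good".
VM_NAME="${VM_NAME:-browser-vm}"
SNAPSHOT="${SNAPSHOT:-known-good}"

# Names of shared folders, read from `showvminfo --machinereadable` on stdin.
shared_folders() {
    sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p'
}

# Current VM state (poweroff, saved, running, ...), same input format.
vm_state() {
    sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Succeeds if snapshot $1 appears in `snapshot list --machinereadable` on stdin.
has_snapshot() {
    sed -n 's/^SnapshotName[-0-9]*="\(.*\)"$/\1/p' | grep -Fxq -- "$1"
}

# Decide whether the VM may be reset and started. Works on captured text only:
#   $1 = showvminfo output, $2 = snapshot list output, $3 = snapshot name.
# Prints "ok" or a refusal reason; returns 0 only for "ok".
preflight() {
    folders=$(printf '%s\n' "$1" | shared_folders | tr '\n' ' ')
    if [ -n "$folders" ]; then
        echo "refuse: shared folders present: $folders"
        return 1
    fi
    if ! printf '%s\n' "$2" | has_snapshot "$3"; then
        echo "refuse: snapshot '$3' not found"
        return 1
    fi
    state=$(printf '%s\n' "$1" | vm_state)
    case "$state" in
        poweroff|aborted|saved) echo "ok" ;;
        *) echo "refuse: VM state is '${state:-unknown}', close it before resetting"
           return 1 ;;
    esac
}

# Query VirtualBox, run the checks, then discard the last session by restoring
# the snapshot and boot the VM. Fails closed if any query or check fails.
launch() {
    info=$(VBoxManage showvminfo "$VM_NAME" --machinereadable) || return 2
    snaps=$(VBoxManage snapshot "$VM_NAME" list --machinereadable) || return 2
    verdict=$(preflight "$info" "$snaps" "$SNAPSHOT") || {
        echo "$verdict" >&2
        return 1
    }
    VBoxManage snapshot "$VM_NAME" restore "$SNAPSHOT" &&
        VBoxManage startvm "$VM_NAME" --type gui
}

# Constructed sample output, trimmed to the keys the checks read.
SAMPLE_INFO_CLEAN='name="browser-vm"
VMState="poweroff"
VMStateChangeTime="2019-05-07T05:11:00.000000000"'
SAMPLE_INFO_SHARED='name="browser-vm"
VMState="poweroff"
SharedFolderNameMachineMapping1="Downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"'
SAMPLE_SNAPSHOTS='SnapshotName="fresh-install"
SnapshotUUID="00000000-0000-0000-0000-000000000001"
SnapshotName-1="known-good"
SnapshotUUID-1="00000000-0000-0000-0000-000000000002"'

# Offline demonstration of the checks on the constructed samples.
demo() {
    echo "clean VM:      $(preflight "$SAMPLE_INFO_CLEAN" "$SAMPLE_SNAPSHOTS" "$SNAPSHOT")"
    echo "shared folder: $(preflight "$SAMPLE_INFO_SHARED" "$SAMPLE_SNAPSHOTS" "$SNAPSHOT")"
    echo "no snapshot:   $(preflight "$SAMPLE_INFO_CLEAN" "" "$SNAPSHOT")"
}

# "--run" talks to VirtualBox; anything else only runs the offline demo.
case "${1:-}" in
    --run) launch ;;
    *) demo ;;
esac
```

A desktop shortcut that calls this script with `--run` gives the "click one icon" flow from the comments; combined with auto-login and browser autostart inside the guest, every session begins from the snapshot.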
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209531%2fwhat-is-more-safe-for-browsing-the-web-pc-or-smartphone%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
First, here I compare an up-to-date Android phone which receives regular updates with a Windows PC which receives regular updates. While this might be the normal case if you buy a PC with Windows 10 it is not guaranteed if you just buy a cheap Android phone. Thus, I assume that you use a vendor and product known for its good product support, like phones from Google or the Android One phones. Even then the phones will only get updates for a few years, which is usually not as long as a PC would get updates. Thus, you might need to replace the phone after a few years with another one.
With this in mind ...
The security features of the underlying OS in terms of protecting the applications itself are basically the same, i.e. both provide hardening of the kernel, offer layered security with sandboxes inside the browser etc.
One major disadvantage of Windows compared to Android is that in Windows all applications started by a user essentially run as the same user and can thus affect each other. This means that a compromised word document could lead to the installation of malware which could read the password store of the web browser. In Android instead the different apps are more isolated between each other since they are running as different users and data have to be explicitly shared between the applications except for data stored on some common storage where all apps have access.
Another advantage of Android is that applications are usually installed from the Google Play Store and the user needs to be explicitly go into the settings and allow apps from third-party places to be installed. And while Windows has some kind of app store too it is currently common to install apps just downloaded from the internet, from some CD-ROM or an USB drive. This attack vector is actively used to trick users into installing some apps, because they are allegedly needed to view a video on some (usually illegal) video sharing site, allegedly are the security update for Adobe Flash which is needed or similar. While an app store like the Google Play Store might contain bad apps too (and often did in the past) it is still much less likely to get a bad app from the app store than one would get from just downloading something from the internet. And, as explained in the previous point, the harm a malicious application can do in Windows is significantly higher than what it can do in Android.
Additionally entire classes of attack vectors which affect PC's are not relevant on Android phones: there is no Flash, no Java applets, no macros in Office documents, no EXE, SCR, ..., which means many of the typical malicious payloads in mails will simply not work. Credential phishing done through mail or by tricking users when browsing the web is relevant on both platforms though.
One main disadvantage of a phone vs. a PC is the smaller screen size and therefore reduced information and the ways information can be displayed by interacting with the device. For example there is no such thing as hover over a link or click right for a context menu in order to receive more information about the real link vs the claimed link. Often the URL of the visited site is also not shown to save crucial screen space for the actual content. But, given your intended non-technical audience this loss of information might not be that much of a problem since this kind of audience can probably not deal with this detail of information anyway.
But in summary I think that an Android phone which is currently up-to-date and will be kept-up-to-date (which means buying a new one after some years) is the better choice for a non-technical person with only a few needs in terms of communication, i.e. basically web browsing, mail and messaging.
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
May 6 at 23:17
add a comment |
First, here I compare an up-to-date Android phone which receives regular updates with a Windows PC which receives regular updates. While this might be the normal case if you buy a PC with Windows 10 it is not guaranteed if you just buy a cheap Android phone. Thus, I assume that you use a vendor and product known for its good product support, like phones from Google or the Android One phones. Even then the phones will only get updates for a few years, which is usually not as long as a PC would get updates. Thus, you might need to replace the phone after a few years with another one.
With this in mind ...
The security features of the underlying OS in terms of protecting the applications itself are basically the same, i.e. both provide hardening of the kernel, offer layered security with sandboxes inside the browser etc.
One major disadvantage of Windows compared to Android is that in Windows all applications started by a user essentially run as the same user and can thus affect each other. This means that a compromised word document could lead to the installation of malware which could read the password store of the web browser. In Android instead the different apps are more isolated between each other since they are running as different users and data have to be explicitly shared between the applications except for data stored on some common storage where all apps have access.
Another advantage of Android is that applications are usually installed from the Google Play Store and the user needs to explicitly go into the settings and allow apps from third-party places to be installed. And while Windows has some kind of app store too it is currently common to install apps just downloaded from the internet, from some CD-ROM or a USB drive. This attack vector is actively used to trick users into installing some apps, because they are allegedly needed to view a video on some (usually illegal) video sharing site, allegedly are the security update for Adobe Flash which is needed or similar. While an app store like the Google Play Store might contain bad apps too (and often did in the past) it is still much less likely to get a bad app from the app store than one would get from just downloading something from the internet. And, as explained in the previous point, the harm a malicious application can do in Windows is significantly higher than what it can do in Android.
Additionally entire classes of attack vectors which affect PCs are not relevant on Android phones: there is no Flash, no Java applets, no macros in Office documents, no EXE, SCR, ..., which means many of the typical malicious payloads in mails will simply not work. Credential phishing done through mail or by tricking users when browsing the web is relevant on both platforms though.
One main disadvantage of a phone vs. a PC is the smaller screen size and therefore reduced information and the ways information can be displayed by interacting with the device. For example there is no such thing as hovering over a link or right-clicking for a context menu in order to receive more information about the real link vs the claimed link. Often the URL of the visited site is also not shown to save crucial screen space for the actual content. But, given your intended non-technical audience this loss of information might not be that much of a problem since this kind of audience can probably not deal with this detail of information anyway.
But in summary I think that an Android phone which is currently up-to-date and will be kept up-to-date (which means buying a new one after some years) is the better choice for a non-technical person with only a few needs in terms of communication, i.e. basically web browsing, mail and messaging.
edited May 6 at 18:45 by Braiam
answered May 5 at 6:07 by Steffen Ullrich
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
May 6 at 23:17
It depends on the user's behavior.
Windows is extremely susceptible to people who open spam emails, double-click an attached file, and click away that UAC prompt so they can view naughtygirl.jpg.exe.
Windows is also very susceptible to people falling for malicious "you got a virus, install our tool to remove it" advertisements.
A phone makes it easier than Windows to download apps which use unethical-but-legal exploits, usually gambling/addiction-based in-app monetization. Some people will claim that has nothing to do with security, but if the user suddenly loses $1000 without realizing, that should be considered a security issue.
A phone is far more likely to be on an outdated OS version with known critical vulnerabilities.
Windows is more likely to run sophisticated Anti-Virus software, which will also provide some protection against some other attacks, depending on the specific AntiVirus software.
If the risk of data corruption is considered a security concern, some phones with some SD cards are more susceptible to random file system corruption than an average Windows machine.
Phones often have superior built-in backup solutions compared to Windows, which will address some security concerns.
Phones are more likely to be lost or stolen.
There are some malicious websites that grab phone numbers of the visiting device, and then falsely state you subscribed to a premium SMS service. Only works if the service provider cooperates with the scam, so it depends on your country and service provider.
The above list is incomplete, and everything on the list can affect both phones and Windows machines, but statistically speaking each of them is more of a problem on one platform than the other. Many of the issues can also be specifically addressed with settings, 3rd party software, or user education.
In conclusion, it's close enough that the difference in security can be ignored when deciding which device to get. More relevant arguments are form factor, user preference, and Windows Update's tendency to reboot the PC without asking.
edited May 5 at 12:52
answered May 5 at 12:46 by Peter
1
Love this answer, because it's the only one mentioning subscription scam. I believe this kind of scam is quite common at least in Russia.
– svgrafov
May 5 at 17:35
For the naughtygirl.jpg.exe: MacOS has for many years displayed such filenames with the double extension, even if the user turned on "hide extensions", so this would never be displayed as naughtygirl.jpg.
– gnasher729
May 5 at 22:25
5
@gnasher729 Unfortunately, MacOS is still vulnerable to RTL unicode reversal which is far more stealthy than using a double extension like that.
– forest
May 5 at 22:34
@forest: That's beside the point. You have to assume the user is technically illiterate, because technically illiterate people are a substantial subset of the population. Therefore, attackers will target technically illiterate people unless you specifically defend them. This is why web browsers and operating systems are increasingly removing the "disable this security feature" buttons - it's the only surefire way to prevent the user from clicking on them! The technically illiterate user knows nothing of .exe and .jpg, they just know there's a "naughty girl" and they want to see her.
– Kevin
May 7 at 6:12
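The two filename tricks discussed in this answer and its comments (a decoy extension in front of the real one, and Unicode bidirectional controls that reorder the displayed name) can be checked for on the defender's side, for example in a mail gateway or download filter. This is an added example, not code from any of the posters; the extension lists and the sample names are constructed for illustration.

```python
import unicodedata

# Extensions Windows runs on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "msi", "vbs", "js", "hta", "lnk"}
# Harmless-looking extensions typically used as the decoy part of a name.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "doc", "docx", "xls", "xlsx", "mp3", "mp4"}
# Bidi classes of the embedding, override and isolate control characters.
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def shown_when_extensions_hidden(name):
    """What a file manager that hides the final extension would display."""
    return name.rsplit(".", 1)[0] if "." in name else name


def inspect_filename(name):
    """Return a list of findings for one file name (empty list = nothing odd)."""
    findings = []

    # 1. Bidirectional control characters change the *displayed* order of the
    #    characters while the stored order (and the real extension) stays put.
    controls = sorted({ch for ch in name if unicodedata.bidirectional(ch) in BIDI_CLASSES})
    if controls:
        findings.append("bidi-control:" + ",".join(f"U+{ord(ch):04X}" for ch in controls))

    # 2. Judge the extension on the stored order with invisible format
    #    characters (category Cf) removed, and ignore padding around the dots.
    stored = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    parts = [p.strip().lower() for p in stored.split(".")]
    real_ext = parts[-1] if len(parts) > 1 else ""

    if real_ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            findings.append(f"double-extension:{parts[-2]}.{real_ext}")
        if controls:
            findings.append(f"executable-with-reordered-name:{real_ext}")
    return findings


def scan(names):
    """Return {name: findings} for every name with at least one finding."""
    flagged = {}
    for name in names:
        findings = inspect_filename(name)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample names (not taken from real traffic).
SAMPLES = [
    "holiday.photo.jpg",          # benign: dots in the name, harmless extension
    "setup.exe",                  # executable, but not disguised
    "naughtygirl.jpg.exe",        # decoy extension in front of the real one
    "invoice.pdf      .exe",      # same trick with padding before the real one
    "naughtygirl\u202egpj.exe",   # right-to-left override inside the name
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        # repr() keeps control characters visible instead of rendering them
        print(f"{name!r}: {findings}")
```

Reporting names with `repr()` matters here: printing the raw string to a terminal or log viewer that honours bidi controls would show the reordered, misleading form again.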
This is actually a complex question. PC web browsers typically have better sandboxing, and security is a bigger focus. The operating system will expose numerous security features for the browser to use. However, a modern smartphone is also much more resistant against harm caused by the compromise of an application such as a browser. Because of how integrated and monolithic smartphone operating systems are, each individual app can be run as its own user, isolated from every other program. PCs do not come close to this level of isolation and a compromised browser is game over.
answered May 5 at 3:32 by forest
4
"each individual app can be run as its own user, isolated from every other program" In theory, yes. In practice there are a lot of apps that want access to things they shouldn't need access to, defeating a large part of the security.
– Mast
May 5 at 16:48
4
PC browsers have better sandboxing? I thought Android sandboxed every app by default, while PCs don't (everything runs with the same user's permissions).
– Federico Poloni
May 5 at 18:18
@FedericoPoloni I meant things like seccomp. While the OS exposes equally good sandboxing technologies, mobile browsers are not designed to make use of them as well as PC browsers.
– forest
May 5 at 22:33
@forest I appreciate your answer, but you only showed pros and cons in both options. If you have to recommend Windows or Android for navigation, which would it be? You can answer, for example, "I would recommend Android from the version X or most recent".
– Mycroft
May 6 at 4:22
@Mycroft That would depend entirely on your threat model.
– forest
May 6 at 5:49
If you're unable to prevent the user from doing stupid things, they will catch some malware at some point. The best thing you can do is preventing that from happening too often, and providing a way to reset to a "known good" state easily.
Which is why Uroc327's "not completely serious" suggestion should be taken a bit more seriously: use a PC, install VirtualBox, create a VM and a "known good" snapshot, confine web browsing to that virtual machine, automatically reset the machine to the snapshot every time it gets started. And to mitigate against most malware from the web, use Linux instead of Windows in that virtual machine. Make sure you aren't using any shared folders so whatever happens in the virtual machine can't infect the "main" PC.
This won't help against all kinds of attacks (JavaScript crypto miners can still eat up your CPU), but it will help against most - neither the nude_celebrity.jpg.exe file nor the "your pc is infected, download this" scam will even run within the virtual Linux machine. And browser extension malware which opens "your PC is locked, pay 1 Bitcoin to get it unlocked" scare screens can be removed by just resetting to your known good snapshot.
This still gives your user a big screen (a smartphone is great for looking something up while you're away, but not for seriously browsing the web), and eliminates the problem with in-app-purchases or paid apps that you'll inadvertently get with Android and/or iOS.
Source: I did that with my (80+ yo) Dad's computer last year, and the number of "something is messed up with the computer again" support calls dropped significantly since then.
answered May 6 at 17:59
Guntram Blohm
Thank you for your answer. Is there a way to always force a browser to run inside VirtualBox? Or does VirtualBox need to be started before?
– Mycroft
May 6 at 23:50
1
@Mycroft you need to start virtualbox first.
– chris-l
May 7 at 1:55
Virtualbox needs to be started first. But if you set the system inside virtualbox to auto-login, and the browser inside the virtualbox to autostart on login, you can still simulate a "click one icon to start a browser" experience to the user.
– Guntram Blohm
May 7 at 5:11
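The "click one icon" launcher described in the answer and comments above, as an added example that is not part of the original posts: it restores the known-good snapshot, refuses to start if the restored VM has any shared folder, then boots the VM. The VM and snapshot names, the function names and the sample data are assumptions, and `VBoxManage` is assumed to be on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): reset a browsing VM to its
# known-good snapshot on every launch. VM/snapshot names are assumptions.

# Constructed excerpt of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE_INFO='name="Browsing"
VMState="poweroff"
SharedFolderNameMachineMapping1="docs"
SharedFolderPathMachineMapping1="/home/dad/Documents"'

# stdin: machine-readable VM info. Prints the VM state (running, poweroff, ...).
vm_state() {
    sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# stdin: machine-readable VM info. Prints the host path of each permanent or
# transient shared folder; returns 1 if any exists, 0 if the VM has none.
shared_folders() {
    awk '/^SharedFolderPath(Machine|Transient)Mapping[0-9]+=/ {
             sub(/^[^=]*=/, ""); gsub(/"/, ""); print; found = 1 }
         END { exit (found ? 1 : 0) }'
}

launch_browsing_vm() {
    local vm=$1 snap=$2 info
    info=$(VBoxManage showvminfo "$vm" --machinereadable) || return 1
    if [ "$(printf '%s\n' "$info" | vm_state)" = "running" ]; then
        echo "'$vm' is running; shut it down before it can be reset." >&2
        return 1
    fi
    # Discard whatever the last session left behind.
    VBoxManage snapshot "$vm" restore "$snap" || return 1
    # Snapshots carry VM settings too, so inspect the restored configuration.
    info=$(VBoxManage showvminfo "$vm" --machinereadable) || return 1
    if ! printf '%s\n' "$info" | shared_folders >&2; then
        echo "Refusing to start '$vm': shared folders are attached." >&2
        return 1
    fi
    VBoxManage startvm "$vm" --type gui
}

# Run only when called with a VM name and a snapshot name.
if [ "$#" -eq 2 ]; then
    launch_browsing_vm "$1" "$2"
fi
```

Pointing the user's desktop shortcut at this script with the two names as arguments means every browsing session starts from the snapshot rather than from the previous session's state.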
3
Not completely serious: I'd go with windows and a web stack like Virtualbox - OpenBSD - chromium with w^x and pledge ;)
– Uroc327
May 5 at 13:44
23
My pessimistic view is that somebody without concern about security will fail miserably no matter which platform that person uses. (Similar to incompetent players in computer games. They can throw away a game even when it is a guaranteed win.)
– Alex Vong
May 5 at 17:05
3
If you're not concerned about security, surely you'd just go with the one that's the most convenient? If someone has enough concern about security to care about the answer to this question, they should probably instead spend a bit of time reading up on best security practices and trying to understand what's actually happening on their device, which would make either option a whole lot more secure than either would've been without that knowledge.
– NotThatGuy
May 5 at 18:15
4
Safe from what threats? What is your threat model?
– jpmc26
May 6 at 2:43
2
Note that if you use an ad blocker and stick to larger and more professional sites like the ones of the Mindgeek network, adult content actually has very little malware, because these larger sites are actively maintained by professional developers who know security best practises and put them into action. I believe I once read a study that compared adult content to religious sites and found that the religious sites are a lot riskier in terms of malware, because they tend to be maintained poorly (if at all), usually by a family member or friend who does it as a side activity.
– Nzall
May 6 at 6:29