Good to know that at least Google is very concerned with MacOS security ;-)

A sizable percentage of their employees use macs, so it's not surprising.

I can't think of any Google product that isn't dogfooded by Googlers, to be frank.

When I attended Google IO a couple of years back, I was surprised how many Android team members were using iPhones.

Well if they want security, Android has only been half serious since 6 (entire systematic disk encryption, half-serious permissions...).

I've had a corporate Android phone since Ice-Cream Sandwich. I assume people that started before me used earlier versions too.

Maybe they want to have their enemy close. :D

<insert tsun zu quote here>

Adsense? I don't remember seeing internal advertisements powered by Adsense. :P

This made me imagine Googlers annoucing donuts in meeting room x to others via adsense.

I think part of the reason why Google even decided to make its own phones is because of security. If you read about their BeyondCorp enterprise security architecture, it emphasizes smartphone security quite a bit and how devices without timely updates, for instance, will be banned from the network (Google's own internal network that is).

Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security.

https://cloud.google.com/beyondcorp/

> I think part of the reason why Google even decided to make its own phones is because of security.

Huh. I think the main reason some people (myself included) go out of their way to avoid Google products as much as possible is because of security.

Google's security != your security.

I do trust Google to "get security right"[1]. I just don't trust them to secure things I don't want to share with them. Which happens to be a huge percentage of data on and generated by my phone.

[1] In the colloquial sense that people tend to use that phrase.

Do you mean privacy? I don't have issues with Google's handling of security.

That's privacy (ie google collects your data), not security (some random hacker collects your data).

There is a link albeit not a first order one. If your privacy gets invaded enough, then random third parties will get your data (legally, from google) and then some random hacker will collect it.

Why wouldn't they use their Nexuses? They even push the updates out themselves.

Not everyone has a Nexus or Pixel. It's BYOD except for Corp phones.

I was responding to this: "Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security."

My question was why Google would be relying on iPhones when they could just use Nexuses(then) or Pixels(now), since they are pushing their own updates (especially security).

Happens at FB (more or less). Employees get ad credits, because it's an incredibly important part of the platform.

well somebody's got to do it

Google has long been Apple's security division. Often I wonder if Apple has any security people at all. The last Safari update had 11 CVEs from Google. Most of Apple's updates credit one or more issues to Google, and often Apple credits OSS-Fuzz, which is also a Google project.

>Often I wonder if Apple has any security people at all.

It just feels like they don't since they don't let their security people have social media presences. For example, their recent hire Jonathan Zdziarski

It looks like you were cut off there…

No, reread it as "For example, [consider] their recent hire Jonathan Zdziarski[, whom you'll see is a leading iOS security researcher from a cursory Google search]"

The GP just omitted a bunch of implied statement, which isn't immediately obvious especially if you don't natively speak English.

He forgot a period at the end, so it does look like he got cut off potentially.

You don't credit internal employees in this way. These bugs were reported through official channels.

No, just for this OS

High Sierra was released in June 2017. So that's still 6+ months without security patches. Not sure if that's a great track record or poor patching planning?