State of An­droid se­cu­rity

Great on Oreo, but most phones are miss­ing out, reveals

Android Advisor - - Con­tents - MICHAEL SI­MON

Google has re­leased its an­nual re­port on An­droid se­cu­rity and the mes­sage is clear: The de­vices run­ning the lat­est ver­sion of An­droid are among the safest you can buy. Through a com­bi­na­tion of fea­tures such as Google Play Pro­tect and In­stant Apps, the bug bounty pro­gram, and ma­chine learn­ing, Google says An­droid 8 “has achieved a strength of pro­tec­tion that now leads the in­dus­try”.

That’s great news if you’re us­ing a Pixel or have a Galaxy S9 on the way. But if you have one of the

mil­lions of phones that will never re­ceive an Oreo up­date, the big­gest is­sue with An­droid se­cu­rity is one that’s plagued the plat­form for a while: frag­men­ta­tion. At last count, just 1 per­cent of An­droid users were run­ning Oreo on their phones, com­pared to nearly 28 per­cent each on Nougat and Marsh­mal­low. That means nearly 99 per­cent of An­droid phones aren’t as se­cure as they could be. But Google’s try­ing to change that nar­ra­tive.

With each new An­droid re­lease, Google does more and more to make out phones se­cure. So, if you’re one of the 1 per­cent us­ing an Oreo phone, congratulations. Not only do you have the most re­cent fea­tures, you also have the safest An­droid phone you can buy. But Google is hope­ful that it’s turned a cor­ner. With Project Tre­ble and the Pixel, phones run­ning the lat­est ver­sion of An­droid should in­crease ex­po­nen­tially with An­droid P, so this time next year there could be more than 10 per­cent of An­droid phones that are up to date. And there’s also An­droid Go and An­droid One, both of which of­fer a “pure” ver­sion of An­droid with the prom­ise of years of up­dates. So things are def­i­nitely look­ing up.

Pro­tec­tion at source

One area where all An­droid phones ben­e­fit from tight se­cu­rity is the Google Play Store. Last year, Google up­dated its dig­i­tal store­front with a new se­cu­rity fea­ture called Google Play Pro­tect. A back­ground process turned on by de­fault, the se­cu­rity suite au­to­mat­i­cally runs a safety check on apps be­fore they are down­loaded from the Play Store and warns users

about any po­ten­tially harm­ful ones that could out your phone at risk.

Ac­cord­ing to Google, the prob­a­bil­ity of a user down­load­ing a ma­li­cious app from the Play Store was sliced in half last year, from .04 per­cent to .02 per­cent. While the num­ber was al­ready ex­tremely low, Google says that the odds of down­load­ing a harm­ful app from Google Play in 2017 was “less likely than the odds of an as­ter­oid hit­ting the earth”. Ad­di­tion­ally, the pro­lif­er­a­tion of In­stant Apps – which can be used with­out down­load­ing any­thing – keeps lim­its the like­li­hood of in­stalling harm­ful code on your de­vice.

While Google Play Pro­tect and In­stant Apps are avail­able for phones go­ing back to Lol­lipop, most of

the other se­cu­rity en­hance­ments Google de­liv­ered last year were mostly lim­ited to Oreo. Among the fea­tures in the lat­est ver­sion of An­droid are stronger en­cryp­tion and key stor­age, tighter sand­box­ing, ker­nel self-pro­tec­tion, and an up­dated ver­sion of An­droid Ver­i­fied Boot.

But the big­gest change in An­droid 8.0 se­cu­rity is to the han­dling of apps from sources other than the Play Store. Where users pre­vi­ously could eas­ily ac­cess an Un­ver­i­fied Sources tog­gle to al­low in­stal­la­tions of non-Play Store-ap­proved apps, in Oreo it’s a be­hind-the-scenes per­mis­sion that au­to­mat­i­cally runs when­ever an app is side-loaded. The means users can’t un­wit­tingly turn it off, but it also means that a ma­li­cious app can’t do it ei­ther.

Google also paid out more than $1.25 mil­lion as part of its bug bounty pro­gram, but very few of them crit­i­cal Oreo vul­ner­a­bil­i­ties. In fact, Google re­ports, at the 2017 Mo­bile Pwn2Own com­pe­ti­tion, none of the ex­ploits were able to suc­cess­fully com­pro­mise Google Pixel de­vices. That event was held in Oc­to­ber, how­ever, after the phones re­ceived their Oreo up­date.

All about that Tre­ble

Over­all, things might be look­ing up. While An­droid up­dates gen­er­ally fol­low the same slow adop­tion rate, Google’s new Project Tre­ble could ramp up the num­ber of phones run­ning An­droid P. The Oreo fea­ture makes it eas­ier for man­u­fac­tur­ers to de­liver up­dates to phones, so the phones run­ning An­droid 8 should re­ceive ver­sion 9 much quicker. That means ev­ery­one will be a whole lot safer.

Project Tre­ble is a com­plete change to how up­date are de­liv­ered. Start­ing from the source, Project Tre­ble gives man­u­fac­tur­ers a clear way to up­date from Oreo to what­ever An­droid P will be called, boil­ing down a multi-step process to just a sin­gle one. It also smooths over the var­i­ous hard­ware tweaks, so Sam­sung will be able to push out up­dates to nu­mer­ous phones, not just the Galaxy S9. Granted, phones will need to be run­ning Oreo in or­der to take ad­van­tage of the new sys­tem, but it’s a good start.

And that means next year’s state of An­droid re­port could be a whole lot rosier.

In­stant Apps are full Play Store games and ser­vices that run with­out down­load­ing any­thing onto your phone

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.