State of Android security
Great on Oreo, but most phones are missing out, reveals
Google has released its annual report on Android security and the message is clear: The devices running the latest version of Android are among the safest you can buy. Through a combination of features such as Google Play Protect and Instant Apps, the bug bounty program, and machine learning, Google says Android 8 “has achieved a strength of protection that now leads the industry”.
That’s great news if you’re using a Pixel or have a Galaxy S9 on the way. But if you have one of the millions of phones that will never receive an Oreo update, the biggest issue with Android security is one that’s plagued the platform for a while: fragmentation. At last count, just 1 percent of Android users were running Oreo on their phones, compared to nearly 28 percent each on Nougat and Marshmallow. That means nearly 99 percent of Android phones aren’t as secure as they could be. But Google’s trying to change that narrative.
With each new Android release, Google does more to make our phones secure. So, if you’re one of the 1 percent using an Oreo phone, congratulations: not only do you have the most recent features, you also have the safest Android phone you can buy. But Google is hopeful that it has turned a corner. With Project Treble and the Pixel, the share of phones running the latest version of Android should climb sharply with Android P, so this time next year more than 10 percent of Android phones could be up to date. There are also Android Go and Android One, both of which offer a “pure” version of Android with the promise of years of updates. So things are definitely looking up.
Protection at source
One area where all Android phones benefit from tight security is the Google Play Store. Last year, Google updated its digital storefront with a new security feature called Google Play Protect. A background process turned on by default, the security suite automatically runs a safety check on apps before they are downloaded from the Play Store and warns users about any potentially harmful ones that could put your phone at risk.
According to Google, the probability of a user downloading a malicious app from the Play Store was halved last year, from 0.04 percent to 0.02 percent. While the number was already extremely low, Google says the odds of downloading a harmful app from Google Play in 2017 were “less likely than the odds of an asteroid hitting the earth”. Additionally, the proliferation of Instant Apps, which run without installing anything, further limits the likelihood of installing harmful code on your device.
While Google Play Protect and Instant Apps are available for phones going back to Lollipop, most of the other security enhancements Google delivered last year were limited to Oreo. Among the features in the latest version of Android are stronger encryption and key storage, tighter sandboxing, kernel self-protection, and an updated version of Android Verified Boot.
But the biggest change in Android 8.0 security is to the handling of apps from sources other than the Play Store. Where users previously could flip a single, device-wide “Unknown sources” toggle that allowed installations from any app, in Oreo that toggle is gone: sideloading is a per-app permission (“Install unknown apps”) that the user grants to the specific app trying to perform the install, such as a browser or file manager. That means users can’t unwittingly leave sideloading switched on for every app, and a malicious app can’t piggyback on a toggle that was flipped for something else.
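To make the difference concrete, here is an added illustration (not code from the article or from Google) of how an app sees the two models: before Oreo it reads the device-wide setting, on Oreo and later it asks whether it, specifically, has been allowed to install packages, and if not sends the user to its own “Install unknown apps” screen. The class and method names are this example’s own; the Android APIs used (`canRequestPackageInstalls`, `ACTION_MANAGE_UNKNOWN_APP_SOURCES`, `INSTALL_NON_MARKET_APPS`) are real.

```java
// Added example, not part of the original article.
// The manifest must declare
//   <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
// or canRequestPackageInstalls() will always return false on Oreo and later.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;

public final class UnknownAppsGate {
    // Arbitrary request code for startActivityForResult (example's own choice).
    private static final int REQ_UNKNOWN_SOURCES = 1001;

    private UnknownAppsGate() {}

    /** True when this app may hand an APK to the package installer. */
    public static boolean canSideload(Activity activity) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            // Pre-Oreo: one device-wide "Unknown sources" switch governs
            // every app, so any app that reads "1" here can install.
            return Settings.Secure.getInt(activity.getContentResolver(),
                    Settings.Secure.INSTALL_NON_MARKET_APPS, 0) == 1;
        }
        // Oreo and later: the answer is specific to this package; another
        // app having been granted the permission does not help us.
        return activity.getPackageManager().canRequestPackageInstalls();
    }

    /** Oreo and later: open the per-app "Install unknown apps" settings page. */
    public static void requestSideloadPermission(Activity activity) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            return; // no per-app screen exists before Oreo
        }
        Intent intent = new Intent(Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES,
                Uri.parse("package:" + activity.getPackageName()));
        activity.startActivityForResult(intent, REQ_UNKNOWN_SOURCES);
    }
}
```

The point for a defender is the second branch: on Oreo the grant is keyed to the calling package, so a malicious app cannot benefit from a setting the user enabled for a trusted file manager, and revoking that one app’s grant in Settings does not affect any other app.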
Google also paid out more than $1.25 million through its bug bounty program, but very few of the rewarded reports were for critical Oreo vulnerabilities. In fact, Google reports that at the 2017 Mobile Pwn2Own competition none of the exploits successfully compromised Google Pixel devices. That event was held in October, after the phones had received their Oreo update.
All about that Treble
Overall, things might be looking up. While Android updates generally follow the same slow adoption curve, Google’s new Project Treble could ramp up the number of phones running Android P. The Oreo feature makes it easier for manufacturers to deliver updates, so phones running Android 8 should receive version 9 much more quickly. That would leave a lot more users on a patched release.
Project Treble is a complete change to how updates are delivered. It separates the vendor-specific hardware code from the Android framework behind a stable vendor interface, so a manufacturer can update from Oreo to whatever Android P will be called without reworking its hardware layer, boiling a multi-step process down to a single one. It also smooths over the various hardware tweaks, so Samsung will be able to push out updates to numerous phones, not just the Galaxy S9. Granted, phones will need to have launched with Oreo in order to take advantage of the new system, but it’s a good start.
And that means next year’s state of Android report could be a whole lot rosier.