Android Advisor

State of Android security

Great on Oreo, but most phones are missing out, reveals


Google has released its annual report on Android security and the message is clear: The devices running the latest version of Android are among the safest you can buy. Through a combinatio­n of features such as Google Play Protect and Instant Apps, the bug bounty program, and machine learning, Google says Android 8 “has achieved a strength of protection that now leads the industry”.

That’s great news if you’re using a Pixel or have a Galaxy S9 on the way. But if you have one of the

millions of phones that will never receive an Oreo update, the biggest issue with Android security is one that’s plagued the platform for a while: fragmentat­ion. At last count, just 1 percent of Android users were running Oreo on their phones, compared to nearly 28 percent each on Nougat and Marshmallo­w. That means nearly 99 percent of Android phones aren’t as secure as they could be. But Google’s trying to change that narrative.

With each new Android release, Google does more and more to make out phones secure. So, if you’re one of the 1 percent using an Oreo phone, congratula­tions. Not only do you have the most recent features, you also have the safest Android phone you can buy. But Google is hopeful that it’s turned a corner. With Project Treble and the Pixel, phones running the latest version of Android should increase exponentia­lly with Android P, so this time next year there could be more than 10 percent of Android phones that are up to date. And there’s also Android Go and Android One, both of which offer a “pure” version of Android with the promise of years of updates. So things are definitely looking up.

Protection at source

One area where all Android phones benefit from tight security is the Google Play Store. Last year, Google updated its digital storefront with a new security feature called Google Play Protect. A background process turned on by default, the security suite automatica­lly runs a safety check on apps before they are downloaded from the Play Store and warns users

about any potentiall­y harmful ones that could out your phone at risk.

According to Google, the probabilit­y of a user downloadin­g a malicious app from the Play Store was sliced in half last year, from .04 percent to .02 percent. While the number was already extremely low, Google says that the odds of downloadin­g a harmful app from Google Play in 2017 was “less likely than the odds of an asteroid hitting the earth”. Additional­ly, the proliferat­ion of Instant Apps – which can be used without downloadin­g anything – keeps limits the likelihood of installing harmful code on your device.

While Google Play Protect and Instant Apps are available for phones going back to Lollipop, most of

the other security enhancemen­ts Google delivered last year were mostly limited to Oreo. Among the features in the latest version of Android are stronger encryption and key storage, tighter sandboxing, kernel self-protection, and an updated version of Android Verified Boot.

But the biggest change in Android 8.0 security is to the handling of apps from sources other than the Play Store. Where users previously could easily access an Unverified Sources toggle to allow installati­ons of non-Play Store-approved apps, in Oreo it’s a behind-the-scenes permission that automatica­lly runs whenever an app is side-loaded. The means users can’t unwittingl­y turn it off, but it also means that a malicious app can’t do it either.

Google also paid out more than $1.25 million as part of its bug bounty program, but very few of them critical Oreo vulnerabil­ities. In fact, Google reports, at the 2017 Mobile Pwn2Own competitio­n, none of the exploits were able to successful­ly compromise Google Pixel devices. That event was held in October, however, after the phones received their Oreo update.

All about that Treble

Overall, things might be looking up. While Android updates generally follow the same slow adoption rate, Google’s new Project Treble could ramp up the number of phones running Android P. The Oreo feature makes it easier for manufactur­ers to deliver updates to phones, so the phones running Android 8 should receive version 9 much quicker. That means everyone will be a whole lot safer.

Project Treble is a complete change to how update are delivered. Starting from the source, Project Treble gives manufactur­ers a clear way to update from Oreo to whatever Android P will be called, boiling down a multi-step process to just a single one. It also smooths over the various hardware tweaks, so Samsung will be able to push out updates to numerous phones, not just the Galaxy S9. Granted, phones will need to be running Oreo in order to take advantage of the new system, but it’s a good start.

And that means next year’s state of Android report could be a whole lot rosier.

 ??  ??
 ??  ?? Instant Apps are full Play Store games and services that run without downloadin­g anything onto your phone
Instant Apps are full Play Store games and services that run without downloadin­g anything onto your phone
 ??  ??
 ??  ??

Newspapers in English

Newspapers from United Kingdom