Google reports mixed progress on Android security

Is the glass half full or half empty? The real issue is that it’s at the halfway mark, and Android still has a long security road to travel

Android suffers from a reality-based reputation problem, with reports of malicious apps stealing user data and critical security vulnerabilities that can take over user devices. Over the years, Google has been working to improve its mobile operating system with new security features, the release of monthly security updates, and better tools to detect and remove malicious apps both on devices and in the Google Play app store. As a result, Android is safer than you may believe, the company says in its annual Android Security Year in Review report.

Google deserves credit for improving Android security last year: The release of the Safe Browsing API, file-based encryption, verified boot, and media server hardening has tremendously improved the overall security of Android devices.

But Google’s report shows mixed results for the overall state of Android security.

1. Mobile malware fears are overstated

There are lots and lots (and lots!) of warnings about malicious apps and mobile malware. They’re mostly found on unsanctioned third-party app marketplaces, but some manage to bypass security controls and sneak into Google Play.

Still, getting apps only from Google Play is very safe. Google calculates that 0.05 percent of all Android devices that got apps from only Google Play had a potentially harmful app installed at the end of 2016. Trojans accounted for more than half of such apps installed on Android devices in 2016.

A big fear factor from security vendors is device rooting, which gives apps access to core Google services and to other apps by bypassing Android’s security mechanisms. But Google found that “most devices are either rooted by the user or the manufacturer”—not by malware. Even user-initiated rooting is not common: 0.346 percent of all installs. A teeny-tiny portion of those installs—0.0001 percent—came from apps found on Google Play. As for apps that can root the device without user permission, they accounted for 0.002 percent of all installs in 2016.

Although most potentially harmful apps come from third-party markets, Google’s goal in 2017 is to better protect users from those apps as well.

To be clear, Google’s definition of potentially harmful apps does not include annoying apps, such as those that are overly aggressive in collecting device identifiers and metadata, because they don’t “put Android users, user data, or devices at risk,” the report said.

2. Many devices don’t get security updates

Although the company releases security patches monthly, “about half of devices in use at the end of 2016 had not received a platform security update,” Google said—that is, they hadn’t received any updates at all.

Google relies on manufacturers and carriers to push out updates to most devices; Google can only ensure that its own Nexus and Pixel devices get updates on a regular schedule. Google is trying to make it easier for device makers and carriers to deliver security updates to their customers.

Users are more likely to get security updates if they use popular Android models, according to data gathered by Duo Labs, the research arm of mobile authentication provider Duo Security. Duo’s analysis suggests that, among the top 50 Android models used by businesses, 46 percent of devices received a security patch in the previous 90 days, and 81 percent had received one in the previous 180 days. Although it’s better to patch devices with each update, Android updates are cumulative, so users who eventually update are covered up to that patch version.

Still, the overall numbers for Android security aren’t great. A substantial percentage of Android devices remain at risk. That’s even true for critical security vulnerabilities. For example, Duo found that at the end of 2016, 40 percent of affected Android devices hadn’t applied patches for four vulnerabilities (CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, and CVE-2016-5340) that affected a widely used Qualcomm chipset, even though the patches were released between July and October.

The percentage of unpatched Android devices is particularly troubling when you realize that the vast majority—96 percent—of Android devices support getting the monthly updates, said Rich Smith, R&D director of Duo Labs. “The unfortunate reality seems to be that carriers just have to wait 30 days for the hype to die down and then everyone forgets,” he said.
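The 90-day and 180-day figures above, and the point that a cumulative patch level covers every earlier fix, are easy to reproduce against your own fleet. The following script is an added example, not Duo’s or Google’s code: it takes each device’s reported security patch level (the `ro.build.version.security_patch` property, which an MDM export or `adb shell getprop` returns as YYYY-MM-DD) and computes the share of devices patched within each window, plus the list of devices below a required level. The fleet inventory, the report date and the `2016-10-01` required level are constructed for illustration and are not the actual patch dates for the Qualcomm CVEs.

```python
from datetime import date

# Constructed sample inventory: (model, reported ro.build.version.security_patch).
# An empty string models a build that exposes no patch level at all.
SAMPLE_FLEET = [
    ("Google Pixel", "2016-12-05"),
    ("Samsung Galaxy S7", "2016-11-01"),
    ("LG G5", "2016-09-01"),
    ("Nexus 5", "2016-06-01"),
    ("Generic budget model", "2016-01-01"),
    ("Unknown", ""),
]

# Assumed snapshot date, chosen to match the end-of-2016 figures in the article.
REPORT_DATE = date(2016, 12, 31)


def parse_patch_level(value):
    """Return the patch level as a date, or None if it is missing or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def within_window(raw_level, as_of, window_days):
    """True if the device's patch level is at most window_days old on as_of."""
    level = parse_patch_level(raw_level)
    if level is None:
        return False  # no parseable level counts as unpatched
    age = (as_of - level).days
    return 0 <= age <= window_days


def compliance(fleet, as_of=REPORT_DATE, windows=(90, 180)):
    """Percent of devices patched within each window, e.g. {90: 46.0, 180: 81.0}."""
    total = len(fleet)
    return {
        window: round(100 * sum(within_window(raw, as_of, window) for _, raw in fleet) / total, 1)
        for window in windows
    }


def missing_required_level(fleet, required):
    """Models whose patch level is older than `required` (YYYY-MM-DD).

    Android patch levels are cumulative, so any level on or after the one that
    shipped a fix covers that fix; anything older (or missing) is still exposed.
    """
    threshold = parse_patch_level(required)
    exposed = []
    for model, raw in fleet:
        level = parse_patch_level(raw)
        if level is None or level < threshold:
            exposed.append(model)
    return exposed


if __name__ == "__main__":
    print("patched within window:", compliance(SAMPLE_FLEET))
    # Hypothetical required level; substitute the level that carried the fix you care about.
    print("below 2016-10-01:", missing_required_level(SAMPLE_FLEET, "2016-10-01"))
```

On the constructed fleet this reports 33.3 percent patched within 90 days and 50.0 percent within 180 days, and lists four of the six devices as below the 2016-10-01 level. Devices that report no patch level are deliberately counted as unpatched rather than dropped, since silently excluding them inflates the compliance figure.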

3. Google, LG, Samsung, and Sony are among the best at updating

Although Google didn’t say what devices are included in its “top 50 devices” list, the report gives some indication of which devices are receiving regular updates: Asus Zenfone 3, BQ Aquarius M5, Google Pixel, Google Pixel XL, LG V20, Motorola Moto Z Droid, Nexus 6P, Nexus 5, Nexus 5X, Nexus 6, OnePlus 3, Oppo A33W, Samsung Galaxy S7, Sony Xperia X Compact, and Vivo V3Max all had an update rate between 60 percent and 95 percent by the end of 2016.

Over 78 percent of “active flagship Android devices on the four major mobile network operators” had a security patch level from the last three months. Those devices include Samsung’s Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6, Galaxy S6 Edge, Galaxy S6 Edge+, Galaxy S6 Active, Galaxy Note 5, Galaxy Note 4, Galaxy Note Edge, and Galaxy A5 (2016); LG’s G5, G4, G3, and V10; Lenovo’s Moto X Play, Moto X Style, Moto X Force, Droid Maxx 2, and Droid Turbo 2; Huawei’s Mate 8, Mate S, P8, and P9; and Sony’s Xperia Z4, Xperia Z5 Compact, and Xperia Z5 Premium.

Although the Android update process covers all devices running Android KitKat 4.4.4 and later, which accounts for 86.3 percent of all active Android devices worldwide, it’s a sure bet that updates still depend on geographic location, carrier, and manufacturer. Anyone in the market for a new device should consider that some manufacturers appear to be better about updates than others.

4. Users aren’t taking advantage of Smart Lock

Smart Lock, introduced back in 2014 as part of Android Lollipop 5.0, lets a device remain unlocked while it is in the user’s possession. Smart Lock depends on a combination of security signals, including facial recognition, trusted places such as the user’s home or office, and the presence of a paired Bluetooth device such as a smartwatch. The idea is to reduce the number of times a user has to manually enter a password, while still encouraging users to adopt a secure lock screen that protects the device when it’s not nearby. Google estimates that the use of Smart Lock can reduce the number of times people have to manually unlock the device by 90 percent.

But fewer than half of Android devices worldwide have enabled Smart Lock, according to the report. The country breakdown is even wackier—with Somalia having the highest adoption rate at 82 percent, followed by Samoa at 78 percent.

Smart Lock adoption rates get more interesting when you combine them with the data from Duo Labs. Duo found that 70.7 percent of the Android devices it tracks have enabled Smart Lock. The difference is due to Google tracking all Android devices and Duo tracking ones used by businesses. Businesses tend to require the use of passwords, which they can enforce through Exchange or mobile management policies. Such requirements impose a burden on users that seems to drive them to use Smart Lock to ease that burden.

Copyright © 2017 IDG Communications, Inc.