In the list of big security flaws that could let hackers compromise phones, there’s one name that comes up a lot: Android.
In 2015, we learned that Google’s operating system for phones was vulnerable to the StageFright bug, which hackers could exploit just by sending a text message. In 2016, security researchers revealed that millions of Android phones were infected with malicious software called HummingBad, which hackers used to generate bogus ad revenue. In 2017, documents revealed by WikiLeaks showed that the CIA had developed malicious software for Android phones.
According to David Kleidermacher, Google’s head of security for Android, Google Play and the Chrome operating system since May, the Android team is hard at work to make the worries surrounding these bugs a thing of the past.
In fact, Kleidermacher said, without naming any names, Android is now as safe as the competition.
That’s a big claim, considering that Android’s main competitor is Apple’s iPhone. This bold idea permeates the annual Android Security Report that Google released Thursday. “Android security made a significant leap forward in 2017 and many of our protections now lead the industry,” the report says on page one.
Echoing the report, Kleidermacher told CNET that Android flaws have become harder for researchers to find, and that the software now protects users from malicious software so well that the problems that used to leave users exposed to bad actors are no longer such a big concern.
Android safeguards
For years, Google has fought the impression that Android phones are hard to protect from hackers. That’s because Android flaws are hard to fix and bad software is easy to download onto Android phones.
When someone finds a major Android flaw, the company has to send updated software to the companies that sell Android phones, and those companies have to deliver the updates. It can take a really long time, or not happen at all. On top of that, Android users can easily “self-own” — that is, they can download malicious software without meaning to — because they aren’t restricted to choosing apps from Google’s Play Store.
“As Android security has matured, it has become more difficult and expensive for attackers to find high severity exploits.” (Google’s Android Security 2017 Year in Review)
Apple doesn’t have either of those issues. It can deliver security updates directly to iPhones, and it prevents users from getting apps from outside of its App Store.
But Android isn’t moving toward Apple’s model. Instead, Kleidermacher said, it’s possible to address these issues by “retrofitting” security into Android phones. In other words, even if Android wasn’t originally designed with security as a top priority, it can be built in now.
Better than it was
How does Google know Android is getting safer? Follow the money. The company says it’s paying freelance bug hunters more money per flaw, which means it’s harder to find the flaws to begin with.
“As Android security has matured, it has become more difficult and expensive for attackers to find high severity exploits,” the report says.
In other words, the low-hanging fruit is gone. That was reflected in the results of a major annual phone hacking event, Mobile Pwn2Own: In 2017, good-guy hackers didn’t win rewards for any core Android flaws.
Kleidermacher chalks this up to the power of open-source code, a thought that’s echoed in the report.
“As a global, open-source project, Android has a community of defenders collaboratively locating the deeper vulnerabilities and developing mitigations,” the report says. “This community may be orders of magnitude larger and more effective than a closed-source project of a similar scale.”
Apple’s iOS is just such a closed-source project.
Security updates
To address the difficulties of patching major bugs like StageFright, Kleidermacher said, Android’s powers that be are requiring phone makers to agree to regular update schedules. Google has already come a long way in getting phone makers to provide regular updates, he said, and it’s going to keep improving.
The report doesn’t provide an exact number of how many Android devices are getting regular security updates, but it does give an idea. “The majority of the deployed devices for over 200 different Android models from over 30 device manufacturers are running a security update from the last 90 days,” the report says. In its 2016 Android security report, Google said that about half of Android devices received a security update by the end of the year.
It will get better, Kleidermacher said. “I think in 2018 we’re going to see quite a large increase in the overall percentage of devices getting these regular security updates.”
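The report’s yardstick is whether a device runs a security update from the last 90 days. The following is an added example, not code from the article or from Google, showing how a defender could apply that same yardstick to their own fleet: each device reports its patch level via the real `ro.build.version.security_patch` system property (readable with `adb shell getprop`), and the script flags anything older than 90 days. The device names, patch dates and reference date are constructed for the example.

```python
from datetime import date

# Constructed sample: values as returned by
# `adb shell getprop ro.build.version.security_patch` on three hypothetical devices.
SAMPLE_PATCH_LEVELS = {
    "device-A": "2018-03-05",
    "device-B": "2017-11-01",
    "device-C": "2017-12-20",
}


def days_since_patch(patch_level: str, today: date) -> int:
    """Days between the reported security patch level (YYYY-MM-DD) and `today`."""
    y, m, d = (int(part) for part in patch_level.split("-"))
    return (today - date(y, m, d)).days


def is_current(patch_level: str, today: date, window_days: int = 90) -> bool:
    """True if the patch level falls inside the report's 90-day window.

    A patch level in the future (negative age) is treated as not current,
    since it usually indicates a wrong clock or a tampered build property.
    """
    return 0 <= days_since_patch(patch_level, today) <= window_days


def audit(levels: dict, today: date, window_days: int = 90) -> dict:
    """Map each device name to (age_in_days, within_window)."""
    return {
        name: (days_since_patch(lvl, today), is_current(lvl, today, window_days))
        for name, lvl in levels.items()
    }


if __name__ == "__main__":
    # Constructed reference date: mid-March 2018, the month the report was published.
    today = date(2018, 3, 15)
    for name, (age, ok) in audit(SAMPLE_PATCH_LEVELS, today).items():
        status = "OK" if ok else "STALE"
        print(f"{name}: patch level {SAMPLE_PATCH_LEVELS[name]} is {age} days old -> {status}")
```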
Keeping out those bad apps
Google is also pushing to get malicious apps off Android phones, but it’s not taking away your right to download apps from outside the Google Play store. Instead, it’s building in tools that can identify and turn off bad apps.
With its Google Play Protect service, Android can scan devices for apps it knows are bad and warn users of the risks. In 2017, Android stepped in 1.6 billion times and stopped users from downloading “potentially harmful apps,” as Google calls them. It also removed nearly 39 million bad apps from users’ phones.
These include apps that mirror the way HummingBad worked, generating clicks for advertisers without the user even knowing about it. They also include “hostile downloaders,” which seem like innocuous apps but then start downloading other apps that behave badly.
Protecting users from harmful apps is the most important thing Google can do to secure Android, Kleidermacher said. That’s because bad apps are more directly harmful to users than a bug like StageFright, which he said has never been used to attack a large number of Android users.
That’s good news, because while Google can’t protect every user from StageFright, it can use Google Play Protect to save you from bad apps even when you don’t get security updates on your Android phone.