The Shifting State of Android Security

In a Tuesday blog post, Google outlined some Play Store security stats, an unusual move for the company that signals a larger shift within Google.

The post—from Dave Kleidermacher, Head of Security, and Andrew Ahn, Google Play Product Manager—portrays Google as an active guardian. In 2017, it took down 700,000 apps that violated Google Play’s policies, a 70 percent increase in removals over the year before, it said.

By the Numbers

Having written about Android security for several years now, I can say it’s disappointing to see how fast low-quality and even malicious apps can spread through the Play Store. It wasn’t unusual to get tipped off to a malicious, or at least unsafe, app and see that thousands of people had already downloaded it. But Google says 99 percent of apps with what it calls “abusive content” are now snagged before they’re published.

“This was possible through significant improvements in our ability to detect abusive app content and behaviors—such as impersonation, inappropriate content, or malware—through new machine learning models and techniques,” Kleidermacher and Ahn wrote.

Google labels the really bad stuff—apps that can secretly send, receive, and intercept SMS messages for fraud and other nefarious activities—as Potentially Hazardous Apps (PHAs). They act as Trojans, or phish victims for personal information to send back to the bad guys. In short, these apps are designed to do actual harm.

Here, Google is less specific about improvements. “While small in volume, PHAs pose a threat to Android users and we invest heavily in keeping them out of the Play Store,” Kleidermacher and Ahn write in their blog post. “With the launch of Google Play Protect in 2017, we’ve reduced the rate of PHA installs by an order of magnitude compared to 2016.”

But Google is not just targeting apps. In 2017, it revoked the privileges of 100,000 so-called “bad developers” who filled the Google Play Store with the chaff that has plagued it for years. Google says it’s now more difficult for these bad actors to create new accounts and simply republish their apps—a great step toward cleaning up the Play Store.

Not all “bad” Play Store apps are malicious. Most are misleading and low quality, impersonating more popular apps from mainstream developers and making money with aggressive advertisements. Google says it took down over 250,000 apps that impersonated a different app in 2017.

Automated Guardians

A popular (but dubiously accurate) critique of the Play Store is that it has relied too heavily on automation to approve apps. Google, for its part, has told me before that humans were always involved at some level of its app approval process.

We’ve seen glimpses of this before. At the 2017 Google I/O conference, the company said 20,000 dedicated processors reviewed 500,000 apps a day for potential malware. The influence of machine learning and associated AI technology has only increased. A Google rep told me that the Play team is applying Machine Learning more broadly, using it to identify not just bad apps but the developer networks that create them.

Machine vision, the rep continued, is also improving the Google Play experience. The system can identify bad apps more accurately and do so at scale. “We have much more data than before for the models train on so can better detect nuances and hidden abuse,” the Google rep said. “And [machine learning] has helped make human reviewers be more effective.”

A Changing Tune

This news today is part of a larger shift I’ve seen over how Google handles Android. In the past, I’d always felt Android put hardware and software developers’ interests ahead of consumers.

For example, it took years for Google to implement an Apple-style permissions model, where users could approve or reject specific permissions for each app. Previously, Android required you to accept whatever the app requested if you wanted to use it. In Android 8.0 Oreo, stricter limitations on what apps can do in the background are intended to net users a better experience.

“The initial focus/priority for Google Play/Android was to enable developers [to] reach a big global audience and bring fast adoption of the platform,” a Google representative told me. “Now that Google Play has reached critical mass, we’ve definitely shifted gears to focus on building a trusted and safe store. We want to make sure users get a high quality experience.”

Leave a Reply

*