Google reports mixed progress on Android security – InfoWorld

Posted: March 23, 2017 at 1:48 pm

Android suffers from a reality-based reputation problem, with reports of malicious apps stealing user data and critical security vulnerabilities that can take over user devices. Over the years, Google has been working to improve its mobile operating system with new security features, the release of monthly security updates, and better tools to detect and remove malicious apps both on devices and in the Google Play app store. As a result, Android is safer than you may believe, the company says in its annual Android Security Year in Review report.

Google does deserve credit for improving Android security last year: The release of Safe Browsing API, file-based encryption, verified boot, and media server hardening has tremendously improved the overall security of Android devices.

But Google's report shows mixed results for the overall state of Android security.

There are lots and lots (and lots!) of warnings about malicious apps and mobile malware. They're mostly found on unsanctioned third-party app marketplaces, but some manage to bypass security controls and sneak into Google Play.

Still, getting apps only from Google Play is very safe. Google calculates that only 0.05 percent of all Android devices that got apps only from Google Play had a potentially harmful app installed at the end of 2016. Trojans accounted for more than half of such apps installed on Android devices in 2016.

A big fear factor from security vendors is device rooting, which gives apps access to core Google services and to other apps by bypassing Android's security mechanisms. But Google found that most devices are either rooted by the user or the manufacturer, not by malware. And even user-initiated rooting is not all that common: just 0.346 percent of all installs. A teeny-tiny percent of those installs (0.0001 percent) came from apps found on Google Play. As for apps that can root the device without user permission, they accounted for just 0.002 percent of all installs in 2016.

Although most potentially harmful apps come from third-party markets, Google's goal in 2017 is to better protect users even from those apps.

To be clear, Google's definition of potentially harmful apps does not include annoying apps, such as those that are overly aggressive in collecting device identifiers and metadata, because they don't put Android users, user data, or devices at risk, the report said.

Although the company releases security patches monthly, about half of devices in use at the end of 2016 had not received a platform security update, Google said; that is, they hadn't received any updates at all.

Google relies on manufacturers and carriers to push out updates to most devices; Google can only ensure that its own Nexus and Pixel devices get updates on a regular schedule. So Google is trying to make it easier for device makers and carriers to deliver security updates to their customers.

Users are more likely to get security updates if they use popular Android models, according to data gathered by Duo Labs, the research arm of mobile authentication provider Duo Security. Duo's analysis suggests that, among the top 50 Android models used by businesses, 46 percent of devices received a security patch in the previous 90 days, and 81 percent had received one in the previous 180 days. Although it's better to patch devices with each update, the Android updates are cumulative, so users who eventually update are covered up till that patch version.

Still, the overall numbers for Android security aren't great. A substantial percentage of Android devices remain at risk. That's even true for critical security vulnerabilities. For example, Duo found that at the end of 2016, 40 percent of affected Android devices hadn't applied patches for four vulnerabilities (CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, and CVE-2016-5340) that affected a widely used Qualcomm chipset, even though the patches were released between July and October.

The percentage of unpatched Android devices is particularly troubling when you realize that the vast majority, 96 percent, of Android devices support getting the monthly updates, said Rich Smith, R&D director of Duo Labs. The unfortunate reality seems to be that carriers just have to wait 30 days for the hype to die down and then everyone forgets, he said.

Although Google didn't say what devices are included in its top 50 devices list, the report gives some indication of what devices are receiving regular updates: Asus Zenfone 3, BQ Aquarius M5, Google Pixel, Google Pixel XL, LG V20, Motorola Moto Z Droid, Nexus 6P, Nexus 5, Nexus 5X, Nexus 6, OnePlus OnePlus3, Oppo A33W, Samsung Galaxy S7, Sony Xperia X Compact, and Vivo V3Max all had an update rate between 60 percent and 95 percent by the end of 2016.

Over 78 percent of active flagship Android devices on the four major mobile network operators had a security patch level from the last three months. Those devices include Samsung's Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6, Galaxy S6 Edge, Galaxy S6 Edge+, Galaxy S6 Active, Galaxy Note 5, Galaxy Note 4, Galaxy Note Edge, and Galaxy A5 (2016); LG's G5, G4, G3, and V10; Lenovo's Moto X Play, Moto X Style, Moto X Force, Droid Maxx 2, and Droid Turbo 2; Huawei's Mate 8, Mate S, P8, and P9; and Sony's Xperia Z4, Xperia Z5 Compact, and Xperia Z5 Premium.

Although the Android update process covers all devices running Android KitKat 4.4.4 and later, which accounts for 86.3 percent of all active Android devices worldwide, it's a sure bet that updates still depend on geographic location, carrier, and manufacturer. So anyone in the market for a new device should consider that some manufacturers appear to be better about updates than others.

Smart Lock, introduced back in 2014 as part of Android Lollipop 5.0, lets a device remain unlocked if it is in the user's possession. Smart Lock depends on a combination of security signals including facial recognition, trusted places such as the user's home or office, and the presence of a paired Bluetooth device such as a smartwatch. The idea is to reduce the number of times a user has to manually enter a password, while still encouraging users to adopt a secure lock screen that protects the device when it's not nearby. Google estimates that the use of Smart Lock can reduce the number of times people have to manually unlock the device by 90 percent.

But just fewer than half of Android devices worldwide have enabled Smart Lock, according to the report. The country breakdown is even more wacky, with Somalia having the highest adoption rate at 82 percent, followed by Samoa at 78 percent.

Smart Lock adoption rates get more interesting when you combine them with the data from Duo Labs. Duo found that 70.7 percent of Android devices it tracks have enabled Smart Lock. The difference is due to Google tracking all Android devices and Duo tracking ones used by businesses. Businesses tend to require the use of passwords, which they can enforce through Exchange or mobile management policies. Such requirements impose a burden on users that seems to drive them to using Smart Lock to ease that burden.
