Android has always had an image issue when it comes to security, and for good reason. The problem became more visible when a high-security vulnerability was discovered that was estimated to have affected close to a billion Android devices. Since around that time, Google has been more vigilant about its approach to security, issuing monthly security updates, and working more closely with OEMs to expedite their own update processes.
In 2018, Google celebrated ten years of Android, and it's an understatement to say that a lot has changed since version 1.0. Not only does the OS now have over two billion active users but the world is much more critical about its privacy and security in the digital space. Luckily, Google is well aware of this and has for the past five years, issued its "Year in Review" report, detailing how it protects its Android users.
As you can imagine, keeping track of Android and its security isn't an easy task. But one way that Google does this is by detecting Potentially Harmful Applications (PHAs). Google Play Protect can detect threats from the Play Store and also from apps that are installed from external sources. Since 2014, the trend when it comes to installation of PHAs has remained on average under one percent. This year, things remained under that value, with just 0.08 percent of devices that used the Play Store exclusively to install apps being infected with one PHA or more. The rate of infections was eight times higher for those that downloaded apps from an external source, with the number coming in at 0.68 percent.
Each year, the percentage of PHA afflicted devices drops, but that isn't all just thanks to Play Protect and can also be attributed to powerful APIs like BiometricPrompt, Protected Confirmation, StrongBox Keymaster, and various bug bounty programs. The bug bounty programs have allowed researchers from around the world to discover and submit vulnerabilities, while also being handsomely rewarded for their work. Beyond APIs, the OS also makes use of encryption, hardware-backed security, verified boot, sandboxing, and an array of other features to keep things as secure as possible.
A common pain point for users was that Google would update its OS but device manufacturers would be slow or sometimes would never even issue an update. In order to expedite the update process, Project Treble was introduced in its more current versions of Android, which has allowed companies to issue updates faster, with the report stating that "In the 4th quarter of 2018 we had 84% more devices receiving a security update than in the same quarter the prior year".
It might be hard to believe, but last year, we found out that even brand new Android products can have vulnerabilities right out of the box. In 2018, Google launched its Build Test Suite (BTS) with partnered OEMs in order to combat this problem, allowing them to submit build images in order to detect security issues and possible PHAs prior to it going out to users. Since implementing BTS, 242 builds with PHAs were prevented from going out in the wild.
Sadly, there are a wide variety of tactics used when it comes to injecting PHAs into an Android device. While Google does its best to protect its users, it's always up to the user to be vigilant when browsing online or installing applications. If you want the full details of the report, you can visit the source link below or if the report and this article are too much, you can always watch the video above where Dave Kleidermacher, who is VP of Android Security & Privacy, discuss some of the major points from the report.