Google touts Android security but many devices still unpatched

The release of Google’s Android operating system opened a new world of opportunity for aggressively-priced smart phones and tablets. It also brought a new world of security headaches for CISOs who had to deal with employees connecting their own devices to the network after downloading apps from who knows where.

After an initial few years of  updates being delivered to a limited number of vendors Android security has been toughened and updates are being passed on through more manufacturers and carriers than before. However, there’s still a huge number of devices that still don’t get them for a variety of reasons, including vendors and carriers that don’t update older models.

In its latest annual security report on the OS, Google this week was proud to say that last year it released security patches to more devices (including smart watches and TVs) than ever before. “We made key security features like data encryption and verified boot the standard for over one hundred million users. In addition to making devices more secure, we actively protected users from application threats by reducing the impact of Potentially Harmful Applications (PHAs) inside and outside of Google Play and improving the quality of security in hundreds of thousands of applications. Overall, devices, apps, and users are safer than ever.”

Because the Google Verify Apps service scans all network-connected (Wi-Fi or cellular) devices at least once every six days, Google has determined that by Q4 2016, fewer than 0.71 per cent of devices had potentially harmful applications installed. Devices that exclusively download apps from Google Play — the safest source of Android applications — that number was 0.05 per cent, down from 0.15 percent in 2015. Verify Apps conducted 750 million daily checks in 2016, up from 450 million the previous year.

However, the good news is only for devices running recent versions of the OS. The current version is 7.0, release last year. According Google’s Web site 32.5 per cent of devices on the market are still running Android 5,0. Another 20.8 per cent are running version 4.4. However, because carriers pay attention first to the newest devices they are currently selling, older devices may not have been patched for three years or more.

The report notes that last year Google continued providing security patches for Android 4.4 and higher. The report maintains that the percentage of Android devices running Android 4.4 or higher increased from 70.8 per cent of active devices at the beginning of 2016 to 86.3 per cent of active devices at the end of 2016. As of December 2016, it says, 735 million of the 1.4 billion (yes, billion) Android devices report a 2016 security patch level.

The good news is that in 2015 Google began releasing monthly security bulletins and patches to the Android Open Source Project (AOSP). Device manufacturers, system on a chip providers and carriers are increasingly shipping  security updates. Still, the report can only say that by Q4 2016, over half of the top 50 devices worldwide had a recent security patch — not all, just half of the top 50 selling devices.

Assuming users limit themselves to downloading apps from Google Play, one of the strongest defences for the ecosystems is Google’s ability to catch potentially harmful applications. The report says last year such applications accounted for 0.16 per cent. of the just over 1 million apps in the store.

Still, Google admitted in a blog accompanying the release of the report that there’s more to be done. “About half of devices in use at the end of 2016 had not received a platform security update in the previous year,” the blog said. We’re working to increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches.”

While Google has added a number of new features to Android — including Verify Apps, which scans apps not downloaded from Google Play, and, if enabled, scans every device at least once every six days — wise CISOs still invest in mobile device management software for best protection.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now