The release of Google’s Android operating system opened a new world of opportunity for aggressively-priced smart phones and tablets. It also brought a new world of security headaches for CISOs who had to deal with employees connecting their own devices to the network after downloading apps from who knows where.
After an initial few years in which updates reached only a limited number of vendors, Android security has been toughened and updates are being passed on through more manufacturers and carriers than before. However, there is still a huge number of devices that don’t get them for a variety of reasons, including vendors and carriers that don’t update older models.
In its latest annual security report on the OS, Google this week was proud to say that last year it released security patches to more devices (including smart watches and TVs) than ever before. “We made key security features like data encryption and verified boot the standard for over one hundred million users. In addition to making devices more secure, we actively protected users from application threats by reducing the impact of Potentially Harmful Applications (PHAs) inside and outside of Google Play and improving the quality of security in hundreds of thousands of applications. Overall, devices, apps, and users are safer than ever.”
Since the Google Verify Apps service scans all network-connected (Wi-Fi or cellular) devices at least once every six days, Google was able to determine that by Q4 2016, fewer than 0.71 per cent of devices had potentially harmful applications installed. For devices that exclusively download apps from Google Play — the safest source of Android applications — that number was 0.05 per cent, down from 0.15 per cent in 2015. Verify Apps conducted 750 million daily checks in 2016, up from 450 million the previous year.
However, the good news is only for devices running recent versions of the OS. The current version is 7.0, released last year. According to Google’s Web site, 32.5 per cent of devices on the market are still running Android 5.0. Another 20.8 per cent are running version 4.4. And because carriers pay attention first to the newest devices they are currently selling, older devices may not have been patched for three years or more.
The report notes that last year Google continued providing security patches for Android 4.4 and higher. The report maintains that the percentage of Android devices running Android 4.4 or higher increased from 70.8 per cent of active devices at the beginning of 2016 to 86.3 per cent of active devices at the end of 2016. As of December 2016, it says, 735 million of the 1.4 billion (yes, billion) Android devices report a 2016 security patch level.
The good news is that in 2015 Google began releasing monthly security bulletins and patches to the Android Open Source Project (AOSP). Device manufacturers, system-on-a-chip providers and carriers are increasingly shipping security updates. Still, the report can only say that by Q4 2016, over half of the top 50 devices worldwide had a recent security patch — not all, just half of the top 50 selling devices.
Assuming users limit themselves to downloading apps from Google Play, one of the strongest defences for the ecosystem is Google’s ability to catch potentially harmful applications. The report says last year such applications accounted for 0.16 per cent of the just over 1 million apps in the store.
Still, Google admitted in a blog accompanying the release of the report that there’s more to be done. “About half of devices in use at the end of 2016 had not received a platform security update in the previous year,” the blog said. “We’re working to increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches.”
While Google has added a number of new features to Android — including Verify Apps, which scans apps not downloaded from Google Play, and, if enabled, scans every device at least once every six days — wise CISOs still invest in mobile device management software for best protection.
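A CISO who wants the same "patched within the past year" figure Google quotes, but for their own fleet, can compute it from each device's `ro.build.version.security_patch` system property (a real property, formatted YYYY-MM-DD, readable with `adb shell getprop`). The script below is an added example, not code from the article or from Google; the device inventory it runs on is constructed, and in practice the values would be collected per device by adb or an MDM agent.

```python
"""Classify Android devices by the age of their reported security patch level.

Added example. Input is the raw output of
`adb shell getprop ro.build.version.security_patch` for each device; the
inventory below is constructed sample data, not real devices.
"""
from datetime import date, timedelta

# Constructed sample: device serial -> raw getprop output.
# A blank line models a device where the property is unset or unreachable.
SAMPLE_INVENTORY = {
    "emulator-5554": "2016-12-01\n",
    "ZX1G22XYZ1": "2016-06-01\n",
    "0123456789ABCDEF": "2015-10-01\n",
    "old-kitkat": "\n",
}


def parse_patch_level(raw):
    """Return a date for a 'YYYY-MM-DD' patch level, or None if missing/malformed."""
    try:
        return date.fromisoformat(raw.strip())
    except ValueError:
        return None


def classify(inventory, today, max_age_days=365):
    """Split devices into recent / stale / unknown by patch-level age.

    'recent' means the patch level is within max_age_days of today, which is
    the one-year window used in the article's Google quote.
    """
    cutoff = today - timedelta(days=max_age_days)
    report = {"recent": [], "stale": [], "unknown": []}
    for device, raw in inventory.items():
        level = parse_patch_level(raw)
        if level is None:
            report["unknown"].append(device)   # cannot assert patch state
        elif level >= cutoff:
            report["recent"].append(device)
        else:
            report["stale"].append(device)     # candidate for replacement/MDM quarantine
    return report


def share_recent(report):
    """Fraction of all devices (unknowns included) with a recent patch level."""
    total = sum(len(v) for v in report.values())
    return len(report["recent"]) / total if total else 0.0


if __name__ == "__main__":
    r = classify(SAMPLE_INVENTORY, date(2017, 3, 31))
    print(r, f"recent share = {share_recent(r):.2%}")
```

Devices in the "unknown" bucket deserve follow-up rather than being ignored, since a missing patch level usually means a very old build or an unmanaged device.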