Google has been a frequent target of criticism over security and privacy issues and how Android security updates filter out to users, butthe scale of its products has led Google to focus more on steering the ship rather than righting it.
Consider Android: an ecosystem of 2.5 billion active devices where 28.3% of devices run Android 8.x, 19.2% run Android 7.x, 16.9% runs Android 6.x, 14.5% runs Android 5.x, 10.4 runs the newest Android 9, and the remaining 10.7% runs Android 4.4 or older. This means less than 40% of active Android devices in the wild run a version of the operating system released in the past two years and just over 40% run a version of Android that is at least four years old. There are more active Android devices running a version of the OS from 2013 or older than there are running the latest version, which was released nine months ago.
The vast majority of the Android security updates and privacy improvements announced during the 2019 Google I/O developers conference are features coming to Android Q, which is currently in a developer beta. The security and privacy enhancements for Android Q were a main focus for Google and include improvements with encryption — all devices that run Q out of the box will have storage encrypted and TLS 1.3 will be enabled by default — overall platform hardening, biometric authentication and easier access to privacy controls. Even more forward-thinking, Google is readying secure support for electronic IDs with Android Q, despite international standards not yet being set and real-world support for electronic IDs also being nascent.
Only a single security-focused Android announcement at I/O impacts older versions of Android: a new Jetpack security library— supporting Android 6.0 and up — to help app developers with security best practices, such as data encryption, key generation and key validation.
Getting Android security updates and OS upgrades out to users has long been an issue on the platform and one that Google has attempted to attack in different ways. First, Google used Play services as a way to silently push security features to almost all Android devices running Google services and broke out security patch updates into monthly installments. With Android 8.0, or Oreo, Google introduced Project Treble, which effectively split the OS from any custom UI implementations added by OEMs, in order to speed up OS updates.
The newest effort, coming in Android Q, is Project Mainline, which is an effort to split out specific components from the Android OS — like media components which “accounted for nearly 40%of recently patched vulnerabilities” according to Google — and update them silently via the Play Store.
Despite Android 9, or Pie, being such a small share of the ecosystem, Google claims Project Treble accelerated adoption of Pie by 2.5 times compared to Oreo. Google also claimed an 84% year-over-year increase in devices getting the Android security update packs in Q4 2018.
Security and OS updates are in the hands of dozens of OEMs collectively managing hundreds, if not thousands, of different device models in the wild. Given this reality, Google’s options for making meaningful, immediate impacts on security and privacy are somewhat limited. Google could break the fundamental nature of the platform and take back control, risking damage to relationships with OEMs, or slowly steer the ship by finding ways to take back control over security and privacy improvements.
Google is trusting in the work done in the past and betting on OS and monthly patch trends continuing with Android Q, and ultimately betting that the inevitable march of time will bring better security to the Android ecosystem as a whole.