A new report from Google Inc. claims that the Android ecosystem is as safe as it's ever been, though some experts question key data points that support Google's conclusions.
The first official Android Security Report takes a detailed look at all of the data collected regarding Android vulnerabilities found in the past year, assesses the overall security of the ecosystem and describes the advances in Android platform security that most users don't have yet.
The report is broken down into three major sections: the data that Android's chief steward, search giant Google, collected regarding malicious apps; vulnerabilities patched; and the newest security features added to the Android system.
According to Google, fewer than 1% of Android devices were infected with malware in 2014, and those who only use the Google Play Store for apps are at much lower risk, although common update issues are still apparent for enterprise.
In an interview with SearchSecurity, Google's lead for Android security, Adrian Ludwig, described Google's Android security model as a "layered approach," where some security features are built into the open source system layer, and some reside in the so-called "surface layer" which is represented by Google Play services. Not to be confused with the Google Play Store app repository, Google Play services is the set of APIs and tools used by developers to facilitate application integration with the Android platform and Google services.
"The value of the surface layer is the ability to collect data, which helps with the roadmap," Ludwig said. "It should also help others identify opportunities for improving apps, or give confidence in the platform based on the threats known."
Google Play services have become increasingly important to Android security, as a number of security-specific services serve to protect the device and its applications. According to Google, there are more than 1 billion devices protected by Google Play services, covering the vast majority of Android devices in the wild in most regions of the world.
Various Google Play services search for what Google calls a potentially harmful application (PHA), including checking the app signature, analyzing static and dynamic code for potentially harmful behavior, and conducting heuristic analysis of app qualities.
The two main security features of Google Play services that exist on devices -- Verify Apps and Safety Net -- are available on Android versions 2.3 and higher, which equates to about 99.5% of the devices in use.
Verify Apps is a service that scans apps for malicious code during installation, regardless of whether an app was installed through the Google Play Store or via sideloading. According to Google, more than 200 million devices per day were scanned by Verify Apps for the week prior to Nov. 11, 2014.
Google found that in 2014 as a whole, less than 1% of all devices had a PHA installed, and by October that number dropped to its lowest point of the year at less than 0.5%. Users who only installed apps through the Google Play Store were found to have a PHA installed less than 0.15% of the time. Google also found that PHA installation from outside the Google Play Store decreased 60% from Q1 to Q4 of 2014.
"Although we are finding more apps, and the ecosystem is growing -- both good and bad -- the exposure rate for PHA is going down," Ludwig said. "The likelihood that a user will install a PHA is getting lower, which makes the whole ecosystem safer."
Yair Amit, chief technology officer of Tel Aviv, Israel-based security vendor Skycure Security, said that Google has done a "very good job" in patching vulnerabilities and protecting against malware, but noted that malware is evolving, and mobile security will have to as well.
"While in the past, concepts like signature-based antivirus for mobile devices worked decently," Amit said, "today classic tools are easily bypassed by modern mobile malware, hence putting corporations in a significant risk."
According to Liviu Arsene, a senior e-threat researcher at Romania-based antimalware firm Bitdefender, Google's data collection on threats should be a benefit to Android users if it enhances the ability to patch vulnerabilities before they go viral.
"This is great stuff for companies, as IT departments that use MDMs to manage entire fleets of devices will no longer be focused on mitigating vulnerabilities, but on managing policies," Arsene said. "However, all this depends on whether Google is able to timely issue security updates without relying on OEMs to deliver their own firmware updates, which usually takes months or sometimes never happens at all."
Google noted that rooting and sideloading significantly increased the likelihood that a PHA would be found on an Android device, but also noted that the risks were often region-specific. Including rooting, the U.S. and UK still saw PHA levels below 0.5%, while China saw the level spike to 3.5% and Russia saw a spike to just under 2.5%.
Ludwig said that the majority of the malicious apps Google observed arrived on devices from sources other than the Google Play Store, implying that an enterprise with an MDM strategy forbidding sideloading would be at a much lower risk.
"One thing that jumped out at me is the substantial difference between devices installing apps from within Google Play and those installing from outside," Ludwig said. "It's nearly seven times safer installing from within Google Play."
Amit agreed that installing only from Google Play is safer than installing Android apps from third-party sources, but said that alternative sources can become more popular at any time, which could lead to unintended risk.
"The moment one allows his Android device to install from third-party stores, his device will not only allow the installation from trusted sources such as Amazon Store," Amit said, "but also from much more concerning sources, such as emails, SMS and websites that propagate mobile malware."
The other major on-device safety feature of Google Play services is Safety Net, which Ludwig described as an "umbrella brand" for a collection of technologies that mostly deal with threat intelligence data collection, and verifying that a device has a security model consistent with what Google expects from Android devices.
The one action that Safety Net can take to protect a device is to dynamically change a device's configuration settings, including updating blacklists.
"Safety Net is focused more on understanding what types of attacks we're seeing, like the frequency of SSL attacks," said Ludwig, "so we can determine the best way to stop those problems."
Google noted in the Android Security Report that Safety Net analyzes 400 million network connections per day. Ludwig said that most of these connections are initiated by Safety Net to check for any attempts to manipulate the connection from the outside, including man-in-the-middle attacks and network rerouting.
"The idea here is to pick out programming patterns that indicate malicious intent," said Beardsley. "I'm sure it helps lighten the load for the humans who are ultimately responsible for screening."
Android vulnerability patches
According to Google, the Android security team provided patches for 30 high, 41 moderate and eight low-severity vulnerabilities. There were no vulnerabilities found in 2014 that Google classified as critical. Of those 79 patches, 73 have already been released to the Android Open Source Project (AOSP) and six will be released in the next AOSP update. Experts noted that patches being released to AOSP doesn't necessarily mean that the patches were pushed to user devices by manufacturers or carriers.
Amit expressed skepticism regarding the way that Google rated these vulnerabilities, noting that the "high-risk" category for Google included vulnerabilities that could lead to remote code execution and local privilege escalation.
"Such vulnerabilities pose a clear danger to personal and corporate mobile devices and the data on them," said Amit. "The way Google chose to rate critical vulnerabilities involves active exploitation. As measuring whether a vulnerability was actively exploited can be rather tricky, this definition is problematic."
The report makes note of high-profile flaws patched in 2014, including Heartbleed and FakeID. Google said that the only significant exploitation of any known vulnerabilities in the report was a local privilege-escalation flaw in the futex syscall, but Google said this vulnerability was found in rooting tools, which are of lower concern to enterprises.
Google said that it often works with vulnerability researchers and set up an acknowledgement page for the more than 40 security researchers involved in the patches that have already been provided.
Arsene said that this kind of communication between Google, researchers and developers shows promise for the future.
"In light of recent vulnerabilities (e.g. Heartbleed) Google quickly issued a network monitor tool and set of best-practice guidelines aimed at helping developers mitigate potential security risks," Arsene said. "The Android community has always been a tight bunch and the Android team has a pretty good track record at listening to the people."
Despite all of the vulnerabilities patched, Google's report does hint at one of the common complaints in the Android ecosystem of slow software updates by manufacturers in admitting that "there are devices that have not been patched for all publicly known vulnerabilities."
According to Tod Beardsley, a security researcher at Boston-based vendor Rapid7 LLC., the slow update cycle isn't the only trouble that users need to worry about with Android vulnerability patches; the lack of a clearly stated end-of-life (EOL) policy, which leaves older versions of Android vulnerable because many devices don't get updated, is also troubling.
"The most obvious example of the lack of an EOL was the WebView brouhaha of December 2014," Beardsley said. "More recently, Google has now 'frozen' Chrome on Android 4.0.4, even though it is still possible to be on a 4.0.4 phone, bought less than two years ago, with no avenue for upgrade depending on your economic circumstances."
Google also used the report to highlight the new Android security features and capabilities in Android 5.0 Lollipop. These updates include improved full-disk encryption (FDE) and stronger SELinux enforcement.
SELinux is described by Arsene as a kernel module that enforces access control security policies, making sure that the security of your data won't be compromised by malware or vulnerabilities. This feature ensures secure app isolation by limiting the app privileges, while migrating the entire system security to the kernel level.
Beardsley described the improvement as an example of "how seriously Google takes privilege separation and the sanctity of the sandbox."
According to Google, starting with Android 5.0, disk encryption improvements include protection of the user password against brute-force attacks using scrypt, and, where available, the key is bound to the hardware keystore to prevent off-device password brute-forcing attacks. On devices that ship with Android 5.0 out-of-the-box, full-disk encryption can be enabled by default to improve protection of data on lost or stolen devices.
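As an added illustration (not the Android code the report describes, and not from the article), the following Python models the two protections the paragraph names: stretching the user password with scrypt, and binding the derived key to a secret that never leaves the device so that a copied encrypted partition cannot be attacked off-device. The scrypt cost parameters, the `device_secret` name and the HMAC/XOR key wrapping are assumptions made for the demo, not Android's real values or format.

```python
import hashlib
import hmac
import secrets

# Cost parameters are constructed for this demo; the article does not give Android's real values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def derive_kek(password: bytes, salt: bytes, device_secret: bytes) -> bytes:
    """Stretch the password with scrypt, then bind the result to a device-held secret.

    device_secret stands in for a key only the hardware keystore can use (assumed model):
    without it, guessing passwords against a copied footer off the device is not possible.
    """
    stretched = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()


def wrap_master_key(master_key: bytes, password: bytes, device_secret: bytes) -> dict:
    """Build a simplified 'crypto footer': salt, master key wrapped under the KEK, integrity tag."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt, device_secret)
    pad = hmac.new(kek, b"wrap" + salt, hashlib.sha256).digest()   # one-time keystream (demo only)
    wrapped = bytes(m ^ p for m, p in zip(master_key, pad))
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(footer: dict, password: bytes, device_secret: bytes):
    """Return the master key for the right password and device, else None (constant-time tag check)."""
    kek = derive_kek(password, footer["salt"], device_secret)
    tag = hmac.new(kek, b"tag" + footer["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, footer["tag"]):
        return None
    pad = hmac.new(kek, b"wrap" + footer["salt"], hashlib.sha256).digest()
    return bytes(w ^ p for w, p in zip(footer["wrapped"], pad))


def demo() -> tuple:
    master = secrets.token_bytes(KEY_LEN)
    device_secret = secrets.token_bytes(KEY_LEN)      # would live in the hardware keystore on a real device
    footer = wrap_master_key(master, b"1234", device_secret)
    ok = unwrap_master_key(footer, b"1234", device_secret) == master
    wrong_pin = unwrap_master_key(footer, b"0000", device_secret) is None
    off_device = unwrap_master_key(footer, b"1234", secrets.token_bytes(KEY_LEN)) is None
    return ok, wrong_pin, off_device


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Each guess costs a full scrypt computation, which is the brute-force slowdown the paragraph refers to; the third check shows that the right password still fails when the device-held secret is absent.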
However, experts say that the benefits of full-disk encryption have been hampered in a number of ways. According to Nikolay Elenkov, author of Android Security Internals, there are two main troubles with the full-disk encryption implementation.
"Android 5.0 didn't ship with hardware-accelerated disk encryption, even on devices that support this, so most people came to associate it with performance problems, rather than security," said Elenkov. "Another unfortunate fact is that Android 5.1 actually makes it easier for vendors to disable the default FDE via a system property."
In response to this, Google noted that implementing full encryption by default is difficult in a diverse hardware ecosystem like Android.
"Due to performance issues on some hardware, we are not yet at encryption by default on every new Lollipop device," a Google spokesperson said. "We continue to strongly recommend encryption but for Lollipop, it's at the device manufacturer's discretion whether it is on by default."
The common complaint from experts is that the majority of Android users won't see these features for a long time because of how slowly OS updates filter out to devices. As of March 2, according to Google's official numbers (which will be updated again on April 6), Android 5.0 Lollipop accounted for just 3.3% of the Android ecosystem. Google declined to comment on expert concerns on this topic.
"The lag between Google's implementation of new security features and the reality of these features getting into the hands of users seriously undercuts Google's security story with Android," said Beardsley. "So, while mandatory capabilities of full-disk encryption and a Play-updatable WebView are great security advances for Android, barely anyone will see them, since they're only available on Lollipop."
Arsene concurred, saying that when only a small percentage of Android users currently benefit from these advancements, security risks are still just as likely to happen as before. He also noted that even the best path for enterprises to get access to these features was relatively impractical.
"Companies that want to adopt Android Lollipop and benefit from the full spectrum of security features will have to either manually upgrade all their current Android devices or invest in some new hardware that comes preinstalled with Android 5.0," Arsene said. "As you might have guessed, budgets for these types of upgrades are not something easy to come by, especially when you have 500 employees and above."