
Google's second Android Security Report is a mixed bag

The second annual Android Security Report details a number of ways Google has been working to improve security on its mobile platform but also highlights persistent problems.

Google has released its second annual Android Security Report, which describes a number of ways the company continues to improve platform security but also shows that problems with patches and upgrades persist.

According to the report, Google has improved the various security products it has built into Google Play services, a software suite that is updated independently of the Android OS, meaning it covers the majority of Google Android devices in the wild.

"As of the end of 2015, there were over 1 billion devices protected by Google's security services, and over 400 million device security scans were conducted per day," Google wrote. "We believe this makes our security services the most widely deployed and used endpoint protection in the world."

Liviu Arsene, senior e-threat analyst for antimalware firm Bitdefender based in Romania, said this claim makes sense and is especially important "considering that not all of these users actually install or use any other alternative security solution for their Android devices."

One of the more important updates Google made this past year was in Verify Apps, a cloud-based service which checks every application prior to install to determine whether it is a potentially harmful application (PHA). Verify Apps will notify users at the time of install if an app is potentially harmful; Google claimed a change to this warning dialog resulted in 50% fewer installs of PHAs.

"Verify Apps can also remove an application without requiring the user to confirm the removal," Google wrote in the Android Security Report. "In 2015, we improved the ability of Verify Apps so that it can remove applications that register as Device Administrators. We also added the ability for Verify Apps to disable applications that have been installed onto the system partition following a compromise of the device security model."

Mike Pittenger, vice president of security strategy at Black Duck Software, said the ability for Verify Apps to remove apps that register as a Device Administrator is "an important enhancement … because users are typically complacent.

"[Users] hear about an app from a friend, on the Web, or through ads, and download it without checking declared permissions. There is no good reason for an aftermarket app to require administrative or root privileges to a user's device," Pittenger said. "This provides the app with access to virtually all of the data on a phone and could allow a malicious actor to control the device without the user's knowledge to install PHA or other malware."

Google noted that Verify Apps was able to find PHAs because its systems "were conducting ongoing automated analysis on over 35 million Android Application Packages (APKs). This includes every version of every application that has been published in Google Play and millions of APKs that were never published in Google Play. Each APK is analyzed multiple times."

Arsene said these scans are important because although it is recommended that users not install apps from outside of the official Google Play Store, "sideloading apps on Android is relatively easy; users often choose to do it because it allows them to install games or tools that they would otherwise have to pay for.

"There's also the fact that some countries, such as China, block Google and every single one of its services. This inevitably led to the creation of alternative app stores (nine different app stores in China alone) that generate billions in revenue," Arsene said. "Considering that Android leads the smartphone OS sales market share with over 76% in China alone, according to reports, this translates into millions of users actively installing apps outside Google Play."

Of these 35 million APKs Google scanned, the company said, "About 75% of the APKs within our system were not in active circulation (they have zero known installations), and another 10% currently had fewer than five installations."

"The fact that Google scans all apps -- even those with no installs -- shows they treat all applications with the same level of scrutiny," Arsene said. "However, the fact that there are so many apps with no installs could also point to the fact that many of them are either unappealing to users or simply don't deliver as expected."


Even with the prevalence of third-party app stores in regions like Asia and Russia, the Android Security Report noted that, "On average, less than 0.5% of devices had a PHA installed during 2015, and devices that only installed applications from Google Play averaged less than 0.15%."

Google also improved SafetyNet, which protects against network and application-based threats from apps that are successfully installed and allows devices to contribute security-related information to Google's cloud-based services.

"Starting in October 2014, SafetyNet used active network probes to identify cases where the system certificate store has been manipulated," the Android Security Report said. "Throughout 2015, SafetyNet found that fewer than two out of every million devices had installed a local certificate to [allow] man-in-the-middle network connections to Google services."
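The interception SafetyNet's probes look for depends on a locally installed certificate being trusted by the app that talks to the server. On Android 7.0 and later, an app can close that door itself through a network security configuration. The following file is an added illustration, not something from the Android Security Report or from Google's code: it shows the weak setting (trusting user-added CAs for all connections) commented out beside the hardened one, which trusts only the system store and additionally pins the server's public-key hashes for one domain. The domain `example.com`, the two pin values and the file name are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (name is an assumption)
     Referenced from AndroidManifest.xml with:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Example configuration, not part of the report or of any Google project. -->
<network-security-config>

    <!-- Weak setting: a CA the user installed (e.g. an interception proxy's root)
         is trusted for every connection the app makes.
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Hardened default: release builds trust only the platform's system CA store,
         so a certificate added to the user store cannot validate the app's traffic. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for the app's own backend narrows trust further: even a certificate
         issued by a legitimate system CA is rejected unless its SubjectPublicKeyInfo
         SHA-256 matches one of the pins. Two pins are listed so a key rotation does
         not lock users out; both values below are placeholders. -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_OF_CURRENT_KEY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_OF_BACKUP_KEY=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds only (android:debuggable="true"): lets a developer inspect
         traffic with a user-installed CA without weakening the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

The `debug-overrides` block is ignored when the app is not debuggable, so the relaxed trust never ships to users. The `expiration` attribute on the pin set matters: when it passes, pinning is silently disabled rather than breaking the app, so the date should be tracked alongside the key rotation schedule.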

However, despite Google's efforts, the company admitted that pushing patches and software updates is still a challenge for a platform as diverse as Android. Google said, "The Android Security Team regularly provides security patches to manufacturers for Android 4.4.4 and higher so they can provide security updates to their devices; 70.8% of all active Android devices are on a version that we support with patches."

Google has previously estimated that there are somewhere around 1.4 billion active Android devices in the world, so even if all supported devices are getting the patches that Google provides, which experts say is unlikely, there would be at least 400 million devices in the wild that are not supported with the latest patches.

Arsene said that although enterprises with mobile device management solutions can minimize the risk posed by unpatched devices to a certain extent, organizations should "use security technologies that augment native Android security capabilities.

"It is extremely likely for an exploit to be used in the wild, especially since there are more than 400 million Android devices in the world that don't run security-supported Android OS," Arsene said. "And we're talking here about serious vulnerabilities, some of which are easily exploitable."

Pittenger said that in a world where more employees are bringing their own devices, it is harder for users and enterprises to be aware of all the risky devices on a network.

"While it's promising that Android security is improving, we know that attackers view mobile devices as an attractive target. While Google is deploying static and dynamic analysis to identify security issues, these tools are not perfect. Most security vulnerabilities on software 'in the wild' continue to be found by security researchers," Pittenger said. "For reference, the National Vulnerability Database has reported on over 6,000 new vulnerabilities since 2014, just in open source components. No more than a handful of these have been discovered using tools like static and dynamic analysis. The vulnerabilities are simply too complex to be identified by automated tools at this point."
