Security Improvements Make Android More Attractive to Business

24.3.2017 securityweek Android
Google Outlines State of Android Security With 2016 Year In Review Report

Accepting Android as a staff BYOD (Bring Your Own Device) option has always been tempered by security officers' understanding that it is less secure than iOS. In the last year, Google has made serious efforts to reduce that perception. The Android Security 2016 Year in Review report (PDF), published this week by Google, describes two areas in which the company has particularly improved Android security: updates, and the elimination of malicious apps.

Security updates, or patches, have always been a problem in the Android ecosphere. The difficulty is the sheer number of different Android manufacturers involved, some of whom rarely distribute the monthly updates provided by Google. Over the last year, Google has worked on improving this. It has concentrated on two areas: improving the discovery and responsible disclosure of vulnerabilities in its partners' products; and improving the speed and regularity of device patching.

It has achieved what can be described as partial success. "As of December 2016," says the report, "735 million Android devices report a 2016 security patch level." The downside is it still leaves a similar number that did not. Nevertheless, "Over the course of the year, Android device manufacturers became more efficient at delivering monthly security updates, including expanding their security programs to accept and address security vulnerabilities specific to their devices."

New models of Google's own products, Pixel and Nexus, and several of the major manufacturers such as Samsung and LG, have introduced automatic updating. At the end of 2016, Android 7.1.1 introduced new features to improve updating generally with automatic updates. "To do this," says Google, "devices have two system images: one for the currently active system and one to receive an updated image. When an update is available, the device downloads the new system image in the background. The device seamlessly switches to the new software update the next time it reboots... As more new phones are sold with Android 7.1.1, this feature will become available on a wider variety of devices."

Google also improved its ability to detect and remove potentially harmful apps (PHAs), such as trojans, spyware and phishing apps, both on the device and from within the Google Play Store. "The goal," says Google, "is to provide the right protection at the moment it is needed by the user." During 2016, Google's security services performed over 790 million device security scans daily, covering phones, tablets, watches and TVs. This is up from around 450 million in the previous year.

Similar attention is given to the apps in Google Play, and PHA installations from Play have fallen dramatically: trojan installs fell by 51.5%, hostile downloaders by 54.6%, backdoors by 30.5%, and phishing apps by 73.4%. "By the end of 2016," claims Google, "only 0.05 percent of devices that downloaded apps exclusively from Play contained a PHA; down from 0.15 percent in 2015."

Google accepts that there is still work to do, especially to protect those devices that install apps from outside of Play -- and it expects to do this in the present year. "We believe that advances in machine learning and automation can help reduce PHA rates significantly in 2017, both inside and outside of Google Play."

As it stands, according to Google's figures, users of mainstream Google devices that limit app installations to Google Play are increasingly secure; and already significantly more secure than last year. This has to be good news for all organizations with -- or considering -- an Android-based BYOD policy for staff.