Android Security 2015 Year In Review: What Isn’t Google Telling You?

For the second year in a row, Google released its annual report which details “how Google Services protect the Android ecosystem.” On the surface, the Android Security 2015 Year In Review is a compelling argument for how Google’s advances in mobile security give users greater confidence that Android can protect sensitive data on smartphones and tablets. However, if you read between the lines, you can see that significant vulnerabilities still plague Android, leaving users worldwide exposed to risk.

Google’s reporting on Potentially Harmful Apps, or PHAs, says that overall, “PHAs were installed on fewer than 0.15% of devices that only get apps from Google Play.” Let’s assume for a moment that all of the 1.4 billion 30-day active Android devices[1] only get apps from Google Play and not from third-party app marketplaces. That works out to as many as 2.1 million Android devices worldwide that had a PHA installed, and every one of those apps came from Google Play, a source that is supposed to be safe and trusted.

Google also says “about 0.5% of devices that install apps from both Play and other sources had a PHA installed during 2015, similar to the data in last year’s report.” Arguably, it’s impossible to say with certainty how many Android users install apps from both Google Play and other gray-market sources, but let’s focus on China where these app markets are very popular.

GSMA reported in July 2015 that there were an estimated 1.3 billion mobile connections in China, of which 913 million, or 68%, are smartphones. In December 2015, China Internet Watch reported that 81.4% of smartphones in China were running some version of Android. That means there are roughly 740 million Android smartphone users in China. If we also assume that all of these users install apps from places other than Google Play and that about 0.5% of these devices have PHAs installed, that means there are nearly 4 million Android devices in China alone that are infected with risky or outright malicious apps.

Google goes on to say Android 6.0 Marshmallow introduced a “variety of new security protections and controls.” These include full-disk encryption, extended to SD cards that are adopted as internal storage; runtime app permissions that let users manage what data they share with apps at a finer granularity; and a security patch level shown in Settings that lets users check whether a device has the most recent security updates. These improvements are well-intentioned, but encryption carries a performance cost, and in some cases they do little to help users secure their sensitive data on Android devices.

Everyday Android users likely won’t understand, let alone care about, encryption. Nexus-branded Android devices now ship with encryption enabled by default, which certainly helps keep them secure, but it is not enabled on most of the other Android devices already in use. Turning it on means changing device settings, and on hardware without crypto acceleration the cost is noticeable: a longer first boot while the storage is encrypted, and slower storage reads and writes afterward.

Encrypted removable media isn’t readable on other devices either, which creates headaches for users. Marshmallow only encrypts a card the user chooses to adopt as internal storage (a card formatted as portable storage stays unencrypted and readable anywhere), but once a card is adopted, its key lives on the phone that adopted it, so the user can’t simply move the card to another smartphone or a computer and read it. Moreover, if the device that encrypted the card is damaged or destroyed, the data is effectively destroyed along with it, even if the SD card is unharmed.

Android’s updated app permission process does give users visibility into how much and what types of data they share with apps. Letting users grant or deny permissions one at a time is an empowering idea, but more often than not the user gives up that choice in order to get the app working quickly rather than securely. Because Marshmallow asks for each permission at run time, when the app first needs it, users simply tap through and accept the prompts until they get the result they wanted, which circumvents any added security benefit Google intended.

Showing Android users whether their device has the latest security updates is an excellent way to educate them about vulnerabilities, but it’s not a very practical way to keep them secure. Google says the Android Security Team “regularly provides security patches to manufacturers for Android 4.4.4 and higher so they can provide security updates to their devices.” However, the report indicates that over 30% of all active Android devices are on a version that Google will not support with patches.

Astonishingly, that means over 400 million Android devices worldwide, roughly 30% of 1.4 billion, won’t be able to get critical patches that keep those devices and their data safe.

Even if a user with a supported device discovers a missing update, there’s a chance the device can’t receive it until the manufacturer and carrier have approved it. Google’s patches go first to device makers, who integrate them into their own builds, and then to carriers, who test and approve those builds before pushing them to users. These delays are commonplace for Android and put end users at significant risk while they wait. And with the extraordinary fragmentation of the platform, this problem is only going to get worse.
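For the IT staff who have to act on this, the practical question is which devices in a fleet can still be patched at all. Below is an added example, not Google’s or Check Point’s code, of a fleet posture check. It assumes an MDM agent has already exported each device’s android.os.Build.VERSION.RELEASE and, on Android 6.0 and later, android.os.Build.VERSION.SECURITY_PATCH (the same patch level a Marshmallow user sees in Settings; the field does not exist on older releases). The 4.4.4 floor comes from Google’s statement above; the 90-day staleness threshold, the reference date and the inventory are assumptions and constructed sample data.

```python
"""Fleet posture check: which Android devices can still receive patches?

Added example. Assumes an MDM agent exported, per device, the values of
android.os.Build.VERSION.RELEASE (e.g. "4.4.2") and, on Android 6.0+,
android.os.Build.VERSION.SECURITY_PATCH ("YYYY-MM-DD"; the field does not
exist on older releases, so it arrives here as None). Thresholds and the
inventory below are assumptions and constructed sample data.
"""
from datetime import date, datetime

# Google supplied patches to manufacturers only for Android 4.4.4 and higher.
PATCH_FLOOR = (4, 4, 4)
# Assumption: a patch level older than this many days is considered stale.
MAX_PATCH_AGE_DAYS = 90
# Assumption: the date the check is run, fixed so results are reproducible.
REFERENCE_DATE = date(2016, 4, 1)


def parse_release(release):
    """Turn Build.VERSION.RELEASE ("4.4.2", "6.0") into a 3-tuple of ints.

    Stops at the first non-numeric component and zero-pads, so "6.0"
    compares as (6, 0, 0) and a malformed string compares as (0, 0, 0).
    """
    parts = []
    for piece in str(release).strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_patch_level(level):
    """Parse Build.VERSION.SECURITY_PATCH; None or malformed means unknown."""
    if not level:
        return None
    try:
        return datetime.strptime(level, "%Y-%m-%d").date()
    except ValueError:
        return None


def assess(device, today=REFERENCE_DATE):
    """Return a verdict dict for one device with the reasons it failed.

    A device fails if its release is below the patch floor (no upstream
    fixes exist), if it cannot report a patch level at all (pre-6.0, so
    nothing can be verified), or if the reported level is stale.
    """
    reasons = []
    release = parse_release(device.get("release", ""))
    if release < PATCH_FLOOR:
        reasons.append(
            "release %s is below 4.4.4: Google provides no patches" % device.get("release")
        )
    patch = parse_patch_level(device.get("security_patch"))
    if patch is None:
        reasons.append("no security patch level reported (pre-6.0 or malformed)")
    else:
        age_days = (today - patch).days
        if age_days > MAX_PATCH_AGE_DAYS:
            reasons.append(
                "patch level %s is %d days old" % (patch.isoformat(), age_days)
            )
    return {"id": device["id"], "compliant": not reasons, "reasons": reasons}


def assess_fleet(inventory, today=REFERENCE_DATE):
    """Assess every device in the exported inventory."""
    return [assess(d, today) for d in inventory]


# Constructed sample inventory; not real devices.
SAMPLE_INVENTORY = [
    {"id": "dev-1", "release": "6.0.1", "security_patch": "2016-03-01"},
    {"id": "dev-2", "release": "6.0", "security_patch": "2015-10-01"},
    {"id": "dev-3", "release": "5.1.1", "security_patch": None},
    {"id": "dev-4", "release": "4.4.2", "security_patch": None},
    {"id": "dev-5", "release": "4.4.4", "security_patch": None},
]

if __name__ == "__main__":
    for verdict in assess_fleet(SAMPLE_INVENTORY):
        state = "OK  " if verdict["compliant"] else "FAIL"
        print(state, verdict["id"], "; ".join(verdict["reasons"]))
```

Run as a script it prints one verdict per device. The design choice worth noting is that a device which cannot report a patch level at all (anything before 6.0) is treated as non-compliant rather than unknown, because the check has no way to distinguish a 5.x device that was patched by its manufacturer from one that never will be; on a real fleet those verdicts are what you would feed a conditional-access rule.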

Mobile security roadblocks, concerns, and use cases don’t end with the individual user either. With Android holding 25% of the enterprise market[2], these issues also land on overburdened IT, security, and mobility staff who toil daily with aging device management solutions that lack adequate mobile security. Massaging facts and numbers in a way that lessens the blow serves Google’s interests, but it obscures the reality that the vulnerabilities that plague Android today are certain to multiply tomorrow.

Security shouldn’t be a hindrance for users or businesses. So I agree with Google when it says “Greater transparency, well-informed discussions about security, and ongoing innovation will help keep users safe.” That transparency, though, should present the facts clearly and honestly so that end-users and businesses can make better decisions based on all available information.

Jeff Zacuto is a San Franciscan, gadget geek, and senior mobile security marketer at Check Point Software Technologies. His 15 years of experience with mobile technology, security, and compliance gives him a unique perspective on the needs and expectations of IT and security professionals, end users, and corporate executives.

[1] Google CEO Sundar Pichai, September 2015

[2] Good Technology Mobility Index Report, August 2015