As the Internet and its denizens have evolved, so have the ways of accessing and interacting with it. For a vast majority of people around the world, the easiest and often only way to connect to the Internet is their smartphones. With 4 out of every 5 smartphones running a version of Google’s Android OS, it becomes imperative that Google beefs up the defences of their OS. In the light of recent security threats like Stage Fright and the Accessibility Hack, quite a few people have raised their doubts about the security services of the Android OS. To put all these doubts to rest once and for all, Google has released their second Annual Android Security report for the calendar year of 2015.
Providing security for an OS like Android is incredibly tough because of two main factors. The Android OS is open source, allows all of the partner OEMs to modify the Android source code to suit their own needs. While this leads to some wonderful creations like custom UIs like MIUI and new security protocols like Samsung’s Knox, it also allows bugs to creep into the system being used by the end-user. Secondly, the fragmentation of the Android ecosystem forces Google into a situation where they have no way to provide security updates to the systems of devices that are languishing in previous versions of Android. So has Google been able to solve these two major problems? Let us find out in our analysis of the situation below!
Google and OEMs Working Together For A Secured Android OS
While Google actively tries to intercept security attacks on Android users through its Google Play services initiative, that is not the first line of defence for the OS. As has been famously said, prevention is better than cure, and that is why we see that Google has invested heavily in creating the Android SDK a safe and secure Development environment so that app developers don’t accidentally inject their apps with malicious code. But while this form of malicious apps is stoppable, what forms an even greater threat to Android users are security vulnerabilities in the custom UIs of various OEMs.
To negate that risk, Google has partnered with the smartphone manufacturers in a symbiotic relationship where the open source nature of Android has come to the limelight. While Google has been instrumental in providing monthly patches to Nexus devices, having these patches reflected in the Android Open Source Project (AOSP) means that many major OEMs have been able to roll the security patches out to their flagships as well. Samsung’s Knox Code, which has been instrumental in providing a safe boot process, has now also been inculcated into the AOSP main branch. Companies like Blackberry have also contributed to the overall system security by adding several kernel hardening measures that have been included in the Blackberry Priv.
Google Play Services: Answer to Android Fragmentation?
While the flowchart above is an elegant description of the entire process how Google Play Services works, the truly amazing factor in here is how huge the scope of Google Play services actually is. In 2015, over 1 billion devices had been protected by Play services with daily scans on over 400 million devices. Not only are those numbers incredible, but it also makes Google Play Services the world’s most widely deployed and used end-user security system.
So how well has Google Play Services performed? On a YoY basis, installation of Potentially Harmful Apps (PHAs) on Android devices has been decreased by 40%. To gain a complete view of the protection that Google Play Services provides, we have highlighted a few major points below.
- The rate of devices that only install apps from PlayStore and have PHAs installed has decreased to 0.15% in 2015. The rate has remained almost the same at 0.5% for devices that install apps from both the Play Store and outside sources.
- Within the Play Store, Data Collection Apps have decreased by 40% and is now restricted to only 0.08% of installs. Along with that Play Services has also cracked down on Spyware and Hostile downloaders, reducing them by 60% and 50% to non-existent levels of 0.02 and 0.01% of total app installs.
- Along with that, to protect the users who are installing apps from third party sources, Google enabled Verify Apps to scan all the apps on the device and also changed the warning UI which decreased the percentage 0f PHA installations by 50.
But while both OEMs and Google Play Services have done their bit to protect the Android users, saving the devices from System level vulnerabilities have always been a tough ask. This is why we find that Google has baked in even more security elements into the latest versions of Android to make the system even more secure from within. What are these elements and how can they be improved upon? We talk just about that in our finishing segment.
While the App Security Improvement Programme has increased the security of devices by removing more than 100,000 apps from the Play Store with various vulnerabilities, Google has also worked on ways to minimise the risk of a device’s security getting compromised from a basic OS level. In order to do this Google released several features in Marshmallow their latest release in 2015 which we shall see take place in devices as they are released with the new flavour of Android in 2016. A few salient features from this new release have been included below:
- Application Sandboxing has been strengthened and now the end user can decide which app gets which permissions individually instead of agreeing to give all the permissions at once when the app is being installed from the PlayStore.
- The Verified Boot process ensures that no one can tamper with the user data so that a hacker cannot take advantage of the system has not fully booted up to gain access to the file systems inside the device.
- As an added measure to provide device security, Marshmallow provides encryption by default, even on SD cards.
- And finally, Android now natively supports biometric security measures like Fingerprint sensors and even Security Lock on older versions of Android.
So while all of this makes the future for Android look rosy, yet app vulnerabilities and OS fragmentation continue to be very real problems for Google moving forward. With mobile payments like Samsung Pay picking up more steam, more people are moving to shopping on their mobile devices. This means that Android will become a target for hackers, now more than ever.
While it is in the best interests of Android’s Open source nature to have different OEMs compete with their own take on Android, maybe the time has come for Google to take control of its OS at least in the core layers of security and not let anyone tamper with that.
“Programming can be fun, so can cryptography; however they should not be combined” were famous words by Kreitzberg and Shneidermann.
and moving forward with Android N, Google may follow the same principles by letting the OEMs have all the fun of customizing the outer layer of the OS while the core functions within stay in Google’s grasp. For a secure Android, that might be the only alternative left, but whether the OEMs let Google tread that path is what remains to be seen.