Google says the fundamentals of Android security are stronger than ever

Android wants to cure our Stagefright.

Android security has had a tough year in the headlines. Reports surfaced pointing to damaging holes in the open source software, pinning the blame — very often unfairly — on Google. The most prominent was Stagefright, a bug that left millions of Android devices potentially vulnerable.

Ignore those sensational headlines, Google contends. Look at the data.

“There is a fairly big disconnect between what’s in the data and what’s in the public discussion,” said Adrian Ludwig, Android’s lead security engineer.

That data, from Google’s second annual Android Security State of the Union, published today, shows that a minute proportion (less than 0.15 percent) of devices running on Android installed a bad app, or Potentially Harmful App, from Google’s Play store in 2015. That’s the same figure as the prior year, but Google claimed its security efforts during 2015 cut the likelihood of PHA installs by 40 percent.

Part of those efforts were aimed at improving the process for pushing security updates to Android phones, Ludwig told Re/code. It’s a laborious process, because Android’s best asset — its openness — is also its biggest vulnerability, as it forces Google to update software in cooperation with a myriad of hardware and carrier partners, which are often less equipped (or concerned) than Google on security. Apple can just do it alone.

But Google is gradually taking more control. On the penultimate version of Android — 5.0, roughly one-third of Androids worldwide — Google now controls updates on the software for writing Web apps, rather than the hardware makers. “There may be some more opportunity for us to do those sort of things,” Ludwig said. (He wouldn’t say how many Android devices out there get Google’s most recent security updates regularly, citing insufficient data.)

You can read the entire report, if you want to get into the weeds. For those who don’t, the key point is that Google is taking security seriously. That could come from the spark of the Apple-FBI standoff over mobile encryption (or that Apple likes to bludgeon its mobile rival about its security). Ludwig said the Android team was not influenced by the FBI case, but did emphasize that Google is rolling out more and more device encryption.

The report notes that Google scans around four million devices a day for security holes and protects around 200,000 owners — about one-fourth of San Francisco’s population — when their phones or tablets are lost or stolen.

Another interesting number: Last fall, the Android team noticed that about a third of Android apps worldwide not downloaded via Google’s app store were at risk of a nasty malware called Ghost Push.

It’s timely that Google points out the safety of its own app store over others, given that later this week the European Union antitrust chief is expected to bring charges against Android — specifically, Google’s practice of bundling its apps with it. That could become a talking point for Google: You may not like our app store, but look here — it’s far safer.

This article originally appeared on
