The idea that the Android platform is insecure is popular and persistent. And quite possibly wrong.
Barely a week goes by without a new headline about a freshly uncovered vulnerability or new malware affecting millions of devices.
These issues are exacerbated by the fact that the Android ecosystem is complicated. Fragmentation makes it incredibly difficult to update the platform. A glut of different device manufacturers build thousands of different phones and tablets running different versions of Android. As a result, updates with security fixes in them take months to roll out — or worse, never do at all. Too many manufacturers only update their flagships, leaving known vulnerabilities in older and lesser devices that could put users at risk.
Consider a vulnerability like Stagefright, which could give hackers control of an Android device through malicious code in an audio or video file. Reports suggested up to 95 percent of devices were vulnerable. But how many were actually affected?
“Here we are a year and a half in, almost going on two years since we first found out about it and we still don’t know that anybody’s actually affected,” Adrian Ludwig, Director of Android Security, told Digital Trends.
The concern was, Google worked out fixes relatively quickly, and rolled them out to Google’s Nexus line of devices immediately. Patches for other devices came out at the discretion of the manufacturers.
That means, if you have a Google Pixel with the latest Android 7.0 Nougat, you’re benefitting from the latest security, but someone with a phone running KitKat (20 percent of Android devices) that hasn’t seen an update for a year or more could have been at risk.
It’s a thorny issue that’s not easily solved, but the Android security team has worked hard to reduce the risk for users. Scary statistics make for good headlines, but does Android deserve the reputation it has for insecurity?
“I do think we have a bit of a perception problem, but it’s very different from actual user risk,” Ludwig explained. “The cryptographic work that we’ve been doing, the sandboxing that we’ve been doing, and a lot of the work to make exploitation more difficult is all coming together nicely.”
Digital Trends talked with Ludwig on Google Hangouts to find out the current state of Android security, ask whether people should really be concerned about headline vulnerabilities and malware, and learn what Google is doing about fragmentation to enable wider security updates.
Digital Trends: Is Android really insecure?
Adrian Ludwig: No, it’s not insecure. There are a lot of things we’ve done that have moved expectations forward over the last couple of years.
For Mac or Windows, you had to have third-party antivirus protection, but we said we’re going to do that for everybody and make it for free.
Application sandboxing is a relatively new concept in the world of Android security – the idea that applications don’t have access to all your user data, but only have access to their data is entirely new, it’s not something that exists on Mac, it’s not something that exists on Windows.
“We have a bit of a perception problem, but it’s very different from actual user risk.”
Then there’s device encryption. Most enterprise don’t have it turned on all the time. An expectation has been set in the mobile space that everything should be encrypted all the time and there’s even an expectation that it’s going to be encrypted so well that it’s going to be difficult even for a sophisticated attack to get access to that data without user authorization.
We’ve also learned a lot about how the bad actors work and what they’re trying to do, and we’re now at a little bit of an inflection point. For the first few years we were learning, building our understanding, and improving our technology stack. Now we can keep up with the bad actors. Malware rates, for example, are relatively flat across the last three or four years, but I think this is the year where we’re going to see them drop, perhaps drop significantly, because we’ve gotten to the point where we have enough skill and experience. We’re now able to move more quickly than the actors, catch them sooner, and take action more effectively across the entire ecosystem than we could before.
I think we’re at a turning point where even by Android standards we’re going to start to see pretty significant improvements with regards to malware.
There’s still more to do, but it’s easy to forget how far we’ve come over the last five years.
We see a lot of reports about vulnerabilities with frightening statistics. What’s the realistic risk of your Android device being exploited or hijacked? For example, something like Stagefright was said to potentially impact 95 percent of Android devices. Do we have an idea how many have actually been hijacked using that vulnerability?
Here we are a year and a half in, almost going on two years since we first found out about it and we still don’t know that anybody’s actually affected. There are rumors that a small number of devices might have been affected, but even those we haven’t got any substantiated evidence for.
And trust me, whenever we hear a rumor like that we try to chase it down. We go talk to the company that’s making that statement. We ask if there’s data that they can share. We’ve never been able to substantiate any of those numbers. I can say definitely that there weren’t 900 million devices affected.
Certainly, the headlines that ran and the excitement was disproportionate to reality and it may be that nobody was affected. Which is incredible I think, even looking back myself there’s always a concern that there may be something you’re not seeing, but time seems to be the thing that’s revealing those blind spots.
I’ve been working on Android security for the last six years and every time you look in an area where someone has said “that’s a blind spot,” we don’t find anything. So, early on it was “there’s tons and tons of malware in Google Play” and we looked, there was some, we removed it. Then we hear “it’s outside of Google Play,” we look, there’s some, we put pretty good protections in place. Then “it’s going to climb next year” and that didn’t happen either. Now, “it’s vulnerabilities are going to be exploited,” but we don’t see that.
Time and time again we’re moving forward in where we’re looking and the checks that we’re doing and the services we’re providing to look for bad actors, but we’re just not seeing any actual harm.
That said, we want to be as cautious as we possibly can and so we’re investing in services to look in all those little dark alleyways. We’re also working with partners to make sure that they’re able to respond as quickly as possible, so that’s where we’ve invested a lot in security updates, not because we’re seeing a lot of actual exploitation, but because we don’t want that to be a risk that ever gets realized.
A lot of it is about staying ahead and never getting to a point where there’s a problem.
Why do you think this narrative about Android being a “toxic hellstew” of vulnerabilities persists?
There’s a few reasons. One is that complexity is often very scary and the narrative for the Android ecosystem is a complex one. There are lots of different OEMs [phone and tablets makers] in the ecosystem, lots of different device models.
“[Machine learning] is one of the main reasons we’ll get ahead of the attackers.”
Very succinctly describing what’s happening in the Android ecosystem is difficult, in much the same way that describing human anatomy or the population of humanity is very difficult. But we know that medicine is getting better, and we know that people are living longer. We know that people are getting healthier, but we still read lots of stories about people dying, bad things happening, and diseases.
I think that’s a mirror of what we have going on in the Android ecosystem. It’s complicated, so there’s not often a satisfying, super simple answer, but overall it’s getting more and more secure and robust.
We also see a lot of malware stories, but is the average Android user, who never downloads apps outside of the Play Store, in danger?
From Play the malware number is about 0.05 percent which is 5 out of 10,000 apps, so that’s pretty low. In terms of what percentage of devices get infected, that’s in the range where if we weren’t talking about it, no one would know it was even happening.
We talk about it to make sure there’s transparency about the level of risk. Often platforms don’t want to talk about things. They turn a blind eye. We like to have transparency into external actors and our policies and processes, so we can build trust. We don’t want people to trust blindly.
My guess would be, certainly in the Android ecosystem, the Play Store is the cleanest app store. I would imagine it compares similarly to other app stores with ecosystems that are more closed. [We believe Adrian is referring to the Apple App Store.]
Having discussed it with a lot of people, anecdotally, we don’t know anyone who has had an Android malware problem, but I’ve had Windows problems myself. Why is everyone talking about Android security?
I think we’ve gotten bored of Windows malware and so it’s not fun to talk about it anymore. Android was sort of the new, exciting thing.
Everything I’ve seen shows that across the Android ecosystem. The hundreds of millions of devices that install from Google Play are an order of magnitude cleaner than a managed corporate fleet of Windows devices. Our infection rate is a half percent globally, where for managed Windows devices it’s higher, and for consumer households the infection rate for Windows devices is higher still.
But Android is exciting. It’s a growing market. It’s a growing market for consumers, but I think it’s also a growing market for the security industry, so they’re very interested in making sure people are aware and thinking about those things. That’s the shape of communication around the platform.
When you do find malware, what type is most common?
Most of what we’re seeing is commercial in nature. They’re typically trying to make money and the mechanism to monetize on mobile is to install applications. We do see niche cases of apps that go after banking passwords or things like that, but the simplest way to monetize is to install an app. A very large percentage is related to what we call hostile downloaders.
What’s interesting is that the apps they install are not themselves harmful. It might be a game that’s looking to get a promotion, or it might be another service where they benefit from having market distribution. The end result is not the types of things people think about when they think about malware. It’s often not somebody trying to steal your data.
There is spyware. I don’t want to suggest that it doesn’t exist. We even did a post this week describing a very high-end spyware that we found, but that was on 25 devices. It’s certainly not the type of thing that’s common or most popular across the ecosystem.
Is there anything inherently less secure about Android compared to other mobile operating systems?
I don’t think there’s anything inherently less secure about the platform. I think the complexity makes it more difficult to make statements at a platform level.
People love to compare iPhone to Android. The iPhone is a device with an operating system from a manufacturer, in fact it’s about five different devices. If you look at one manufacturer from Android — Samsung is the biggest — they have hundreds of different device models. Merely comparing Samsung to iOS you’re roughly 20 times more complex already, in terms of this device versus that device. It’s not a reasonable comparison.
Perhaps comparing the Pixel and Nexus line to iPhone might be fairer?
Yes, very similar hardware-wise – similar security properties. The app stores have similar security properties, verified apps, application isolation — very similar security properties. Both have a commitment to rapid updates.
“Comparing Samsung to iOS you’re roughly 20 times more complex already, in terms of this device versus that device.”
Where you get into differentiation is in transparency. Android is open source. That information is available to everybody. We encourage third-party research through our security rewards program, so we know that not only are we looking for issues in the platform, but other people are as well and that makes a big difference.
I think the services make a huge difference as well. We have intentionally designed in visibility and the ability to check on devices in the field, whereas that doesn’t exist on any other platform. It means we get feedback on a lot of little things that are happening and we can respond to that.
How do you combat the slow roll out of security updates for non-stock Android devices? Is it frustrating?
We really appreciate how many people have adopted Android and how many devices have Android on them. The reality of that sheer diversity of the ecosystem is that some manufacturers will move very quickly and others move more slowly.
We’ve spent a lot of time over the last year to try to help those that are moving more slowly to solve some of their technology challenges, solve some of their engineering challenges, and in some instances its organizational challenges. They may lack a staff of engineers to provide updates. Perhaps they didn’t think about that, so we ask what can we do to get you to a point where you have thought about it and it does makes sense?
It definitely makes things more complicated, but it’s also at the core of why Android has been so successful, because a lot of different people were able to jump in and start building devices.
What action has the Android team taken to make the platform more secure? And what’s the next area you’d like to tackle or improve?
I think all the pieces are coming together really nicely. It’s been a multi-year journey, but the cryptographic work that we’ve been doing, the sandboxing that we’ve been doing, a lot of the work to make exploitation more difficult is all coming together nicely, so those are the areas that we’re going to keep working on.
Why is sandboxing important?
Sandboxing at a fundamental level is about how you isolate one application from another. A game is a perfect example, one where people don’t think about it, but on a PC, games are often networked. They’re one of the few things on that sort of device that has network port service, so that is one of the scariest pieces of software that you’re running on most consumer devices. If you compromise a game, the game author might be perfectly benign, but that game has access to everything on your PC.
Whereas on Android that’s not at all the case. You have to then also compromise the core operating system to be able to go beyond that. For us, that was really, really important to make sure that you always have to compromise Google’s code, Android’s code, to get to the point where you can do something that really hurts a user.
How important is the third-party research program for finding bugs and vulnerabilities?
It’s really important actually. Last year we paid almost a million dollars to researchers. I think there were about 120 different researchers that found issues and reported them to us. Dozens come in every month, so it’s really important for us.
One thing that has happened actually that’s really interesting is that we started to get more and more reports of issues, not in Android, but in other components that are in the device. For example, this week there was a report of an issue in Broadcom’s Wi-Fi drivers that affected Android, iOS devices, and anybody else who was using those types of drivers. That’s the kind of thing we’re seeing more and more.
Is machine learning starting to play a role? Do you have enough data for it to be effective?
We do have a huge amount of data now and we’ve started to find some machine learning techniques that work really well for different types of things. One thing machine learning works really well for is finding other applications that are also malware. When we find one bad app, we might be able to take down a thousand or more applications that same day that we know are related based on machine learning techniques.
And you expect that to improve over time? Obviously, it’s learning so it should get better?
“Machine learning lets us develop protection capabilities much more quickly.”
It’s one of the main reasons that in the next couple of years we’ll get ahead of the attackers. Machine learning lets us develop protection capabilities much more quickly than a human can improve their hiding, which is ultimately why malware in the past has been persistent — because even very small changes can hide it effectively. That’s not going to be the case anymore.
Does tightening security mean losing some of the openness and customizability that has helped make Android the most popular mobile OS in the world?
Not at all. The openness, customizability, and security of Android are all among its greatest strengths. We think it’s possible to continue to improve on all three.
When we are confronted with a feature that appears to put these principles in conflict, we’ll go to great lengths to find an approach that is balanced. One common strategy is to have the default be more secure (to protect as many users as possible) while allowing users choice (to allow for customization).
We do the same thing with OEMs [device makers], defining a security model that is robust, but also providing a myriad of opportunities to innovate and customize. The resulting diversity is itself a security enhancement, as monocultures are known to be more susceptible to systemic risk. And in some cases, that customization leads to innovative security enhancements, which is a boon for the ecosystem.
Do you think that antivirus, anti-malware, and other third-party Android security apps are needed?
We are committed to making the free protections provided by Google Play the best protection in the world. We already think we’ve accomplished that, and we’ll continue to publish information that makes it possible for others to double-check and confirm it for themselves.
What advice would you give an Android user with security concerns? What actions potentially put them at risk and what can they do to stay safe?
We’ve published a help center article on this topic, here.