Google just released its 2014 Android Security Year in Review, an intensely data-driven report intended to bring transparency to the vulnerability of phones running on Android. Its findings: fewer than 0.15% of devices that only install from Google Play had installed a Potentially Harmful App (PHA), an app that poses a threat to users or their data. Overall, fewer than 1% of Android devices had a PHA installed in 2014. Apple, Microsoft, and BlackBerry haven’t released similar figures.
The report reads more like a Centers for Disease Control study than one produced by an information technology company. It’s an apt analogy: If we’ve learned anything from the steady stream of news reports about security breaches, malware is as inevitable as disease. And while both are impossible to fully eradicate, they can be detected and managed within a population. And like the CDC, Android security operates at scale by regularly testing over a billion devices to predict and respond to malware infection trends.
Google uses an analytic approach to security for a practical reason beyond the company’s oft-cited obsession with managing everything from search ads to human resources with data analysis. From the beginning, Android was designed to leave the choice of hardware to manufacturers like Samsung, HTC, and Motorola to allow for innovation and competition. Mobile carriers and manufacturers bought into Google’s approach shortly after the iPhone was introduced because they wanted the common Android operating system to introduce competition and prevent an Apple smartphone monopoly. This resulted in a diverse, but also unpredictable, ecosystem, which poses challenges to fighting malware.
Google splits its PHA detection between the Google Play Store and the device. Apps submitted to the Play Store undergo automatic testing for malware before they are made available for download. Detection of malware relies partly on analysis of how the app operates and partly on big data to predict which apps may be harmful. This helps detect threats on over 1 billion devices, each of which sends anonymized data to Google. About 200 million devices are scanned each day.
When users circumvent the Play Store security by directly loading an app, Verify Apps, Android’s malware detection feature, will still scan it. If malware is detected, it will enforce a multistep confirmation to ensure the user really intends to install a PHA. The scan results and the user’s decision to install or not to install are uploaded to Google, giving it a balanced perspective of Android’s malware susceptibility outside of the safety of the Play Store.
The data uploaded from Verify Apps provides Google with up-to-the-minute global security status. The report points out that the source of the apps is a critical factor in blocking PHA installations. In 2014, about 0.4% of U.S. devices had a PHA installed, about 0.2% lower than the worldwide average; users in the U.S. typically download tested apps from the Play Store. Users installing apps from stores in other geographies such as China, Russia, and the Arab Emirates have a much greater chance of installing a PHA.
In the newest version, Android 5, Google’s development team has borrowed technology from the SELinux kernel that mandates how apps operate safely on an Android device. It blocks apps from taking control of system functions, like an unauthorized app that uses the camera or microphone for a purpose unintended by the user. It will take some time for users with devices that have previous Android versions to get this feature, since Google can’t directly update most of its Android devices and relies on mobile carriers and manufacturers to deliver these updates.
The report provides transparency into the state of Android security, but it also may spark a movement to similarly quantify mobile security with Apple.
Technology writer Steven Max Patterson lives in Boston and San Francisco, following trends in software development platforms, mobile, IoT, wearables and next generation television. His writing is influenced by his 20 years of experience covering or working in the primordial ooze of tech startups. Follow him on Twitter at stevep2007.