Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review
By Adrian Ludwig & Mel Miller, Google Android Security Team
March 23, 2017
Today, we’re sharing the third
annual Android Security Year In Review, a comprehensive look at our
work to protect more than 1.4 billion Android users and their data.
Our goal is simple: keep users safe. In 2016, we improved our
abilities to stop dangerous apps, built new security features into
Android 7.0 Nougat, and collaborated with device manufacturers,
researchers, and other members of the Android ecosystem. For more
details, you can read the full Year in Review report or watch our

Protecting users from PHAs
It’s critical to keep people safe from
Potentially Harmful Apps (PHAs)
that may put their data or devices at risk. Our ongoing work in this
area requires us to find ways to track and stop existing PHAs, and
anticipate new ones that haven’t even emerged yet.
Over the years, we’ve built a variety of systems to address these
threats, such as application analyzers that constantly review apps
for unsafe behavior, and Verify Apps, which regularly checks users’
devices for PHAs. When these systems detect PHAs, we warn users,
suggest they think twice about downloading a particular app, or even
remove the app from their devices entirely.
We constantly monitor threats and improve our systems over time.
Last year’s data reflected those improvements: Verify Apps conducted
750 million daily checks in 2016, up from 450 million the previous
year, enabling us to reduce the PHA installation rate in the top 50
countries for Android usage.
Google Play continues to be the safest place for Android users to
download their apps. Installs of PHAs from Google Play decreased in
nearly every category:
- Now 0.016 percent of installs, trojans dropped by 51.5 percent
compared to 2015
- Now 0.003 percent of installs, hostile downloaders dropped by
54.6 percent compared
- Now 0.003 percent of installs, backdoors dropped by 30.5 percent
compared to 2015
- Now 0.0018 percent of installs, phishing apps dropped by 73.4
percent compared to
By the end of 2016, only 0.05 percent of devices that downloaded
apps exclusively from Play contained a PHA, down from 0.15 percent
in 2015.
Still, there’s more work to do for devices overall, especially those
that install apps from multiple sources. While only 0.71 percent of
all Android devices had PHAs installed at the end of 2016, that was
a slight increase from about 0.5 percent at the beginning of 2015.
Using improved tools and the knowledge we gained in 2016, we think
we can reduce the number of devices affected by PHAs in 2017, no
matter where people get their apps.

New security protections in Nougat
Last year, we introduced a variety of new protections in Nougat, and
continued our ongoing work to strengthen the security of the
- improvements: In Nougat, we introduced file-based encryption
which enables each user profile on a single device to be
encrypted with a unique key. If you have personal and work
accounts on the same device, for example, the key from one
account can’t unlock data from the other. More broadly,
encryption of user data has been required for capable Android
devices since late 2014, and we now see that feature enabled
on over 80 percent of Android Nougat devices.
- New audio and video protections: We did significant work to
improve security and
Android handles video and audio media. One example: we now store
different media components in individual sandboxes, where
previously they lived together. Now, if one component is
compromised, it doesn’t automatically have permissions to other
components, which helps contain any additional issues.
- Even more security for enterprise users: We introduced a
variety of new enterprise
including “Always On” VPN, which protects your data from the
moment your device boots up and ensures it isn't traveling from
a work phone to your personal device via an insecure connection.
We also added security policy transparency, process logging,
improved Wi-Fi certification handling, and client certification
improvements to our growing set of enterprise

Working together to secure the Android ecosystem
Sharing information about security threats
between Google, device manufacturers, the research community, and
others helps keep all Android users safer. In 2016, our biggest
collaborations were via our monthly security updates program and
ongoing partnership with the security research community.
Security updates are regularly highlighted as a pillar of mobile
security—and rightly so. We launched our monthly security updates
program in 2015, following the public disclosure of a bug in
Stagefright, to
help accelerate patching security vulnerabilities across devices
from many different device makers. This program expanded
significantly in 2016:
- More than 735 million
devices from 200+ manufacturers received a platform security
update in 2016.
- We released monthly
Android security updates throughout the year for devices running
Android 4.4.4 and up—that accounts for 86.3 percent of all
active Android devices worldwide.
- Our carrier and hardware
partners helped expand deployment of these updates, releasing
updates for over half of the top 50 devices worldwide in the
last quarter of 2016.
We provided monthly security updates for all
supported Pixel and Nexus devices throughout 2016, and we’re
thrilled to see our partners invest significantly in regular updates
as well. There’s still a lot of room for improvement, however. About
half of devices in use at the end of 2016 had not received a
platform security update in the previous year. We’re working to
increase device security updates by streamlining our security update
program to make it easier for manufacturers to deploy security
patches and releasing
to make it easier for users to apply those patches.
On the research side, our Android Security Rewards program grew
paid researchers nearly $1 million for
their reports in 2016. In parallel, we worked closely with various
security firms to identify and quickly fix issues that may have
posed risks to our users.
We appreciate all of the hard work by Android partners, external
researchers, and teams at Google that led to the progress the
ecosystem has made with security in 2016. But it doesn’t stop there.
Keeping users safe requires constant vigilance and effort. We’re
looking forward to new insights and progress in 2017 and beyond.