Android suffers from a reality-based reputation problem, with reports of malicious apps stealing user data and critical security vulnerabilities that can take over user devices. Over the years, Google has been working to improve its mobile operating system with new security features, the release of monthly security updates, and better tools to detect and remove malicious apps both on devices and in the Google Play app store. As a result, Android is safer than you may believe, the company says in its annual report.

Google deserves credit for improving Android security last year: The release of Safe Browsing API, file-based encryption, verified boot, and media server hardening has tremendously improved the overall security of Android devices.

But Google’s report shows mixed results for the overall state of Android security.

1. Mobile malware fears are overstated

There are and (and !) of warnings about malicious apps and mobile malware. They’re mostly found on unsanctioned third-party app marketplaces, but some manage to bypass security controls and sneak into Google Play.

, the research arm of mobile authentication provider Duo Security. Duo’s analysis suggests that, among the top 50 Android models used by businesses, 46 percent of devices received a security patch in the previous 90 days, and 81 percent had received one in the previous 180 days. Although it’s better to patch devices with each update, the Android updates are cumulative, so users who eventually update are covered up till that patch version.

Still, the overall numbers for Android security aren’t great. A substantial percentage of Android devices remain at risk. That’s even true for critical security vulnerabilities. For example, Duo found that at the end of 2016, 40 percent of affected Android devices hadn’t applied patches for four vulnerabilities (CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, and CVE-2016-5340) that affected a widely used Qualcomm chip set, though the patches were released between July and October.

The percentage of unpatched Android devices is particularly troubling when you realize that the vast majority—96 percent—of Android devices support getting the monthly updates, said Rich Smith, R&D director of Duo Labs. “The unfortunate reality seems to be that carriers just have to wait 30 days for the hype to die down and then everyone forgets,” he said.

3. Google, LG, Samsung, and Sony are among the best at updating

Although Google didn’t say what devices are included in its “top 50 devices” list, the report gives some indication of what devices are receiving regular updates: Asus Zenfone 3, BQ Aquarius M5, Google Pixel, Google Pixel XL, LG V20, Motorola Moto Z Droid, Nexus 6P, Nexus 5, Nexus 5X, Nexus 6, OnePlus OnePlus3, Oppo A33W, Samsung Galaxy S7, Sony Xperia X Compact, and Vivo V3Max all had an update rate between 60 percent and 95 percent by the end of 2016.

Over 78 percent of “active flagship Android devices on the four mobile major network operators” had a security patch level from the last three months. Those devices include Samsung’s Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6, Galaxy S6 Edge, Galaxy S6 Edge+, Galaxy S6 Active, Galaxy Note 5, Galaxy Note 4, Galaxy Note Edge, and Galaxy A5 (2016); LG’s G5, G4, G3, and V10; Lenovo’s Moto X Play, Moto X Style, Moto X Force, Droid Maxx 2, and Droid Turbo 2; Huawei’s Mate 8, Mate S, P8, and P9; and Sony’s Xperia Z4, Xperia Z5 Compact, and Xperia Z5 Premium.

Although the Android update process covers all devices running Android KitKat 4.4.4 and later, which accounts for 86.3 percent of all active Android devices worldwide, it’s a sure bet that updates still depend on geographic location, carrier, and manufacturer. Anyone in the market for a new device should consider that some manufacturers appear to be better about updates than others.

4. Users aren’t taking advantage of Smart Lock

Smart Lock, introduced back in 2014 as part of Android Lollipop 5.0, lets a device remain unlocked while it is in the user’s possession. Smart Lock depends on a combination of security signals, including facial recognition, trusted places such as the user’s home or office, and the presence of a paired Bluetooth device such as a smartwatch. The idea is to reduce the number of times a user has to manually enter a password, while still encouraging users to adopt a secure lock screen that protects the device when it’s not nearby. Google estimates that the use of Smart Lock can reduce the number of times people have to manually unlock the device by 90 percent.

But fewer than half of Android devices worldwide have enabled Smart Lock, according to the report. The country breakdown is even wackier—with Somalia having the highest adoption rate at 82 percent, followed by Samoa at 78 percent.

Smart Lock adoption rates get more interesting when you combine them with the data from Duo Labs. Duo found that 70.7 percent of Android devices it tracks have enabled Smart Lock. The difference is due to Google tracking all Android devices and Duo tracking ones used by businesses. Businesses tend to require the use of passwords, which they can enforce through Exchange or mobile management policies. Such requirements impose a burden on users that seems to drive them to using Smart Lock to ease that burden.