Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review

Posted by Adrian Ludwig & Mel Miller, Android Security Team

Today, we're sharing the third annual Android Security Year In Review, a
comprehensive look at our work to protect more than 1.4 billion Android users
and their data.

Our goal is simple: keep our users safe. In 2016, we improved our abilities to
stop dangerous apps, built new security features into Android 7.0 Nougat, and
collaborated with device manufacturers, researchers, and other members of the
Android ecosystem. For more details, you can read the full
Year in Review report
or watch our

Protecting you from PHAs

It's critical to keep people safe from Potentially
Harmful Apps
(PHAs) that may put their data or devices at risk. Our ongoing
work in this area requires us to find ways to track and stop existing PHAs, and
anticipate new ones that haven't even emerged yet.

Over the years, we've built a variety of systems to address these threats, such
as application analyzers that constantly review apps for unsafe behavior, and
Verify Apps which regularly checks users' devices for PHAs. When these systems
detect PHAs, we warn users, suggest they think twice about downloading a
particular app, or even remove the app from their devices entirely.

We constantly monitor threats and improve our systems over time. Last year's
data reflected those improvements: Verify Apps conducted 750 million daily
checks in 2016, up from 450 million the previous year, enabling us to reduce the
PHA installation rate in the top 50 countries for Android usage.

Google Play continues to be the safest place for Android users to download their
apps. Installs of PHAs from Google Play decreased in nearly every category:

  • Now 0.016 percent of installs, trojans dropped by 51.5 percent compared to

  • Now 0.003 percent of installs, hostile downloaders dropped by 54.6 percent
    compared to 2015

  • Now 0.003 percent of installs, backdoors dropped by 30.5 percent compared to

  • Now 0.0018 percent of installs, phishing apps dropped by 73.4 percent
    compared to 2015

By the end of 2016, only 0.05 percent of devices that downloaded apps
exclusively from Play contained a PHA; down from 0.15 percent in 2015.

Still, there's more work to do for devices overall, especially those that
install apps from multiple sources. While only 0.71 percent of all Android
devices had PHAs installed at the end of 2016, that was a slight increase from
about 0.5 percent in the beginning of 2015. Using improved tools and the
knowledge we gained in 2016, we think we can reduce the number of devices
affected by PHAs in 2017, no matter where people get their apps.

New security protections in Nougat

Last year, we introduced a
variety of new protections
in Nougat, and continued our ongoing work to strengthen
the security of the Linux Kernel

  • Encryption improvements: In Nougat, we introduced
    file-based encryption which enables each user profile on a single device to be
    encrypted with a unique key. If you have personal and work accounts on the same
    device, for example, the key from one account can't unlock data from the other.
    More broadly, encryption of user data has been required for capable Android
    devices since in late 2014, and we now see that feature enabled on over 80
    percent of Android Nougat devices.

  • New audio and video protections: We did significant work to
    security and re-architect
    how Android handles video and audio media. One
    example: We now store different media components into individual sandboxes,
    where previously they lived together. Now if one component is compromised, it
    doesn't automatically have permissions to other components, which helps contain
    any additional issues.

  • Even more security for enterprise users: We introduced a variety
    of new enterprise security features
    including "Always On" VPN, which
    protects your data from the moment your device boots up and ensures it isn't
    traveling from a work phone to your personal device via an insecure connection.
    We also added security policy transparency, process logging, improved wifi
    certification handling, and client certification improvements to our growing set of enterprise

Working together to secure the Android ecosystem

Sharing information about security threats between Google, device manufacturers,
the research community, and others helps keep all Android users safer. In 2016,
our biggest collaborations were our monthly security updates program and ongoing
partnership with the security research community.

Security updates are regularly highlighted as a pillar of mobile security—and
rightly so. We launched
our monthly security updates program
in 2015, following the public
disclosure of a bug in Stagefright, to help accelerate patching security
vulnerabilities across devices from many different device makers. This program
expanded significantly in 2016:

  • More than 735 million devices from 200+ manufacturers received a platform
    security update in 2016.

  • We released monthly Android security updates throughout the year for devices
    running Android 4.4.4 and up—that accounts for 86.3 percent of all active
    Android devices worldwide.

  • Our carrier and hardware partners helped expand deployment of these updates,
    releasing updates for over half of the top 50 devices worldwide in the last
    quarter of 2016.

We provided monthly security updates for all supported Pixel and Nexus devices
throughout 2016, and we're thrilled to see our partners invest significantly in
regular updates as well. There's still a lot of room for improvement however.
About half of devices in use at the end of 2016 had not received a platform
security update in the previous year. We're working to increase device security
updates by streamlining our security update program to make it easier for
manufacturers to deploy security patches and releasing A/B
to make it easier for users to apply those patches.

On the research side, our Android Security Rewards program grew rapidly: we paid
researchers nearly $1 million dollars
for their reports in 2016. In
parallel, we worked closely with various security firms to identify and quickly
fix issues that may have posed risks to our users.

We appreciate all of the hard work by Android partners, external researchers,
and teams at Google that led to the progress the ecosystem has made with
security in 2016. But it doesn't stop there. Keeping you safe requires constant
vigilance and effort. We're looking forward to new insights and progress in 2017
and beyond.

Related Posts

Subscribe Our Newsletter