Google's head of Android security David Kleidermacher claimed in an interview that "Android is now as safe as the competition" on the release of the company's 2017 Android Security report, which seeks to reassure users that it is doing everything it can to protect them from malware and exploits. The problem is that Google can't secure the 2 billion Androids it claims as its platform.
Google claims a lot
Kleidermacher's claim, made during a media tour surrounding the release of its Android Security 2017 Year in Review, sounds a lot like one made in 2014 by Google's former chairman Eric Schmidt, who similarly boasted to the media that "our systems are far more secure and encrypted than anyone else, including Apple."
That was not true at the time and remains false today. A large number of Androids don't even support Full Disk Encryption, which has been on by default on iOS for years.
Of course, Schmidt regularly uttered bold pronouncements that turned out to be clear fictions, such as claiming in 2011 that third-party developers would prioritize Android over iOS in 2012 and that the majority of televisions would be running Google TV. Back then, the media uncritically reiterated his claims as if they were factual.
Google is now trying to peddle an alternative reality where Android is super secure, following several years of embarrassing, massive security lapses, wide scale malware outbreaks, malicious spyware and architectural errors that broke Android's Full Disk Encryption among the subset that could even support it in hardware— all exacerbated by Google's negligent security delegation strategy that inherently put Android users at high risk.
Google Play Protect
In fact, many of the security problems of Android come from Google's notion of "openness" in the loading of mobile software from any source. That's a strong point of differentiation from Apple, which curates App Store titles and works to prevent malicious or dangerous titles from even entering circulation.
Apple's curation works to prevent toxic sewage from ever entering the water supply, Google's approach for Android is to try to filter out sludge after it notices that it's doing damage
While Apple's curation works to prevent toxic sewage from ever entering the water supply, Google's approach for Android is to try to filter out sludge after it notices that it's doing damage, using automated machine learning.
This retroactive security approach of Google Play Protect requires sewage filtration on the device because Google doesn't effectively control the flow of bad Android apps. But having another filtration task running in the background is more work for devices that are already underpowered and suffering from performance and battery life issues.
Yet as Google's latest security report noted, "we recognized that nearly 35 percent of new PHA [malware risk] installations were occurring when a device was offline or had lost network connectivity. As a result, in October 2017, we enabled offline scanning in Play Protect, and have since prevented 10 million more PHA installs." (PHA is Google's euphemism for viruses, malware, spyware and ransomware).
Google noted that it removed 39 million bad titles automatically, so another ten million filtered out on the device means Google Play Protect managed to strain 49 million sewer downloads out of what it was actively delivering to users on Google Play.
The company also stated that "devices that downloaded apps exclusively from Google Play were nine times less likely" to end up with malware, meaning that users who dabbled outside of Google's store experienced a total of 441 million dirty downloads just last year— and Google Play Protect filtered out just 11 percent of them from Google Play.
The elusive Android Security Update
Google's security report next moved to security updates, stating that "we also partner with device manufacturers to make sure that the version of Android running on users' devices is up-to-date and secure. Throughout the year, we worked to improve the process for releasing security updates, and 30 percent more devices received security patches than in 2016."
Any improvement in security patches is great, but it's noteworthy that Google didn't provide any useful numbers to gauge how many users were actually receiving security updates. Last month, SecurityLab did profile mobile OS providers and the length of time it takes them to distribute software patches and how long they deliver them for their models, and it was not flattering for any of Google's Android licensees.
The rare Android Update
Google and its partners have also been doing a poor job of getting full Android updates to users. Over the first four months since its release, iOS 11 found its way to 65 percent of iOS devices, and only seven percent of Apple's installed base were using something earlier than iOS 10. On Android's side, barely one percent were running Oreo, and only 28 percent were running the iOS 10-era Nougat. Nearly seventy percent of active phones in use were running a version of Android more than two years old.
Google has worked to deliver some feature updates using Google Play Services, a software package it can push to users even on older versions of the Android OS. However, diagnostic testing indicates that this software is unstable and crashed more than any other code on Android devices. There are also a variety of security issues and features that Google Play can't address.
One is encryption. While all iOS devices have shipped with Full Disk Encryption since iOS 8, Google didn't even begin requiring FDE be active by default until Marshmallow (largely because most Androids were not fast enough to support encryption). Further, this requirement was only for manufacturers of new devices, not Over The Air Android updates to existing users, where encryption remained optional.
That means most Android users would need to manually erase and scramble every block on their devices to make sure their data could not be recovered by another user. Most of the people affected by this lapse in security probably don't even know that. On iOS, users can remotely erase a stolen phone or simply do a device reset that securely removes any ability to recover data from it, because the device is encrypted by default.
Another real-world example of the inadequacy of Google's software update policies for Android and the disconnect between supposed updates and real-world impact: graphics. Google added support for OpenGL ES 3.1 in Android 5.0. Today, that should theoretically be available to more than 80 percent of Android users, but Google's figures show that only 18.3 percent of devices actually support it, in large part because Google has no control over the graphics hardware its licensees use, just as it has historically had little control over encryption, the storage of biometric data and other serious aspects of security.
In contrast, Apple has an installed base that is not only automatically encrypted, but fully secured by Touch ID or Face ID, rather than experimenting with cheap fingerprint implementations like Samsung's that stored data insecurely or that featured "face recognition" security theater that didn't work.
In parallel, that also means that rather than weakly pushing ahead on graphics standards for years and making little real progress, Apple could develop its own highly-optimized Metal API and very rapidly make it ubiquitous across virtually all of its iOS and Mac users. Support for iOS 11 means support for Metal.
Google advanced a new architecture for Android O intended to make it easier to deploy new updates to existing hardware. Called "Treble," the feature draws a separation between the low-level drivers related to fragmented hardware and the core OS above it. This modular design makes it easier to update higher level Android software across a wider range of devices. However, this requires support from hardware makers to enable Treble on their hardware.
Notably, Google did not support Treble on its own Nexus 5x, 6P or Pixel C, a hint that indicated that it didn't plan to continue supporting its products, even after building the mechanism to do this. If Google doesn't bother to implement its own Treble on the phones it makes for its fans, will third parties bother to do this when the only real difference it would make is possibly preventing a replacement sale?
4.5M Pixels show how bad the other 2B Androids are
"We've long said it, but it remains truer than ever: Android's openness helps strengthen our security protections," Google's security report stated, seemingly unaware of the fact that Android has been "open" for almost a decade but has also suffered far worse security lapses, architectural flaws and malware infections than iOS.
Google also touted its Android Security Rewards program, which has paid developers millions of dollars to hunt down and report critical vulnerabilities. It then bragged that "at the 2017 Mobile Pwn2Own competition, no exploits successfully compromised the Google Pixel," a phone that has no commercial footprint and no significant user base, and which presumably has already paid for its security vulnerabilities.
What that really indicates is that Google's "Pure Android" Pixel vision of what an Android phone could be— secured and regularly patched by a vendor who cares about its security reputation— is not representative of the other 2 billion Androids that are in actual use around the world.