Over the years, plenty of FUD — fear, uncertainty, and doubt — spread surrounding Android security. And I’ll be honest: much of it was well deserved in the early days. The fragmented nature of Android, the sheer amount of stuff that required a complete firmware upgrade to change, and the reticence of phone makers to roll out those issues than the iPhone.
Apple could quickly patch its entire ecosystem ten years ago if a significant iPhone security vulnerability had been discovered. On Android, you could be left waiting months if a fix ever made it to your device. For an Android security issue to be addressed in 2011, new code had to be, then integrated into your phone’s firmware by the manufacturer, and eventually signed off by your carrier. That’s not an is of the essence, as it likely would be if a nasty new software vulnerability were being exploited in the wild.
Android security has come a long way in the past ten years.
But Android in general, and Android security in particular, has come a long way in the past decade. The best Android phones now guarantee four years of regular security patches, and Android is now more secure by design. And the tired trope of being mired in malware is now outdated.
The problem is that how Google keeps Android safe and secure is nebulous and pretty technical. While Apple, with its vertical integration and relatively small number of phone models, can roll out complete firmware updates at will, Google’s more extensive, more diverse, and less directly controlled ecosystem requires a different approach.
Google Play Services
Almost every Android phone sold in the West comes with Google Play Services — it’s an integral part of the package of apps preloaded onto Google Android phones, and Google can silently update it in the background. But Play Services is far more powerful than your average app. That’s because it’s a system app, which means it has the keys to the castle, allowing for features like a remote wipe of your phone if it’s lost or stolen. (For that reason, your manufacturer must first load system apps onto the device. They can’t be installed from scratch like a standard app.)
Current versions of Play Services have been supported back to Android 5.0 Lollipop, released in 2014. The last version of Android to lose Play Services support was 4.0 Ice Cream Sandwich, released in 2011 and retired in 2018. For “current” Services support, the timeframes we’re discussing here are much longer than most people will ever keep a smartphone.
Play Services also does many other things, allowing developers to integrate services like. But let’s zero in on the security implications: , constantly kept up-to-date in the background, supported on devices released seven or more years ago, and with permission to do anything, is a powerful tool in Google’s Android security arsenal.
Play Services is always up-to-date, even on old Android phones, protecting against malware.
Google Play Protect, for instance, is part of Play Services. This lets Google check the apps on your phone for malware, whether or not they’re downloaded from the Play Store. Because Play Services is a system app, Play before they have a chance to do any harm. And because Play Services is constantly updated, these defenses can be kept up to date in the background many years after your receives its last proper firmware update. It’s a way for older devices to be protected against malicious apps, even if they use software vulnerabilities still technically present in the underlying OS.
This can give S4, released in 2013, a decent level of protection against vulnerabilities in its Android 5-based firmware.
A great example of the power of Play Services can be seen in the Covid-19 Exposure Notification System. Google was able to with Apple and, thanks to Play Services, automatically deploy it to every Android phone running 5.0 Lollipop or above without updating its firmware.
When scary software vulnerabilities emerged, as happened in 2014 with the, Google immediately updated its “Verify Apps” feature (a precursor to Google Play Protect) to identify offending apps. This allowed the vulnerability to be nipped in the bud long before manufacturers rolled out firmware updates addressing the underlying bug.
But of course, not having vulnerabilities in the first place is better than just preventing them from being exploited. In recent years, Google has tackled Android’s long-standing firmware update problem in several ways: Firstly, by making Android more modular and with manufacturers during Android’s development. And secondly, by clearly tying a date to Android’s level of security and writing minimum support requirements into its contracts with phone makers.
Android goes modular
A decade ago, Android was a significant monolithic entity that had to be updated all at once. Changes to system-level things like media codecs or networking — or even the built-in or dialer app — could only be done via a full firmware update, with all the hassle that entails. (First, Google pushes new code out, then the manufacturer turns it into a device-specific firmware update, then the carrier has to sign off.) And as mentioned earlier, that’s slow and pretty bad for security if an exploitable bug is discovered.
Since then, Google has made Android more modular, making it quicker and easier for out OS updates. And more recently, it has become possible to update chunks of the Android OS without a complete firmware upgrade. This makes it possible for Google and phone manufacturers to respond fast to fix security issues in certain parts of the OS.
Google’s earliest steps in this direction involved breaking certain apps and components out of the firmware and allowing them to be updated via the Google Play Store. The best examples are and the Android WebView component — used for web content inside Android apps. fix browser engine bugs that could be exploited by malicious web pages and get them rolled out to the entire Android ecosystem in hours instead of months.
Recent versions of Android get rid of the update middleman.
In 2017’s Android 8.0 Oreo release, Google stepped up a gear with “Project Treble.” This effort was to disentangle the low-level bits of Android from chipset manufacturers like Qualcomm from the rest of the and create a more modular OS that could be updated quickly. With hardware companies able to separate their customizations from the core OS, the idea was that firmware updates could be pushed out more rapidly and with less technical legwork. Project Treble isn’t something you’ll notice running on your device, but it could be why the you bought in 2018 got OS updates quicker than the one you purchased in 2016. And quicker updates, of course, are better for security.
The in modularizing Android came in Android 10, with “Project Mainline” — known today as “Google Play System Updates.” Mainline is all about sidestepping the existing over-the-air firmware process and bundling Android parts into new modules that could be updated directly by Google or your phone’s manufacturer. Mainline grew in with updateable modules for more Android system bits like Wi-Fi, tethering, and neural networking components. And (the Android runtime), bringing more security benefits. As AC’s Jerry Hildenbrand explains in a recent editorial:
In Android 12, any security exploits found in how the Android runtime works could be quickly and easily fixed across the entire Android ecosystem.
To understand how Android’s security has improved so much since the early 2010s, it is interesting to look at one of the past decade’s major Android security scares: 2015’s Stagefright. Stagefright involved an exploit in the .
One of the scariest Android security bugs of 2015 would be wholly neutered by Project Mainline. While there’s no evidence that Stagefright was ever widely used in real-world malware — probably because other security precautions in Android made it very difficult to take advantage of — it was nevertheless big news at the time. In 2015 there was no single silver bullet for Stagefright. Unlike an app-based vulnerability, Google Play Protect couldn’t stop lousy media files from potentially compromising your phone. The only fix was to wait for a firmware update and hope for the best.
But if something like Stagefright were discovered in 2021, it would be trivial to address. Google would prepare a Project Mainline update for the media playback library and instantly fix the bug across Android 10 and up devices. With more of Android being modularized in each new version of the OS, it’s far less likely that Google will be caught out by an exploit like Stagefright in the future.
Android security patches
As a direct result of the Stagefright bug, in late 2015, Google introduced Android security patch levels, tying a precise date to the level of security in any Google-approved Android firmware. The extra visibility of the security patch shone a light on the over and under-achieving Android manufacturers while also giving peace of mind when new updates arrive. New patches are issued monthly, addressing recently discovered security issues, with device manufacturers giving a one-to-two-month lead time to get security patches pushed out to devices.
Two years of security updates are now contractually required by Google.
More recently, Google has started writing minimum security support levels into its contracts with Android manufacturers. The Verge reported that phone makers would need to guarantee at least two years of security updates for new phones, with at least four security updates within the first year. By the standards of most high-end phones, that’s a pretty basic level of support. But that’s just what it is: a bare minimum. Many others at the high end go much further, including Samsung’s recent promise of .
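The patch level described above is exposed on a device as the build property `ro.build.version.security_patch`. The following is an added example, not part of the original article: it parses `getprop`-style output and flags firmware whose patch date is older than a threshold. The 90-day threshold is an assumption standing in for the four-updates-per-year minimum, and the sample dumps are constructed.

```python
import re
from datetime import date

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")
PATCH_PROP = "ro.build.version.security_patch"
MAX_AGE_DAYS = 90  # assumption: roughly one security update per quarter


def parse_getprop(text):
    """Turn getprop output into a dict, ignoring lines that do not match."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def patch_status(getprop_text, today):
    """Classify a device by the age of its security patch level."""
    raw = parse_getprop(getprop_text).get(PATCH_PROP, "")
    if not raw:
        # Firmware that predates patch levels (late 2015) has no such property.
        return {"patch_level": None, "age_days": None, "verdict": "no-patch-level"}
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        return {"patch_level": raw, "age_days": None, "verdict": "unparseable"}
    age = (today - level).days
    verdict = "current" if age <= MAX_AGE_DAYS else "stale"
    return {"patch_level": raw, "age_days": age, "verdict": verdict}


# Constructed sample dumps, not taken from real devices.
RECENT = "[ro.build.version.release]: [12]\n[ro.build.version.security_patch]: [2021-10-01]\n"
OLD = "[ro.build.version.release]: [9]\n[ro.build.version.security_patch]: [2020-03-01]\n"
LEGACY = "[ro.build.version.release]: [5.0.1]\n[ro.product.model]: [example-model]\n"

if __name__ == "__main__":
    for name, dump in (("recent", RECENT), ("old", OLD), ("legacy", LEGACY)):
        print(name, patch_status(dump, date(2021, 11, 15)))
```

A device reported as `no-patch-level` is not necessarily unprotected, since Play Services defenses are updated separately from firmware, but its firmware bugs are no longer being fixed.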
A decade of progress
Between faster Android updates thanks to Project Treble, more accessible updates to parts of the OS without a complete firmware upgrade, longer support lifespans, and a solid last defense against malware from Google Play Protect, Android’s security today is robust. Today’s most highly publicized risks come from phishing attacks instead of malicious apps or media files. Or in other words, as Android security is strengthened, the bad guys are increasingly opting to trick you, not your phone.
That’s not to say the Android security and situation is perfect. In an ideal world, when patching security vulnerabilities. We’re getting there with Project Mainline, but it’ll take time for the benefits of the new Mainline modules added in Android 11 and Android 12 to trickle out to the Android ecosystem. Google Play Protect is as good as it utilizes app-based Google Play Protect malware instead of other exploits. And I would argue that the contractual minimum of one security update every three months doesn’t go far enough. (Case in point: The of many cheaper OnePlus Nord phones.)
The platform has come a long way since 2011, and the past decade of progress means Android is well-positioned to see off the software threats of the future. At the same time, in 2021, the old stereotype of Android being rife with malware and firmware exploits is further from the truth than ever. And direct comparisons with the iOS Android like Play Services and Project Mainline.