How safe and secure is Android? It highly depends on where you get your apps and, to a large degree, what country you're in, based on a 44 page whitepaper Google published on Thursday. The document is filled with data from the billions of daily data points it captured throughout 2014.
Just the facts, please
While no in-house survey should be accepted at face value, Google is really in the only position to gather and compile such a wide range of Android data; third-parties can only offer a glimpse at the overall security picture for Android. With that in mind, here are some of the high-level points Google has broken out from the data:
- Over 1 billion devices are protected with Google Play which conducts 200 million security scans of devices per day.
- Fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014. Fewer than 0.15% of devices that only install from Google Play had a PHA installed.
- The overall worldwide rate of Potentially Harmful Application (PHA) installs decreased by nearly 50% between Q1 and Q4 2014.
- SafetyNet checks over 400 million connections per day for potential SSL issues.
- Android and Android partners responded to 79 externally reported security issues, and over 25,000 applications in Google Play were updated following security notifications from Google Play.
In the whitepaper, Google breaks down the various security threats it sees as potential harmful to Android users: Data is available for Spyware, Ransomware, and WAP/SMS fraud, as well vulnerabilities in SSL, the underlying Linux kernel for Android and issues specific to equipment makers and particular systems-on-a-chip.
Based solely on the data in the whitepaper, it appears that Google has improved Android security in nearly every area. Again, a dose of skepticism is warranted in that Google is being forthcoming with the information it has access to.
Taking steps for better security
But the company has made important strides to improve security -- both proactively and when faced with reports of rogue apps -- in the recent months. These range from a revamped application review process announced last month and improved system-level protection for apps installed outside of the Google Play Store, where the security risks are visibly higher.
The latter part is worth mentioning, mainly because says fewer than 0.15 percent of Android devices downloading from the Play Store had a potentially harmful app (PHA) installed.
Google's Verify Apps technology expanded in March of 2014 to not just scan apps for potential issues at the time of installation but to continue scanning them afterwards. The company's whitepaper notes that during the month of October last year, the Verify Apps tool was scanning 200 million devices per day solely for security details; not for personal data. The Verify Apps scanning volume jumped more than 300 percent last year, helping to protect more devices, says Google.
In some countries, it's still a wild-west show
If those devices are in Russia, I'd be concerned however. The region repeatedly showed up in Google's data to have a significantly higher source of potentially harmful applications.
While the worldwide rate of Android devices with a PHA is 0.8 percent, between 3 and 4 percent of Android phones and tablets in Russia downloaded a harmful app, with many of those coming from outside the Google Play Store.
And really, that's the moral of the story. Google can't yet guarantee that every Play Store app is safe and sound for your Android device; once you leave its app store, you're treading more dangerous waters. Adding security scans and system-level tools is helpful but it's difficult for Google to combat things beyond its control.