Google Android Security report 2017: We read it so you don't have to

Google wants you to know that it's really progressing well on Android security. Here's a look at the key lessons learned, but save the rather futile debate over Android vs. Apple iOS on security.
Written by Larry Dignan, Contributor

Video: Google launches first developer preview

Google released its Android security report just to let you know that you're not loading up on potentially harmful applications. While the report is partly a marketing vehicle for Android given Apple often touts its security, there are some key takeaways to ponder.

We read through the 56-page Android report so you don't have to. Here are the key takeaways.

TechRepublic: Android Security Bulletin January 2018: What you need to know

This report is about perception and corralling an ecosystem that's hard to wrangle. Google's Android security report touts a bevy of key figure to illustrate how it's on the case. Consider that more than 90 percent of deployed Google Pixel 2 devices were running a security update from the last 90 days as of December 2017. And due to Google Play's security protections, the annual probability of downloading a potentially harmful application (PHA) was cut 50 percent to .02 percent in 2017.


So, rest assured, Android is secure and more so than ever. The subtext: Take that iPhone and iOS!

But Apple iOS vs. Android security argument is futile (apples vs. oranges, if you will). Apple has a relatively closed ecosystem compared to Android and that -- along with the reality that most users are on the same version of iOS -- mean it's more secure for most people. Google, however, makes it easier to report bugs and get paid for it. Google forked out $1.28 million in its Android Security Rewards program in 2017.

Is Android as secure or more secure than Apple iOS? It depends on the threats you face as well as how much you want to tinker. Google touts the Pixel 2, but the tech buyer will have trouble comparing that security model to Samsung's devices. The real question is what Android device has a security advantage. Google has incorporated security into its enterprise recommended device program. Apple has no such need for these nuances with the enterprise.

Read also: The state of mobile device security: Android vs. iOS


Android's security model (think patches from the sky) rhymes with Microsoft's. Google noted that in 2017 it increased the number of Android devices receiving security patches by more than 30 percent. Microsoft has Patch Tuesday and multiple flavors of PCs to protect. Google has more than 60,000 different device models in its ecosystem.

Read also: Why Android's yearly OS updates are better for business | Android Oreo vs Android One vs Android Go: All their differences, explained | Android P: New features, release date, and everything you need to know | Android P will stop apps from silently using your phone's camera and mic

Google Play has given Google more control over security. Like Apple's App Store, one central app distribution point gives Google more security control. Google noted that Android devices that only download apps from Google Play are nine times less likely to get a PHA than devices from other sources. Google Play Protect protects almost two billion devices.

Devices certified by Google's Android Enterprise Recommended

The Android security report is partly aimed at the enterprise. Apple's iOS dominates in the enterprise and Android has to overcome management headaches, security issues, and too many devices to really land CIOs. Google has stepped up its enterprise program and duly noted that fact in its Android security report.

The influx of PHAs now requires daily scanning. Google used to scan devices for PHAs once every six days, but moved to a once-a-day model in 2016. Daily scans led to the identification and removal of 39 million PHAs in 2017. That scale is impressive, but it also highlights how Android is one big target. This scanning can now go offline.

Read also: Mobile device computing policy template (Tech Pro Research)

Cloud and machine learning give Google an edge in security. As for the nuts and bolts, Google is relying heavily on machine learning and its cloud platform to find signals and analyze applications.

The report has some interesting metrics worth noting. Data hygiene is one broad metric that could apply across multiple fronts. Google said:

The broadest statistic we use to measure device hygiene is how frequently a routine full-device scan detects PHAs. Since we began to measure device hygiene in late 2014, less than 1% of devices have PHAs installed on average.

This trend continued in 2017.

Read also: Special report: Cybersecurity in an IoT and mobile world (free PDF)

Here's a look at data hygiene rates across the largest Android markets. The chart highlights the security hot spots. Not surprisingly older versions of Android are the most vulnerable.


More on mobile security

Editorial standards