Is Android still a toxic hellstew?

Two years ago I pointed the finger at Google and the hardware OEMs for turning the Android platform into "a toxic hellstew of vulnerabilities." Well, are things any better now?

Let's begin by taking a look at what Google itself has to say. In its latest Android Security Report, the company claims that about 70 percent of "all active Android devices are on a version that we support with patches." That sounds good until you realize that:

  1. This means 30 percent of devices are on versions that don't get updates
  2. If the Android ecosystem consists of about 1.4 billion devices, that 30 percent translates into some 400 million devices
  3. The next sentence - "We have provided these regular updates directly to manufacturers since the release of these versions of Android" - suggests that manufacturers are getting these updates from Google, but it says nothing about the proportion of end users who actually receive them

But the report also shows that Google is doing a better job of finding and patching vulnerabilities than ever, both internally and by engaging the wider security community through bug bounties.

This is all good.

There's also good news on the malware front (which Google refers to as PHAs, or Potentially Harmful Applications): device infection rates average around 0.5 percent overall, and that figure drops to 0.15 percent for devices that only install apps from the Google Play store.

However, there are a lot of Android devices out there, so as Sophos security evangelist Paul Ducklin points out, even a sub-1 percent infection rate across an ecosystem of over a billion devices translates into millions of devices infected with PHAs in the wild.

Is that sub-1 percent infection rate good or bad?

Let's compare that to PCs. According to a PandaLabs report for 2015, over 30 percent of the world's PCs are infected with malware, worms, and PUPs (Potentially Unwanted Programs). Make of that number what you will (I'm sure you will), but it's clear that the PC ecosystem is in more of a mess than Android is.

It's much harder to draw a comparison between Android and iOS. While it seems to be much harder to get malware onto iPhones and iPads, it can't be said that iOS is perfect; far from it.

So, what's the bottom line here? Is Android still a toxic hellstew?

It depends.

For Google Nexus users who install the regular trickle of patches, and who only download apps from the Google Play store, the answer is no. The chances of being exposed to the toxic hellstew are small, and even if you are, there's a good chance that Google will clean things up pretty quickly.

If you've bought from another hardware maker, your mileage may vary. Samsung and BlackBerry have both issued statements about their update plans, so that helps to clear up some things, but even then update coverage can be patchy to say the least. Still, if you play it safe, only download apps from Google Play, and install updates if and when they become available, the chances of things going bad are pretty low.

Google, it seems, is picking up the pace with respect to patching Android and keeping the Google Play store clean. It's a tough job, but the company has certainly embraced the challenge over the past two years.

I think it could work harder to untangle security updates from the OEMs and carriers, but that's not going to be easy. But on the whole, Google's done a lot in a couple of years. I'll give it an A-.

I also think there's real work to be done by the third-party Android hardware makers, along with the carriers, to get patches to users in a more timely fashion.

Here I think the industry deserves a "could do better."

But the real problem is all the old hardware out there. Devices still running Jelly Bean, Ice Cream Sandwich, and Gingerbread, believe it or not, account for about a quarter of all active Android devices today. These are way beyond ever seeing an update. Sure, there are fewer and fewer as the months progress and old devices die, but just as with Windows XP, this is a problem that's going to take a long time to disappear completely.

If you're an owner of one of these devices, then you need to give serious consideration to upgrading. This is the real danger zone. While you might be able to dodge a lot of the bullets by being careful and only downloading from Google Play, you're always going to be at risk from unpatched vulnerabilities such as Heartbleed, Pileup and the like. You're playing Russian roulette with your data and privacy.

You are knee deep in the hellstew.

As for folks who root their devices, or install stuff from shady sources, well, you're on your own.