Google has spent the past year working with third party manufacturers and phone carriers to improve its update system for Android, which is often criticized for not being fast enough to protect users from known vulnerabilities. And while Google says it has made some progress in this area — Android issued security updates to 735 million devices from over 200 manufacturers in 2016 — about half of Android users still aren’t receiving important security patches.
“There is still a lot of work to do to protect all Android users: about half of devices in use at the end of 2016 had not received a platform security update in the previous year,” Android security leads Adrian Ludwig and Melinda Miller wrote in a year-in-review post. Android issued monthly security updates during that timeframe.
When phone makers discover vulnerabilities in their products — either through external reports from security researchers or through internal audits — it kicks off a race to patch the problem before it’s widely exploited. But in the Android ecosystem, which includes hundreds of carriers and manufacturers, pushing those updates out to every user is a complex process.
While Google-manufactured Pixel and Nexus phones and tablets receive automatic updates, hundreds of manufacturers that run Android on their devices don’t push security updates to their customers immediately. This practice can leave customers waiting for months to get updates, and their devices are vulnerable in the meantime.
Ludwig told TechCrunch that Google has been able to cut the wait time for security updates from six to nine weeks down to just a few days by working with carriers and manufacturers. “In North America, just over 78 percent of flagship devices were current with the security update at the end of 2016,” he explained. “It’s a good number in terms of the progress that it represents. We think we can do better.”
Sharing Google’s data on update speed with carriers and manufacturers is crucial in convincing them to issue quicker security updates. “It’s not about convincing them that it’s important — they already believe that — it’s providing visibility into the specific status, which often they don’t have,” Ludwig said. “Because the ecosystem has so many parties, everyone knew the update rate was low but they thought it was caused by someone else. Providing the information allowed them to take action.”
Carriers are starting to view security updates differently than feature updates, and are getting them into consumers’ hands more quickly, while manufacturers are also restructuring the way they release updates to devices. Google is also contributing to the process by shrinking the size of updates to ensure a faster download and by removing requirements for users to approve every update.
Updates aside, Android has made stronger progress in eliminating what it calls “potentially harmful apps” that sneak trojans, phishing scams and hostile downloaders onto customers’ phones. Google automatically scans apps in the Play store for harmful content, performing “750 million daily checks in 2016, up from 450 million the previous year,” according to the year-end report.
Installs of potentially harmful apps (PHAs) from Google Play decreased in nearly every category:
● Trojans: now 0.016% of installs, down 51.5% compared to 2015.
● Hostile downloaders: now 0.003% of installs, down 54.6% compared to 2015.
● Backdoors: now 0.003% of installs, down 30.5% compared to 2015.
● Phishing apps: now 0.0018% of installs, down 73.4% compared to 2015.
Despite this progress, Ludwig and Miller said that overall installations of potentially harmful apps rose in 2016. “While only 0.71% of all Android devices had Potentially Harmful Applications (PHAs) installed at the end of 2016, that was a slight increase from about 0.5% in the beginning of 2015,” they wrote, adding that they hope to cut that number this year using new tools developed in 2016.
Android also made encryption improvements in its latest operating system, Nougat, and improved sandboxing for audio and video files.