Google is on a serious quest to create an ultimate security fortress around Android. Google’s mobile operating system has a tough reputation to shake, as multiple vulnerabilities give some people the impression that Android is like an unlit alley in a seedy part of town.
The reality is different, and things are changing fast when it comes to how rapidly Google is shoring up Android’s defenses. With Android market share dominant worldwide and the Google Play store ready to transform Chrome OS into the next Windows, Google is reworking what was once the Wild West of app development into a malware-free zone.
But it’s not there yet. Some areas of Android security are finally rock solid, while there are other areas that Google definitely needs to nail down. But don’t forget that most of security is consumer behavior: if you take the right steps, there’ll be little for you to worry about.
FIVE BRIGHT SPOTS
Google has made tremendous progress in terms of making Android a more secure environment for consumers and the enterprise. These are five areas that you can feel good about if Android is your platform of choice.
The Google Play Store: A detailed blog post earlier this year laid out the upgraded security work being done to keep Android apps malware free. Google's process now resembles the one Apple uses for its App Store: apps are reviewed before they're published, and Google also scans each APK for malware and other threats, both at submission and afterwards. With the Google Play Store coming to Chromebooks, the incentive is even higher for Google to keep its app storefront clean.
Monthly security updates: After the Stagefright disaster, Google finally took more aggressive action on regular security updates. Now, shortly after the first of each month, Google publishes a security bulletin and pushes out the corresponding batch of patches. They of course go first to Nexus devices, but other manufacturers have been stepping up their game with more regular updates. Progress at the other OEMs is still too slow, but it has been positive.
Android for Work: Google is getting serious about making Android friendlier for enterprise users. The Android for Work initiative lets a company set up a separate work profile on a BYOD phone, with its own managed set of apps and a managed Play Store that only offers work-approved applications.
You still use your personal Google account and the rest of the phone as you normally would, with company information kept inside the separate work profile. If you change jobs, there's no need to wipe your entire phone - the company can remove just the work profile and the data it needs to keep from getting out into the wild.
Android N: A lot of security improvements are coming. First, Android is borrowing a feature from Chrome (well, it is the same company, after all) that should help with all of those who like to delay their updates: new versions of Android will download and install in the background, onto a second copy of the system, and take effect the next time you restart the phone. It'll come first to Nexus devices, but other OEMs may jump on board. It's another tool that might help the rather pitiful number of devices on the latest version of Android (10 percent at last count, according to Google's own numbers).
Google services: You can't get much more rock-solid than using Google's own tools. As long as you use sound security practices in safeguarding your account (more on that below), keeping your data in Google's cloud is pretty much the Fort Knox of computing. Of course, if Google knowing your constant whereabouts, email use, and other habits creeps you out, then that's another story.
FIVE AREAS THAT NEED WORK
It's not all secure sunshine and double-encrypted rainbows on the Android platform. There are some major, major areas of security vulnerability that users need to be aware of. Awareness is the first step. Lobbying for change is the second.
Android updates: Android's Achilles’ Heel is still the slow pace of Android updates. According to Google’s own numbers, only 10 percent of Android devices are running Marshmallow. That’s still pitiful, and cajoling hardware partners and carriers to address this problem should be priority number one at Mountain View.
Miscreant apps: Even with all of Google's efforts, every once in a while you hear about some app that has gone rogue. The most recent example is this fake banking app. Some of this is still common sense, but it's a black mark on an otherwise good ecosystem. Android isn't alone, as some nefarious apps still creep through Apple's App Store.
Security patches: Related to the slow pace of updates is that some OEMs are better than others about pushing out the monthly patches. Some of the clog lies with the larger companies (ahem, Samsung), so it's time to take user security seriously and make these a higher priority.
Carriers need to get on board: If carriers are going to insist on certifying updates and loading up phones with bloatware, then they need to also get serious about security and not clog up the update pipeline. If that means carriers and manufacturers need to work more closely to make this happen, then so be it. Security needs to trump control in this instance.
Fix messaging: Some changes are coming here, which are needed for enterprises and governments that want a secure and reliable system - something you don't currently get with Hangouts. That's why there are so many competitors in this space. Yes, Allo is on the way later this year, but messages aren't sent with end-to-end encryption by default; you get it only in the opt-in incognito mode. If Allo gets some enterprise use as part of Google for Work, there should be an option to enable end-to-end encryption by default.
TAKE CHARGE OF YOUR OWN SECURITY
Your own practice is just as much an essential part of security as what Google does with Android. No matter how secure an operating system or service, it's only as strong as the user who deploys it. Your best security measures rest in your own habits.
Stick to the Play Store: Unless you really know what you're doing and are comfortable sideloading APKs, your best bet is to stick to the Google Play Store. That's where the vetting process is the most robust. Sideloading also means enabling the "Unknown sources" setting, which lifts that protection for every install, so turn it back off when you're done. You're probably OK with an official beta from a Play Store developer, though it's always good to make sure it comes from a reputable or large company.
Use two-factor authentication: Along with using a good password that you don't reuse anywhere else, you should definitely enable two-factor authentication on your Google account. With this, signing in requires your password plus a one-time code. For extra security, use Google's Authenticator app instead of SMS codes: the app computes the code on the phone from a shared secret and the current time, so there is no text message for anyone to intercept or redirect to another SIM. A phishing page can still trick you into typing a code in, so only ever enter one on Google's own sign-in page.
Get a password manager: Google eventually wants to kill the password, but until then a password manager is your best tool for security. It's impossible to memorize a unique, strong password for every account. Tools like Dashlane, 1Password, and others also let you change a password quickly when an account gets compromised. Hey, if it can happen to Mark Zuckerberg, you might be next.
Keep your device up to date: The only thing worse than slow Android updates is when you don't do your part and install them once fresh software is available. Don't do that. Especially don't skip those seemingly minor monthly security updates, as they can kill off some nasty bugs. On Marshmallow and later you can check where you stand under Settings > About phone, where "Android security patch level" shows the month of the last bulletin your device has received. When it's time to update, do it.
Stay aware: Finally, it’s a good practice to know what’s going on in the world of Android security. Pay attention if there is a major breach or a new vulnerability. You don’t need to panic or completely overhaul your workflow, but be aware the next time there’s a Stagefright or other major exploit that has unleashed itself on Android Land.