Google has made several changes to the Android security ecosystem recently, including shipping monthly security updates and working with manufacturers to get those patches into users' hands more quickly. But despite those efforts, roughly half of the Android devices in use at the end of 2016 had not received a single security update in the preceding year.
One of the issues with Android security over the years has been the way that patches are delivered to users. Google distributes updates directly to the Nexus and Pixel devices it sells, but carriers and other manufacturers are responsible for getting updates to their own customers. Some handset makers, including LG and Samsung, follow Google’s lead and send monthly updates to some of their devices on the day they’re released. But many others either deliver them much later or not at all.
In its annual report on Android security, Google said that while the monthly update schedule has helped, it hasn’t fixed the problem entirely.
“Security updates are regularly highlighted as a pillar of mobile security—and rightly so. We launched our monthly security updates program in 2015, following the public disclosure of a bug in Stagefright, to help accelerate patching security vulnerabilities across devices from many different device makers,” Mel Miller and Adrian Ludwig of the Android security team said in a post on the 2016 Android statistics.
“We provided monthly security updates for all supported Pixel and Nexus devices throughout 2016, and we’re thrilled to see our partners invest significantly in regular updates as well. There’s still a lot of room for improvement however. About half of devices in use at the end of 2016 had not received a platform security update in the previous year. We’re working to increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches.”
The Android device ecosystem is massive and includes hundreds of different models and software versions in countries around the world. The patching behaviors vary by carrier and geography, but data gathered by Duo Labs shows that among the top 50 Android models, 46 percent had received a security patch in the last 90 days, and 81 percent had received one in the last 180 days.
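As an added example (not from the article, and not Google's or Duo Labs' own code), here is a small Python script that reproduces this kind of measurement for a device fleet. It reads each device's reported patch level from the Android system property ro.build.version.security_patch (a YYYY-MM-DD string, exposed to apps as Build.VERSION.SECURITY_PATCH since Android 6.0 and readable with adb shell getprop), computes the age of that patch level against a reference date, and reports what share of devices fall within a 90-day and a 180-day window. The inventory rows and the reference date are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory (not Duo Labs data): device model -> the value of
# the Android system property ro.build.version.security_patch, which reports the
# build's security patch level as YYYY-MM-DD. The empty string models a build
# that does not set the property at all (pre-6.0 devices).
SAMPLE_INVENTORY = {
    "model-a": "2016-12-05",
    "model-b": "2016-11-01",
    "model-c": "2016-08-01",
    "model-d": "2016-03-01",
    "model-e": "",
    "model-f": "2016-10-05",
}

# Reference date for the measurement (constructed to match the end of 2016).
AS_OF = date(2016, 12, 31)


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; return None if it is missing or malformed."""
    if not value:
        return None
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def patch_age_days(value, as_of=AS_OF):
    """Days between the reported patch level and as_of, or None if unparseable.

    A patch level dated after as_of (a clock or vendor error) is clamped to 0
    rather than reported as a negative age.
    """
    level = parse_patch_level(value)
    if level is None:
        return None
    return max((as_of - level).days, 0)


def summarize(inventory, as_of=AS_OF, windows=(90, 180)):
    """Fraction of devices whose patch level falls within each window (in days).

    Devices with no parseable patch level count as not patched in any window,
    which is the conservative choice for a fleet check.
    """
    ages = [patch_age_days(v, as_of) for v in inventory.values()]
    total = len(ages)
    if total == 0:
        return {w: 0.0 for w in windows}
    return {
        w: sum(1 for a in ages if a is not None and a <= w) / total
        for w in windows
    }


def stale_devices(inventory, max_age_days, as_of=AS_OF):
    """Models whose patch level is older than max_age_days or unreadable, sorted."""
    stale = []
    for model, value in inventory.items():
        age = patch_age_days(value, as_of)
        if age is None or age > max_age_days:
            stale.append(model)
    return sorted(stale)


if __name__ == "__main__":
    for window, share in summarize(SAMPLE_INVENTORY).items():
        print(f"patched within {window} days: {share:.0%}")
    print("stale beyond 90 days:", ", ".join(stale_devices(SAMPLE_INVENTORY, 90)))
```

One caveat when using this on a real fleet: the patch level string is whatever the build claims, so it is useful for triage (which models and carriers are lagging) but is not by itself proof that every fix in that month's bulletin is present on the device.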
On the plus side, Google said that at the end of 2016 only 0.05 percent of Android devices that install apps exclusively from the official Play store had a potentially harmful app (PHA) installed, down from 0.15 percent in 2015. Google defines a PHA as an app that could harm a user’s device or the data on it. Its Verify Apps service scans users’ devices for PHAs and can remove them when they’re found; in 2016 it performed 750 million device checks.
One of the challenges for Google in protecting users from PHAs and outright malicious apps is that many users install apps from third-party markets, which don’t have the security controls that Play does.
“Still, there’s more work to do for devices overall, especially those that install apps from multiple sources. While only 0.71 percent of all Android devices had PHAs installed at the end of 2016, that was a slight increase from about 0.5 percent in the beginning of 2015. Using improved tools and the knowledge we gained in 2016, we think we can reduce the number of devices affected by PHAs in 2017, no matter where people get their apps,” Miller and Ludwig said.