Google has put some hard numbers behind the effectiveness of the security enhancements it has dropped into Android in the past year, and the results show that features such as SELinux (SE Android), Verify Apps and Safety Net have cut down on successful attacks against the Android operating system, significantly lowered the number of potentially harmful apps allowed onto mobile devices, and reduced the opportunity for network-level attacks leveraging Android devices.
Google’s first Android Security Report, released today, highlights that fewer than one percent of Android devices had a harmful application installed, and 0.15 percent of devices that download only from Google Play had a harmful app installed. Google said that the worldwide average rate of harmful application installs dropped by about half between Q1 and Q4 of last year.
“With a system that includes checking both the Google Play Store and client-side detection of possibly malicious applications with things like Safety Net and Verify Apps, Google has given themselves the opportunity for a great deal of insight that allowed them to collect the numbers for this report,” said Chris Czub, security researcher at Duo Security. “Having and publishing this additional information is a huge step forward that can only be a good thing for improving the understanding of what the real state of malicious apps on Android is.”
Enhanced protections for the Verify Apps feature were introduced into Android last April and are supported on versions 4.2 and higher. The feature continually performs security scans on apps downloaded from Google Play or outside sources to ensure they’re continuing to behave benignly.
Safety Net, meanwhile, checks device configurations to ensure they are secure and that apps haven’t reconfigured permissions in ways that would impact user privacy or security. Safety Net gathers data on how devices are used and the myriad ways they could be exploited, not only at the application level but also at the network level, by analyzing 400 million network connections daily.
Czub said the data in the report gives Google a number of capabilities.
“To combat third-party accusations of rampant malware, to know which protections need to be introduced in the future, and to have metrics they can use to judge the efficacy of previously introduced security measures,” Czub said.
Safety Net, for example, checks SSL connections made between Android devices and websites, ensuring that the integrity of supposedly encrypted communication remains sound. Google said one of the enhancements it made to Safety Net last year was to check for SSLv3 downgrade attacks in the wake of the POODLE vulnerability disclosure.
The amping up of SELinux in Android, meanwhile, has cut down on kernel-level issues, Google said. SELinux was put into full enforcement mode in Android 5.0, or Lollipop, bringing policy enforcement to the kernel level. Device encryption has also been on by default since Lollipop. With SELinux in Enforcing mode, fewer permissions are granted by default for third-party apps, and device data is encrypted from the start.
“The requirement of SELinux to enforce system-wide on Android 5.0 is a good security hardening practice that should make it more difficult for apps to break their intended boundaries,” Czub said. “With mobile devices increasingly being used to store sensitive data it’s critical that only apps authorized to access that data are able to, and SELinux enforcement represents a strengthening of those guarantees.”