SAN FRANCISCO–Google has a daunting task of scanning 750 million Android devices daily for threats and checking 6 billion apps for malware each day as part of its management of 1.6 billion active Android devices. The numbers are staggering for Adrian Ludwig, director of Android Security; six years ago, when he joined Google, he said being responsible for the security of what would eventually be billions of Android devices seemed overwhelming.
“It’s stunning to me what the ecosystem has done and how we’ve gone about building it. And the more I think about scale, the more overwhelming it gets,” Ludwig said Tuesday at RSA Conference.
Ludwig said he keeps his focus on the fundamentals of keeping a single Android device safe. Keep one device secure and keep them all secure, he said. That is easier said than done, considering there are 5,033 different variations of Android devices in use since just 2015.
“We are talking about this incredibly complex ecosystem. So to solve the security problem we need to break this problem down at a macro-level to make the problem smaller to solve,” he said. That macro-level breaks down into three pillars of security for Android that include delivering a robust platform, comprehensive services and a secure ecosystem of programs. And over the past year, Ludwig said his team has made big strides in keeping Android users safe.
“The mobile industry has always known where it wanted security to go… application security, isolation and OS integrity and data protection that ties down to encryption,” he said.
Encryption has been one of Google’s unmitigated successes with the Android OS, Ludwig said. “In the span of just three years we are going to see encryption on smartphones go from uncommon to something that is essentially ubiquitous.”
Encryption was added with Android 5.x (Lollipop) in 2014 with about one percent of users using it. The following year 20 percent of Android 6.x (Marshmallow) users used encryption. Now, 80 percent of Android 7.x (Nougat) users use encryption. “That is how you deliver security to billions of people. First you make it usable and then you make it ‘on’ by default,” Ludwig said.
Another accomplishment for Google has been the introduction of security and security-related services into Android. “Historically platform providers haven’t provided security services into their platform. Traditionally, in the desktop environment it was Microsoft that facilitated the creation of a security industry that sort of rides along with Windows, but is not part of the operating system,” he said.
Ludwig said his team had the foresight that the Android platform would be too “big and powerful” not to have security services. So it added Verify Apps (an antivirus and antimalware solution), Sensor Network (a network intrusion, detection and analysis tool), Android Device Manager (makes it easy to locate, ring, or wipe Android devices remotely) and APIs, which have become a focus for Ludwig’s team over the past year.
“We have been spending a lot of time with APIs recently to see how they can help enterprises better manage Android devices,” he said. APIs are used to limit where applications can be installed from and what types of applications can be installed on devices and, in coordination with Safe Browsing, even limit the types of websites Android users can visit.
Ludwig said that when API limits are imposed and enterprise restrictions limit downloads of apps to Google Play, the Android OS is at parity with iOS when it comes to security and safety. Still, he said, only one percent of Android devices with no restrictions on them have an unwanted application on them.
Another new weapon at Ludwig’s disposal is understanding the relationships behind the Android ecosystem from a developer’s point of view.
“Developer relationships are the hidden gold when it comes to finding bad (behaving) applications,” Ludwig said. “Here is where Google Play really becomes a powerful weapon that didn’t exist prior to antivirus and anti-malware software. We have a commercial relationship with the people who make the software. So we are able to look at those relationships and analyze them.”
Leveraging that relationship, Ludwig said the Android Security team is able to find problematic developers and apps before they become problematic to users. It does this by analyzing aspects of the developer’s business, customer feedback, software code and application behavior. Then it compares those attributes to other seemingly unrelated apps that may also be problematic. Using machine intelligence, Google creates clusters of apps that share similarities. Next, apps and developers that have a high probability of bad behavior are red-flagged, and human analysis can confirm whether there is a security problem.
Over the past year, Ludwig said his team has also worked with other aspects of the ecosystem, namely over 351 wireless carriers around the world, to improve the time it takes to test security patches before deploying them to users. Over the last 12 months, Google has cut the time that carriers’ testing regimes take; a year ago they averaged six to nine weeks. Today those same testing regimes take about a week.
“There is a perception that carriers and OEMs just don’t care or are lazy when it comes to security updates. That’s just not true,” he said. Collectively, hundreds of millions of dollars have been spent on figuring out how to deliver security updates to Android devices faster, Ludwig said.
Lastly, Ludwig said contrary to myth and legend, Google doesn’t employ all the smartest people. To help raise the collective IQ of all Android security stakeholders, over the past year Google has embarked on a number of measures to bring tools and security incentives to the Android developer community. One of those efforts included introducing new testing tools into the Android app ecosystem.
Another effort includes continued investment into the Android Security Rewards program. Over the last 12 months Google has paid out $1 million to hundreds of independent researchers. In 2017, Ludwig said, rewards are on track to reach $2 million.