Security Improvements Make Android More Attractive to Business

Google Outlines State of Android Security With 2016 Year In Review Report

Accepting Android as a staff BYOD (Bring Your Own Device) option has always been tempered by security officers’ understanding that it is less secure than iOS. In the last year, Google has made serious efforts to reduce that perception. The Android Security 2016 Year in Review report (PDF), published this week by Google, describes two areas in which the company has particularly improved Android security: updates, and the elimination of malicious apps.

Security updates, or patches, have always been a problem in the Android ecosphere. The difficulty is the sheer number of different Android manufacturers involved, some of whom rarely distribute the monthly updates provided by Google. Over the last year, Google has worked on improving this. It has concentrated on two areas: improving the discovery and responsible disclosure of vulnerabilities in its partners’ products; and improving the speed and regularity of device patching.

It has achieved what can be described as partial success. “As of December 2016,” says the report, “735 million Android devices report a 2016 security patch level.” The downside is it still leaves a similar number that did not. Nevertheless, “Over the course of the year, Android device manufacturers became more efficient at delivering monthly security updates, including expanding their security programs to accept and address security vulnerabilities specific to their devices.”

New models of Google’s own products, Pixel and Nexus, and several of the major manufacturers such as Samsung and LG, have introduced automatic updating. At the end of 2016, Android 7.1.1 introduced new features to improve updating generally with automatic updates. “To do this,” says Google, “devices have two system images: one for the currently active system and one to receive an updated image. When an update is available, the device downloads the new system image in the background. The device seamlessly switches to the new software update the next time it reboots… As more new phones are sold with Android 7.1.1, this feature will become available on a wider variety of devices.”
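
The two-image update flow quoted above, modelled as an added example (it is not code from Google's report or from Android itself). The digest check, the retry budget and the fall-back to the old image when the new one fails to boot go beyond the quoted text and follow the general A/B design; every class, method and constant name and the sample images are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Slot:
    image: bytes
    bootable: bool = True
    successful: bool = False   # set once this image has booted cleanly
    tries_left: int = 0

class Device:
    """Toy model of a two-slot (A/B) device; all names are illustrative."""
    MAX_TRIES = 3  # assumed retry budget for a freshly written slot

    def __init__(self, image: bytes):
        self.slots = {"a": Slot(image, successful=True), "b": Slot(b"", bootable=False)}
        self.active = "a"    # slot the bootloader will try at next boot
        self.running = "a"   # slot the system is running from right now

    def inactive(self) -> str:
        return "b" if self.running == "a" else "a"

    def apply_update(self, image: bytes, expected_sha256: str) -> bool:
        """Write the new image to the inactive slot; the running slot is untouched."""
        if hashlib.sha256(image).hexdigest() != expected_sha256:
            return False  # simplified integrity check: reject a corrupted or altered download
        target = self.inactive()
        self.slots[target] = Slot(image, tries_left=self.MAX_TRIES)
        self.active = target  # takes effect only at the next reboot
        return True

    def reboot(self, boots_ok) -> str:
        """boots_ok(image) -> bool stands in for the new system starting cleanly."""
        slot = self.slots[self.active]
        while not slot.successful and slot.tries_left > 0:
            slot.tries_left -= 1
            if boots_ok(slot.image):
                slot.successful = True
        if not slot.successful:
            slot.bootable = False        # give up on the new image
            self.active = self.running   # fall back to the known-good slot
        self.running = self.active
        return self.running

if __name__ == "__main__":
    dev = Device(b"system-v1")  # constructed sample images
    new = b"system-v2"
    dev.apply_update(new, hashlib.sha256(new).hexdigest())
    print(dev.reboot(lambda image: False))  # failed boot: prints "a"
```

Because the update is only ever written to the slot that is not running, a bad download or a failed first boot leaves the device on its previous, working image rather than unpatched and unbootable.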

Google also improved its ability to detect and remove potentially harmful apps (PHAs), such as trojans, spyware and phishing apps, both on the device and from within the Google Play Store. “The goal,” says Google, “is to provide the right protection at the moment it is needed by the user.” During 2016, Google’s security services performed over 790 million device security scans daily, covering phones, tablets, watches and TVs. This is up from around 450 million in the previous year.

Similar attention is given to the apps in Google Play, and PHA installations from Play have fallen dramatically: trojan installs fell by 51.5%, hostile downloaders by 54.6%, backdoors by 30.5%, and phishing apps by 73.4%. “By the end of 2016,” claims Google, “only 0.05 percent of devices that downloaded apps exclusively from Play contained a PHA; down from 0.15 percent in 2015.”

Google accepts that there is still work to do, especially to protect those devices that install apps from outside of Play — and it expects to do this in the present year. “We believe that advances in machine learning and automation can help reduce PHA rates significantly in 2017, both inside and outside of Google Play.”

As it stands, according to Google’s figures, users of mainstream Google devices that limit app installations to Google Play are increasingly secure; and already significantly more secure than last year. This has to be good news for all organizations with — or considering — an Android-based BYOD policy for staff.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
