Why Android security fearmongering is total BS

Over the years there has been a lot of FUD (fear, uncertainty, and doubt) about Android phone security. I will be honest: it was deserved. Because Android was so fragmented, many fixes required a complete firmware update, and since phone manufacturers were reluctant to release those updates, Android phones were more vulnerable to security problems than the iPhone. Ten years ago, Apple could quickly patch its entire ecosystem when a major security flaw was found in the iPhone, while Android users could wait for months before a fix was available. To fix an Android security problem in 2011, new code first had to be pushed by Google; then the manufacturer would integrate it into your phone's firmware, and finally your carrier would sign off. That sequence of events is far from ideal when time is critical, and time is critical when a new and dangerous software flaw has been discovered.

Android security, in general, has made great strides over the past decade. The old trope that Android users don't get updates and that their phones are riddled with malware is no longer true. Android is more secure than ever, and the best Android phones now come with a four-year guarantee of security updates. Google's security measures for Android are more complex and harder to pin down than Apple's. Apple's vertical integration and small number of phone models allow it to roll out firmware updates as needed, but Google's more complex, diverse, and less controlled ecosystem demands a different approach.

Google Play Services

Google Play Services is preloaded on almost every Android phone sold in the West. It's an essential part of the Android app package, and Google can update it quietly in the background. Play Services is far more powerful than any other Android app: it's a system application, which means it has the keys to your castle. That is what allows it, for example, to remotely wipe your phone if it is lost or stolen.
System apps must be installed by the manufacturer before the device ships; they cannot be installed from scratch like a normal app. All current versions of Google Play Services support devices running Android 5.0 Lollipop (released in 2014) or later. Android 4.0 Ice Cream Sandwich, released in 2011, was the most recent Android version to lose Play Services support, and that only happened in 2018. In other words, the support windows we're talking about for "current" Google Play Services are much longer than most people keep a smartphone.

Read more: Google Mobile Services primer

Play Services lets developers integrate services such as Google Pay or Google single sign-on into their applications, but let's focus on security. This system app is the most powerful tool in Google's Android security toolkit: it is kept current in the background and supports devices released more than seven years ago.

Play Services protects against malware and is available on all Android phones.

Google Play Protect is one example of a Play Services feature. It lets Google check the apps on your phone for malware regardless of whether they were downloaded from the Play Store. Because Play Services is a system application, Play Protect can remove malicious apps from your phone before they do any damage. And because Play Services is continuously updated, these defenses keep being maintained in the background for many years after your device has received its last firmware update. That protects older devices against malicious apps even when those apps exploit software vulnerabilities still present in the OS, giving a device such as the now-geriatric Samsung Galaxy S4 a decent level of protection against vulnerabilities in its Android 5-based firmware.

The Covid-19 Exposure Notification System is a great example of Google Play Services' power.
Google and Apple were able to build this system using Play Services, and it was automatically deployed to all Android phones running 5.0 Lollipop or higher. Google's "Verify Apps" feature, the precursor to Google Play Protect, could likewise be updated immediately when a serious software flaw emerged. This was the case with Fake ID in 2014: the vulnerability could be identified and addressed before manufacturers were able to roll out updates to fix it.

Preventing vulnerabilities from being exploited is good, but not having them in the first place is better. Google has been working with manufacturers to address the long-standing Android firmware update problem. A second approach has been to clearly tie a date to an Android firmware's security level and to write minimum support requirements into contracts with manufacturers.

Modular Android

Ten years ago, Android was a monolithic system that had to be updated as a whole. A full firmware update was required to change system-level components like media codecs, networking, or even the built-in web browser or dialer app. First Google pushes out new code, then the manufacturer turns it into a device-specific firmware update, and then the carrier must sign off. As mentioned, this is slow, and it can be dangerous for security when an exploitable bug is discovered. Over the years, Google has made Android modular, which makes it easier for companies and individuals to release OS updates. Portions of the Android OS can now be updated without upgrading the entire firmware, which lets Google and manufacturers quickly fix security problems in specific parts of the OS. Google began by breaking certain components and apps out of the firmware and allowing them to be updated through the Google Play Store. The best demonstration of this is Google Chrome and the Android WebView component that displays web content inside Android apps.
These can be updated independently of the firmware, allowing Google to fix browser engine bugs that could be exploited by malicious websites and get the fixes rolling out to the entire Android ecosystem within hours rather than months.

The update middleman is gone in Android 2.2 and 2.3.

Google's 2017 Android 8.0 Oreo update brought another step forward with Project Treble. Treble was designed to separate the low-level parts of Android supplied by chip manufacturers such as Qualcomm from the rest of the OS, making it more modular and allowing faster updates. The idea was to let hardware companies keep their customizations apart from the core OS, so that firmware updates could be released more quickly and with less engineering work. Project Treble isn't something you will notice on your Android device, but it could explain why your 2018 Android phone received OS updates faster than the 2016 model did. And faster updates mean better security.

Android 10 took the next step in modularizing Android with "Project Mainline", now known as "Google Play system updates". Mainline is about removing the need for a full over-the-air firmware update by bundling Android components into modules that Google or your phone's manufacturer can update directly. Android 11 extended Mainline with modules covering additional system components such as Wi-Fi, tethering, and neural networking, and Android 12 will add ART (the Android Runtime). This brings further security benefits: as AC's Jerry Hildenbrand explained in a recent editorial, any security flaw in the Android runtime could then be fixed easily and quickly across the entire Android ecosystem.

It's instructive to look at "Stagefright", one of the most significant Android security problems of the past decade, because it illustrates how much Android security has improved.
Stagefright was a vulnerability in the Android component that processes media files. It could have allowed a modified video file to be used to execute malicious code on Android phones. Although Stagefright was never proven to have been used in real-world malware, it was a big story at the time, and Project Mainline would eliminate that kind of flaw, one of the most dangerous Android security problems of 2015. In 2015 there was no single solution to Stagefright. Unlike with an app-based vulnerability, Google Play Protect could not stop malicious media files from potentially compromising your phone. All you could do was wait for a firmware upgrade and hope for the best. If Stagefright were discovered in 2021, fixing it would be easy: Google would prepare a Project Mainline update to the media playback module and fix the bug on all Android devices running Android 10 or higher. As more of Android is modularized with every new OS version, Android is less likely to fall prey to Stagefright-type exploits in the future.

Security patches for Android

In response to Stagefright, Google introduced Android security patch levels in late 2015. A patch level ties a specific date to the level of security of any Google-approved Android firmware, and each month new patches are released to address security issues that have been discovered. Device manufacturers typically lag one to two months behind in delivering security patches. The increased visibility drew attention to manufacturers that were falling behind and gave users a clear indicator of how current their firmware was.

Google now requires two years of security updates.

Google recently began to include minimum levels of security support in its contracts with Android manufacturers. In 2018, The Verge reported that manufacturers of new phones would have to provide at least two years of security updates, with at least four updates in the first year.
This is a very basic level of support compared to what high-end phones offer, but it is a minimum. Samsung's recent promise of four years of security updates for its major Galaxy phones is just one example of high-end manufacturers going well beyond it.

Ten years of progress
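Because the security patch level described above is simply a date carried in the firmware, it is easy to check from a management workstation. The POSIX shell script below is an added example, not code from the article or from Google: it parses a getprop-style property dump, works out how many months the device's patch level lags a reference date, and reports whether the device is on Android 10 or later (and so can receive Google Play system updates). The property dump is constructed for the example; on a real device the same three values come from `adb shell getprop`. The three property names (`ro.build.version.security_patch`, `ro.build.version.release`, `ro.treble.enabled`) are real Android system properties; the three-month staleness threshold is an assumed policy value.

```shell
#!/bin/sh
# Constructed sample of `adb shell getprop` output for the properties a fleet
# check would read. On a real device: adb shell getprop > props.txt
SAMPLE_PROPS='[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-03-05]
[ro.treble.enabled]: [true]'

# prop NAME TEXT -> prints the bracketed value of NAME from getprop-style output
# (the dots in NAME match literally enough for property names; no other
# property shares the same name with a different character in a dot position)
prop() {
    printf '%s\n' "$2" | sed -n "s/^\[$1]: \[\(.*\)]$/\1/p"
}

# months_since PATCH_DATE REFERENCE_DATE (both YYYY-MM-DD)
# -> whole months between the patch level and the reference date
months_since() {
    p_y=${1%%-*}; p_rest=${1#*-}; p_m=${p_rest%%-*}
    r_y=${2%%-*}; r_rest=${2#*-}; r_m=${r_rest%%-*}
    # strip a leading zero so "08" is not parsed as an (invalid) octal number
    p_m=${p_m#0}; r_m=${r_m#0}
    echo $(( (r_y * 12 + r_m) - (p_y * 12 + p_m) ))
}

# patch_status PROPS REFERENCE_DATE MAX_MONTHS -> "ok", "stale" or "unknown"
# "unknown" covers firmware that does not report a patch level at all
patch_status() {
    level=$(prop ro.build.version.security_patch "$1")
    [ -n "$level" ] || { echo unknown; return; }
    age=$(months_since "$level" "$2")
    if [ "$age" -le "$3" ]; then echo ok; else echo stale; fi
}

# mainline_capable PROPS -> "yes" when the OS is Android 10 or later, the
# first version that takes Project Mainline (Google Play system updates)
mainline_capable() {
    rel=$(prop ro.build.version.release "$1")
    major=${rel%%.*}
    case "$major" in
        ''|*[!0-9]*) echo no ;;
        *) if [ "$major" -ge 10 ]; then echo yes; else echo no; fi ;;
    esac
}

# Demo run on the constructed sample: reference date 2021-08-01, 3-month policy
echo "patch level: $(prop ro.build.version.security_patch "$SAMPLE_PROPS")" \
     "-> $(patch_status "$SAMPLE_PROPS" 2021-08-01 3)"
echo "treble: $(prop ro.treble.enabled "$SAMPLE_PROPS")," \
     "mainline-capable: $(mainline_capable "$SAMPLE_PROPS")"
```

A device that reports `stale` here is one that has not taken a firmware security update within the policy window, which is exactly the gap Play Protect and Mainline are meant to narrow but not the same as closing it; a `no` for Mainline capability means kernel and media-framework fixes still depend entirely on the manufacturer's firmware cadence.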