Dear Lifehacker, I keep hearing conflicting arguments on the state of Android security. Eric Schmidt says it's more secure than the iPhone, but people laughed at him. Plus, I keep hearing about the threat of Android malware. Who's right? Is Android safe? Should I install security software like I do on Windows? Sincerely, Locked Down Droid
Dear Locked Down Droid,
The Android security debate isn't going to go away anytime soon. There are smart people on all sides of it, but at its core are a few important things every Android owner should know. Let's cut through the fog, shall we?
The Short Version: Android Is Secure... Users Aren't
Let's get this out of the way. Android as an operating system is very secure. It has multiple layers of protection to keep malware at bay, and it requires your specific permission to do almost anything that could lead to your data or the system being compromised. However, Android is an open system that trusts you — the user — and its community of developers to do the right thing. If you want, you can give away a lot of permissions and even access to deeper parts of the system if you've rooted your phone. Android tries to protect you from yourself, but it lets you have the final say on what to install (and from where, like unknown sources and beyond the regularly patrolled walls of Google Play) and who to give permissions to.
As with every security discussion, those things open you up to malware not because they're bad but because users are the weak link. So, when people talk about Android security, it's not that Android is inherently insecure, we are. Android gives us a lot of power, and with great power comes great responsibility.
The Long Version: How Android Security Works
Android was designed with security as one of its cornerstone principles. Without comparing it to any other platform, it does a really good job of making sure processes don't collect too much information (or use too many resources) without permission. No one app or process gets access to the system level without adequate privileges, and the user is generally always aware of what's happening behind the scenes.
Earlier this month, Steven Max Patterson argued in a piece at Quartz that Android is almost impenetrable to malware. Hyperbole aside, he based the assertion on a presentation that Android Security chief Adrian Ludwig made, where Ludwig revealed that "less than an estimated 0.001% of app installations on Android are able to evade the system's multi-layered defences and cause harm to users." Put simply, Android has multiple layers of defence to protect itself against malware incursions, and since Google started paying attention to what users install on their devices, it has seen very little malware appear.
As an example of this, Ludwig presented the graph above (and below, both included in the full slide deck). Just to get installed, an app has to get through Google Play or an unknown sources warning (if it's enabled on your phone), and a user who confirms the installation. Past that, it has to get past Google's "Verify Apps" security feature, which checks an APK against its own database of malware before it can be installed (more on this later). Then, the app is sandboxed and restricted to the permissions granted to it, and Android's own security checks again whenever the app runs.
Ludwig goes on to note that even though security researchers and even the US Department of Homeland Security have noted upticks in Android malware (PDF), no one besides Google has the tools to view actual install data, and they're just not seeing malware manifest in large numbers. Says Patterson:
The problem Google wants to solve is that most independent security researchers don't have access to a platform such as Google's to measure how many times a malware app has been installed. They are analogous to human disease researchers without a CDC to measure the size of a disease outbreak and coordinate a response. Security researchers are very good at finding and fixing malware, but in the absence of reliable data that indicate how frequently a malware app has been installed, the threat level can become exaggerated. Reports that reach publication are often extremely exaggerated. To emphasise this point, Ludwig revealed in his analysis that some of the most publicized recent malware discoveries are installed in less than one per million installations.
Now, of course Google's data is going to say it doesn't see malware in the wild. Google has skin in this game, and it's going to pick and choose the best possible data it can collect to paint Android in the best possible light. That doesn't necessarily make the data false or questionable, but it does mean you should take it with a healthy grain of salt. Unfortunately, Google is also the only one that could really provide that data for us.
Google collects this information every time you install an app as long as you use the "Verify and Install" option (some users may see "Verify and Install" as well as "Package Installer" depending on their device), or if you install via Google Play directly. If you're not using it, here's why you should:
The new security mechanisms appeared about a year ago when new versions of Android started shipping with Verify Apps. Verify Apps intervenes when an app is downloaded, compares it to a large database of malware information curated by Google and warns the user if the app is potentially harmful. Verify Apps is also distributed to older Android versions by including it in updates to the Google Play app that is used to download apps from Google's app store. Checking and blocking apps is enabled by default requiring a user to choose to disable it in order to circumvent its protection.
So it would seem that all's well on the Android front. If you use your phone in the usual way, install from trusted sources (even if you're sideloading), and use your head when you install apps, the odds you'll get malware on your Android device are exceptionally slim. The case is data-driven, and it's convincing to be sure.
However, it's not a complete picture.
There's a little in-between-the-lines reading left out of the Quartz piece that's equally important to note. A couple of caveats not mentioned but easily gleaned:
- Google can't count malware it doesn't see. All of the data here is based on app installs that Google gets data on through "Verify Apps", available with Google Play in Android 2.3+. If you don't use Verify and Install when sideloading, or you get your apps from another source like the Amazon Appstore (or you're sideloading from a third party), you don't get included, and you're not protected. That's a big caveat — it essentially means "Of the malware Google can see, it's not seeing much of it." To boot, there's an open and fairly significant issue with Verify Apps that affects a lot of phones. Google has fixed it, but the fix needs to be rolled out by carriers and OEMs to users, which is a whole other part of the security problem that's unresolved. Google's been busy making Android modular specifically to get around this problem, and with luck we'll see improvements in Android 4.4 KitKat.
- Android has defences... to protect itself, not your data. This is probably the biggest gaping hole left unaddressed by both the presentation and the ensuing commentary. It's one thing if an app is potentially harmful because it compromises Android in some way, but if the app isn't interested in control over your device or isn't a rootkit, that multi-layered defence only protects you up to the point where you install it. If the malware is designed to capture your data, location, usage, contact list, email addresses or other data on your device, none of that is addressed (and, frankly, it's not well-addressed by security companies either). It really is a "watch what you install" kind of thing.
- Lack of installs doesn't equal a lack of malware. The fact that Google doesn't see a lot of malware installs through its own sources is great news — but that doesn't mean the malware isn't out there in the wild, and it doesn't mean that the threat of it isn't real. It means that the myth of infected handsets everywhere is definitely oversold by security companies, but it shouldn't make anyone more comfortable installing "AngryBirdsPremiumLulz.apk" from a shady website, thinking Android's defences will protect them.
- Many of Android's defences are bypassed with a few taps or by users. For many Android users, the first thing we do is turn off the "unknown sources" warning so we can sideload APKs we've backed up, or install from websites or other sources. Want the Grooveshark Android app? Turn it off. Plan to sideload an app you had on your old phone that's no longer available? Turn it off. Have your phone rooted, or have a completely new ROM installed? Google may not count you either. That's just expert users — novice users who aren't paying attention to permissions or where their apps come from are a whole other problem, one with serious, real-world consequences. In any case, that's five of those seven layers of defence bypassed directly.
A lot has changed in the mobile security world since Chris DiBona famously called out mobile antivirus companies as "charlatans and scammers", pushing scareware and "playing on your fears to try to sell you BS protection software" back in 2011. While he's still right that conversations about mobile security often devolve into fear, uncertainty and doubt without discussing real-world impact, it's much harder to dismiss the issue than it was back then.
So How Do You Protect Yourself?
At the end of the day, the real reason it's difficult to dismiss mobile malware is because the user is — and always has been — the weak link in the security chain. Android isn't alone in this — every platform, mobile or desktop, has the same problem. It doesn't matter if your garden is walled or open, if a user clicks install, it's all over. That's why it's so important to learn to tell if an Android app is malware before you install it.
Turn on your BS sensors and take a look at app store reviews. Reviews are often a terrible indicator of app quality, but taken as an overall sentiment, you'll be able to see quickly whether an app does what it's supposed to do or if there's a trending complaint about strange behaviour. Similarly, pay attention to the permissions an app requests before you install it. Don't just tap through it — ask yourself if the access requested is reasonable for the features provided. Check the developer's other apps, and look around the web for reviews from sources you trust. If you have an old Android phone that works, try it there first to test it out before you put it on your daily driver with all of your data.
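As an added illustration (not code from the article, from Google or from any security vendor), here is a Python sketch of the two checks described above: the Verify Apps style lookup of an APK's hash against a known-malware database from the quoted passage, and the "is this permission reasonable for this kind of app?" review from the paragraph above. The sample APK bytes, the blocklist, the app categories and the permission baselines are all constructed for the example.

```python
import hashlib

# Constructed sample "APK" payloads (not real packages); the blocklist below
# is built from one of them so the digests are reproducible offline.
CONSTRUCTED_BAD_APK = b"PK\x03\x04 constructed malicious package"
CONSTRUCTED_GAME_APK = b"PK\x03\x04 constructed puzzle game"


def sha256_of(apk_bytes: bytes) -> str:
    """Digest used as the lookup key into the known-sample database."""
    return hashlib.sha256(apk_bytes).hexdigest()


# Step 1: constructed known-malware database (digest -> label), standing in
# for the curated database the quoted passage describes.
KNOWN_BAD_SHA256 = {sha256_of(CONSTRUCTED_BAD_APK): "Constructed.TrojanSMS"}

# Step 2: permissions that are fine for some apps but merit a second look
# when the app's stated purpose does not need them.
SENSITIVE = {"SEND_SMS", "READ_SMS", "READ_CONTACTS", "ACCESS_FINE_LOCATION",
             "RECORD_AUDIO", "READ_CALL_LOG"}

# Constructed baseline of what each app category plausibly needs.
EXPECTED = {
    "game": {"INTERNET", "ACCESS_NETWORK_STATE", "VIBRATE"},
    "messaging": {"INTERNET", "SEND_SMS", "READ_SMS", "READ_CONTACTS"},
}


def verify_before_install(apk_bytes: bytes, category: str, requested) -> dict:
    """Return a verdict of 'block', 'warn' or 'allow' plus the reasons.

    'block' means the digest matches a known-bad sample; 'warn' means the app
    asks for sensitive permissions its category does not explain. Note the
    gap the article points out: a data-stealing app whose permissions look
    plausible for its category is not caught here unless its hash is known.
    """
    digest = sha256_of(apk_bytes)
    if digest in KNOWN_BAD_SHA256:
        return {"verdict": "block", "digest": digest, "flags": [],
                "reason": "matches known sample " + KNOWN_BAD_SHA256[digest]}
    unexplained = set(requested) - EXPECTED.get(category, set())
    flags = sorted(unexplained & SENSITIVE)
    return {"verdict": "warn" if flags else "allow", "digest": digest,
            "flags": flags,
            "reason": "unexplained sensitive permissions" if flags else "ok"}
```

A "game" that asks for SEND_SMS and READ_CONTACTS comes back as "warn", which is exactly the mismatch the article tells you to notice before tapping Install; the hash check alone would have let it through.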
Finally, seriously consider installing a mobile security tool. There was a time when it was hard to recommend one, but even then most tools offer additional features that are worthwhile. In addition to active scanning, the best options also block known malware from third party sources and sideloads (a nice extra layer of protection for those of us who get our apps from more than Google Play), help you locate or remotely wipe a lost device, can back up your data automatically, and more. Also, long gone are the days where Android antivirus meant a slow phone and a dying battery — the best apps won't slow you or your phone down at all.
The mobile security debate right now is in roughly the same place as the desktop debate. It's fair to point out that the mobile threat has been overplayed and overhyped, and it's also fair to say that the vast majority of Android users who install apps from known, good sources, and don't get themselves into trouble will never encounter malware. Just like on the desktop, an intelligent user, good downloading and installing habits, and common sense should be your first line of defence. Beyond that, we'd suggest a good Android security tool to cover everything else, scan for malware whenever you want to, and benefit from the extra features and protection they offer.
Got your own question you want to put to Lifehacker? Send it using our contact form.