The state of Android security: Great on Oreo, but most phones are missing out

Project Treble to the rescue.


Google has released its annual report on Android security and the message is clear: The devices running the latest version of Android are among the safest you can buy. Through a combination of features such as Google Play Protect and Instant Apps, the bug bounty program, and machine learning, Google says Android 8 “has achieved a strength of protection that now leads the industry.”

That’s great news if you’re using a Pixel or have a Galaxy S9 on the way. But if you have one of the millions of phones that will never receive an Oreo update, the biggest issue with Android security is one that’s plagued the platform for a while: fragmentation. At last count, just 1 percent of Android users were running Oreo on their phones, compared to nearly 28 percent each on Nougat and Marshmallow. That means nearly 99 percent of Android phones aren’t as secure as they could be. But Google’s trying to change that narrative.

The impact on you at home: With each new Android release, Google does more and more to make our phones secure. So, if you’re one of the 1 percent using an Oreo phone, congratulations. Not only do you have the most recent features, you also have the safest Android phone you can buy. But Google is hopeful that it’s turned a corner. With Project Treble and the Pixel, phones running the latest version of Android should increase exponentially with Android P, so this time next year there could be more than 10 percent of Android phones that are up-to-date. And there’s also Android Go and Android One, both of which offer a “pure” version of Android with the promise of years of updates. So things are definitely looking up.

Protection at the source

One area where all Android phones benefit from tight security is the Google Play Store. Last year, Google updated its digital storefront with a new security feature called Google Play Protect. A background process turned on by default, the security suite automatically runs a safety check on apps before they are downloaded from the Play Store and warns users about any potentially harmful ones that could put your phone at risk.

According to Google, the probability of a user downloading a malicious app from the Play Store was sliced in half last year, from .04 percent to .02 percent. While the number was already extremely low, Google says that the odds of downloading a harmful app from Google Play in 2017 was “less likely than the odds of an asteroid hitting the earth.” Additionally, the proliferation of Instant Apps—which can be used without downloading anything—limits the likelihood of installing a harmful app.


Instant Apps are full Play Store games and services that run without downloading anything onto your phone.

While Google Play Protect and Instant Apps are available for phones going back to Lollipop, the other security enhancements Google delivered last year were mostly limited to Oreo. Among the features in the latest version of Android are stronger encryption and key storage, tighter sandboxing, kernel self-protection, and an updated version of Android Verified Boot.

But the biggest change in Android 8.0 security is to the handling of apps from sources other than the Play Store. Where users previously could easily access an Unverified Sources toggle to allow installations of non-Play Store-approved apps, in Oreo it’s a behind-the-scenes permission that automatically runs whenever an app is side-loaded. That means users can’t unwittingly turn it off, but it also means that a malicious app can’t do it either.

Google also paid out more than $1.25 million as part of its bug bounty program, but very few of the payouts were for critical Oreo vulnerabilities. In fact, Google reports, at the 2017 Mobile Pwn2Own competition, none of the exploits were able to successfully compromise Google Pixel devices. That event was held in October, however, after the phones received their Oreo update.

All about that Treble

Overall, things might be looking up. While Android updates generally follow the same slow adoption rate, Google’s new Project Treble could ramp up the number of phones running Android P. The Oreo feature makes it easier for manufacturers to deliver updates to phones, so the phones running Android 8 should receive version 9 much quicker. That means everyone will be a whole lot safer.

Project Treble is a complete change to how updates are delivered. Starting from the source, Project Treble gives manufacturers a clear way to update from Oreo to whatever Android P will be called, boiling down a multi-step process to just a single one. It also smooths over the various hardware tweaks, so Samsung will be able to push out updates to numerous phones, not just the Galaxy S9. Granted, phones will need to be running Oreo in order to take advantage of the new system, but it's a good start.

And that means next year's state of Android report could be a whole lot rosier.

Michael Simon

PC World (US online)