The state of Android security: Great on Oreo, but most phones are missing out

Project Treble to the rescue.

Credit: C_osett

Google has released its annual report on Android security and the message is clear: The devices running the latest version of Android are among the safest you can buy. Through a combination of features such as Google Play Protect and Instant Apps, the bug bounty program, and machine learning, Google says Android 8 “has achieved a strength of protection that now leads the industry.”

That’s great news if you’re using a Pixel or have a Galaxy S9 on the way. But if you have one of the millions of phones that will never receive an Oreo update, the biggest issue with Android security is one that’s plagued the platform for a while: fragmentation. At last count, just 1 percent of Android users were running Oreo on their phones, compared to nearly 28 percent each on Nougat and Marshmallow. That means nearly 99 percent of Android phones aren’t as secure as they could be. But Google’s trying to change that narrative.

The impact on you at home: With each new Android release, Google does more and more to make our phones secure. So, if you’re one of the 1 percent using an Oreo phone, congratulations. Not only do you have the most recent features, you also have the safest Android phone you can buy. But Google is hopeful that it’s turned a corner. With Project Treble and the Pixel, phones running the latest version of Android should increase exponentially with Android P, so this time next year there could be more than 10 percent of Android phones that are up-to-date. And there’s also Android Go and Android One, both of which offer a “pure” version of Android with the promise of years of updates. So things are definitely looking up.

Protection at the source

One area where all Android phones benefit from tight security is the Google Play Store. Last year, Google updated its digital storefront with a new security feature called Google Play Protect. A background process turned on by default, the security suite automatically runs a safety check on apps before they are downloaded from the Play Store and warns users about any potentially harmful ones that could put your phone at risk.

According to Google, the probability of a user downloading a malicious app from the Play Store was sliced in half last year, from .04 percent to .02 percent. While the number was already extremely low, Google says that the odds of downloading a harmful app from Google Play in 2017 were “less likely than the odds of an asteroid hitting the earth.” Additionally, the proliferation of Instant Apps—which can be used without downloading anything—limits the likelihood of installing a harmful app.

Instant Apps are full Play Store games and services that run without downloading anything onto your phone.

While Google Play Protect and Instant Apps are available for phones going back to Lollipop, most of the other security enhancements Google delivered last year were limited to Oreo. Among the features in the latest version of Android are stronger encryption and key storage, tighter sandboxing, kernel self-protection, and an updated version of Android Verified Boot.

But the biggest change in Android 8.0 security is to the handling of apps from sources other than the Play Store. Where users previously could easily access an Unverified Sources toggle to allow installations of non-Play Store-approved apps, in Oreo it’s a behind-the-scenes permission that automatically runs whenever an app is side-loaded. That means users can’t unwittingly turn it off, but it also means that a malicious app can’t do it either.

Google also paid out more than $1.25 million as part of its bug bounty program, but very few of those payouts were for critical Oreo vulnerabilities. In fact, Google reports, at the 2017 Mobile Pwn2Own competition, none of the exploits were able to successfully compromise Google Pixel devices. That event was held in October, however, after the phones received their Oreo update.

All about that Treble

Overall, things might be looking up. While Android updates generally follow the same slow adoption rate, Google’s new Project Treble could ramp up the number of phones running Android P. The Oreo feature makes it easier for manufacturers to deliver updates to phones, so the phones running Android 8 should receive version 9 much quicker. That means everyone will be a whole lot safer.

Project Treble is a complete change to how updates are delivered. Starting from the source, Project Treble gives manufacturers a clear way to update from Oreo to whatever Android P will be called, boiling down a multi-step process to just a single one. It also smooths over the various hardware tweaks, so Samsung will be able to push out updates to numerous phones, not just the Galaxy S9. Granted, phones will need to be running Oreo in order to take advantage of the new system, but it's a good start.

And that means next year's state of Android report could be a whole lot rosier.

Michael Simon

PC World (US online)