Android Security — a Q&A with Google's Adrian Ludwig

We've been talking a lot about security on your Android device recently, and as the conversation continued it was clear there were questions that needed to be answered by a person a greater authority. Things like whether you need antivirus software for your phone, identifying malware, and being sure your devices are generally safe through daily use are topics that have become unnecessarily muddy. While we can place some of the blame for this on the seemingly endless barrage of articles telling us about all of the software out there being made to exploit Android users, there also are some legitimate questions about Android security that don't have plain, simple answers.

To help address this, we've gone straight to the source. Adrian Ludwig, a lead engineer for Android security at Google, took some time via email to give the answers we've been looking for.

Read more: Android Security - a Q&A with Google's Adrian Ludwig

Google's role

Google Android

Q: What, exactly, is Google trying to protect its Android users from?

Ludwig: We designed Android using multiple layers of security — Starting with device hardware features (Trustzone, NX), through the operating system (Application Sandbox, SELinux, ASLR) and up to applications and services that Google provides (Google Play, Device Manager, Verify Apps, etc). We also encourage security innovation by enabling third parties to provide security solutions.

The most pressing security threats facing mobile devices these days include: 1. Lost and stolen devices (for which we provide protections like lockscreen, device encryption, and Android Device Manager) 2. Network-level attacks (for which Android provides cryptographic services and exposes a minimal attack surface by having no listening services by default) 3. Potentially harmful applications (for which the Android Application sandbox, Google Play review of applications, and Verify Apps are all designed)

When we hear about a new potential threat, we begin to incorporate that into our future plans and design.

Support policy

Google Play Services

Q: How long does Google offer support for things like security vulnerabilities that are discovered in the operating system?

Ludwig: Our approach to a support policy for Android security is to provide updates everywhere we believe they will actually be delivered to users and improve security. In practice this means we provide multiple different types of support for potential security issues:

  1. If an issue can be resolved by updating Chrome, Gmail, Google Play, or any number of Google applications — we'll resolve the issue in a manner that goes back to all Android versions on which each application is available.
  2. Google Nexus devices and Google Play edition devices regularly receive security updates in a timely fashion.
  3. We provide patches for the current branch of Android in the Android Open Source Project (AOSP) and directly provide Android partners with patches for at least the last two major versions of the operating system. Currently, we're providing backports for security issues that cover Android 4.3 and greater. WebKit on Android 4.3 is the one exception. It is supported on Android 4.4 and above as a binary update. Nevertheless, when an OEM requests assistance in developing a patch for a device that is running an older version of the platform and they commit to delivering that patch as an OTA to devices, we'll provide them with assistance.
  4. Where possible, we also update Google's security services for Android to provide an additional layer of protection for all Android devices, regardless of whether they are still supported by OEMs. This includes checking for potentially harmful applications and other security behavior.
  5. We also provide application developers with information and tools to ensure their applications are protected against potential security issues. This includes providing APIs within Google Play Services such as the updatable Security Provider that can be updated by Google without a device OTA. We also provide best practices that can help developers make sure their applications work safely on all Android devices, regardless of whether they are still supported by OEMs. Recently, we've begun to scan applications in Google Play for potential security vulnerabilities and notify developers when those vulnerabilities are detected.
  6. Last, but not least, we share information about security issues (including information we have about fixes and any known exploitation) with Android partners to make sure they understand the issue, including the risks associated with devices not receiving an update for the issue. This includes adding tests for potential security issues in the Compatibility Test Suite to reduce the chance that an OEM inadvertently ships a device with a known security issue.

User control

App Permissions

Q: In the event an app has been deemed malicious but not necessarily dangerous — for example an app that spams the notification tray with unwanted ads — what tools are available to help users?

Ludwig: Android provides users with controls that allow them to control the experience on their device. This includes capabilities like viewing application permissions, configuring settings such as the ability of an application to display notifications, or the ability to disable or remove applications at any time.

If a notification is unwanted, the user can long-press on the notification to see which app produced it and then change the application's notification settings or uninstall the application.

Security checks

Android Security Verify Apps

Q: What happens when Google sends a message warning users of a malicious app and the user doesn't remove the app, either because they choose not to or the message was accidentally dismissed?

Ludwig: There are multiple redundant security checks that are designed to make sure that an app that is known to be potentially harmful won't be accidentally installed. At each of these checks, the majority of users who receive a warning about a potentially harmful app choose not to proceed.

Here are all the major steps:

Google has integrated its warning system for known potentially harmful apps into the backend of many of our apps. So, for example, the Chrome browser with Safe Browsing might warn the user before they even download an app from a website that it looks like they are on a website that hosts potentially harmful apps.

If they choose to download and install anyway, they would receive a warning at install time (as well as other information such as the application permissions that can help them decide if they want to install).

If they still decide to proceed, the application is installed, but it still can't do anything until the user actually decides to run the app. So they have one more chance to choose to remove the application before it could possibly cause any harm.

Whether they choose to run the app or not, if it's installed on their device, then the Verify Apps background scanning will flag the app and provide another warning recommending that they remove the app. This warning will generally occur about once a week — though the user does have the option to say "don't remind me again."

Antivirus apps

Avast Antivirus

Q: Are third-party security apps keeping me even more safe from potentially harmful Play Store apps?

Ludwig: The protections built into Google Play are very robust. For users installing apps outside of Google Play, we strongly recommend they enable Verify Apps, which is provided on Android devices running Android 2.3 or greater (that's more than 99 percent of Android devices) that have Google Play installed.

In 2014, according to Verify Apps data collected by Google and ignoring rooting apps that were intentionally installed by users, fewer than 0.15 percent of Applications installed from outside of Google Play to U.S. English devices were classified as Potentially Harmful Applications. Given the built-in protection provided by Verify Apps and the low frequency of occurrence of installation of PHAs, the potential security benefit of an additional security solution is very small.

Custom ROMs

Android Security ROMs

Q: Do any of Google's Security features apply to users who have installed third-party versions of Android (read: community-made ROMs)?

Ludwig: Yes, third-party ROMs are generally built on AOSP, so they support the Android sandbox, and many of them use Google's applications, including our security services.

And there you have it. Google does an incredible amount of work to keep Android safe, and a huge portion of that is being prepared for whatever happens next. But it's always going to be a bit of a cat-and-mouse game. As has always been the case, keeping your device safe is all about being aware of where you are tapping, what you are installing, and being as informed as possible.

Be sure to check out the rest of our security series if you'd like to learn more.

Russell is a Contributing Editor at Android Central. He's a former server admin who has been using Android since the HTC G1, and quite literally wrote the book on Android tablets. You can usually find him chasing the next tech trend, much to the pain of his wallet. Find him on Facebook and Twitter

  • Tq so much AC. This is very comforting. Posted via the Android Central App
  • good Posted via the Android Central App
  • And this is why AC is the #1 Android site. Know-one else takes the time to get this type of reach and get the answers that really matter.
  • +1 Posted via the Android Central App
  • I like how they went out and got answers. Posted via the Android Central App
  • So I really don't need a third party battery draining security app like Lookout. Posted via My htc One M8
  • Yeah I think that app is named after what you yell at your battery when you install it Posted via the Android Central App
  • I still want to know where Factory Reset Protection is. There are countless articles that lamented that Google was adding a 'kill switch' to lollipop. As far as I've seen it's not there. Is this something that Google still plans on implementing at some point? Since Apple implemented their version of the 'kill switch' theft of iDevices has dropped significantly. I want to see the same thing happen with Android. I've lost a tablet before and thankfully an honest person found it because there was nothing to stop him from factory resetting it. After that he would of been free to do whatever he wants with it.
  • If there was a kill switch that you had activated before it was returned to you, you would have that working tablet, either. Kill switched are generally more important to iPhones because they have such a large market and a small number of models, so resale is very profitable, both for the device as a whole as well as for parts. There are so many models of Android devices that no single one of them is really worthwhile for a thief to focus on stealing for high-markup resale.
  • Thieves might be looking for iPhone more but if they see an opportunity to steal a phone, no matter what manufacturer they will take it. My tablet was secured with a pin and I remotely locked it with device manager. If the person wasn't honest all they would of needed to do was factory reset it from recovery. The factory reset protection that was announced as a feature of lollipop was supposed to prevent this. Edit: I will have to test factory resetting through recovery while encrypted as someone mentioned below. Posted via the Android Central App
  • It's been in Android for a while. You just have to enable device encryption in the security settings. People are talking about it now because Lollipop enabled encryption (and the accompanying 'kill switch') default out of the box.
  • Encryption does nothing to prevent a device from being factory reset through recovery. When lollipop was announced one of the features announced was 'factory reset protection' that was supposed to somehow prevent a lost or stolen device from being factory reset through recovery. There has been nothing mentioned about since that initial announcement. I'm just curious what happened to it. Posted via the Android Central App
  • If you factory reset with Encryption enabled, it will ask for your Google account password on first boot.
    And you can't use ADB to force a factory reset like you could before.
  • I will have to test that out. I just factory reset my nexus 5 which was encrypted but I didn't do it through recovery. I did it through the backup and reset settings and it did have me input my pin there. Posted via the Android Central App
  • i think you are wrong, but please post a screen shot or take a photo of it on your phone / tablet and ill pay you for it. Nowhere in the "Encrypt Tablet" option does it even mention Factory Reset Protection, it only mentions that you can decrypt by doing a factory reset, with your personal data getting erased as a result.
  • Yeah yeah, security shmecurity. What I really want to know is... Where do I get one of those really cool metal Xenomorphs seen in the banner picture of this article? ;-)
  • ^^^LOL! Posted via My htc One M8
  • You can buy these off an etsy artist at Kreatworks. They ship from Thailand.
  • Thanks for this, just bought one!
  • I know this is probably besides the point but... can I get that alien desk thingy??!!! :D
  • What I'd really like to know is how to protect my device from 3rd party snooping! From what I understand, its nearly impossible on regular consumer devices and nearly no one seems to be talking about it. Am I wrong??
  • Pay for a VPN service that meets your requirements and direct all of your phone's data through that connection.
  • Check out Zonealarm Capsule, it might be the app you're looking for. It shows exactly what information your app's can access, and it has a built-in VPN.
    Just bought a year subscription.
  • Take some time and read the permissions an app's requesting before installing it. But, yeah. You can also read that app's privacy policy as it is required by Google to have one while publishing an app on Play Store.
  • I like to think that Text Secure and red phone do a pretty good job, if you are talking about snooping on your messages and calls. But let's be honest, you aren't making phone calls right?
  • I want to know where I can get a copy of that awesome scrap-built alien in the photo.
  • Great article, very informative and it really just reinforces what I would suspect many of us knew: There's no point in running AV apps. Thanks for the article AC, would love to see more stuff like this!
  • Check it out. Anti viruses are a scam! Yes it's true! Think about it. They make the problem and for x amount of dollars. They have a solution. If there isn't any viruses, then there's no need to purchase any software!
  • Good read. Major typo in the very first sentence of the article, though. Posted via the Android Central App
  • I saw that too. This is typical in today's blog-disguised-as-journalism world. Smh every day. Glad the rest of the article was decent - although it mainly contained quotes which can be c/p'ed. Posted via the Android Central App
  • I want the alien scorpion thing too! Where can we get one? A "due-to-popular-demand" piece may be in order, AC! ;) Posted via my SGS5 from the Android Central App
  • Just uninstalled Lookout Posted via Android Central App
  • Not much mention on restricting apps from using the microphone or contacts etc.
  • Google says: "Recently, we've begun to scan applications in Google Play for potential security vulnerabilities and notify developers when those vulnerabilities are detected." How about notifying the users first? They have hopefully started using the list on Certs about the 26,000 + apps that are not secure. They handle ssl/tls incorrectly and with the webview vulnerabilities, there is a real chance of your phone being taken over,or malware installed,and your personal information disappearing. Or even having your files encryted for ransom. Here is the link to the list in Certs. Or the link is in the report I should say. I am unable to download it on mobile because it is way too big,but I saw it early on when there were only a couple hundred. I think its great that Google takes all these actions,but they are leaving millions open to real,and severe vuln's. It will take years for everyone to migrate to lollipop. Abandoning the ASOP versions after 18 months is a joke. If they told you that you have to throw away your perfectly good laptop after two years how would you feel. Or maybe your big screen tv has to be replaced after two years. Sorry,but we don't support that any longer. Bull! They have a responsibility to do more when something this big comes up! Bet you did not know that kitkat is vulnerable to this,did you. And why care when you all have the latest device's given to you all. I find this whole question and answer session a bit disingenuous by Ludwig. He made many statements on this subject,but AC fails to call him out on them. Ludwig also has made statements to the effect,that android is perfectly safe,but over 16 million devices were infected last year alone.(just read the report today) I know I'm just spitting in the wind here. But this is not the only place I've writen to or at. If Google spent more time on fixing their own screw ups (yes it is their code I'm talking about) and less time on finding others software flaws,then maybe all os versions would be safe,and not just the newest. Posted via the Android Central App, HTC Evo 4g LTE ,on Sprint
  • I agree that important apps need to be fixed, but this really only affects people "packet sniffing" on your network.  A quick scan through the apps and I see several that my reaction is "who cares?" "Where's my water" is not going to be transmitting any sensitive data.  The 1800Contacts app is more concerning, assuming you can pay with the app. The philosophy has always been to be care about doing "sensitive" stuff on public networks.  It's a problem, but it's not an "Android" problem as much as it's a web problem, and it's not going to affect very many people in the long run.
  • The only thing secure on my device rhat i use is BBM. Sorry but android is as secure as my groceries are in a wet paper bag . Love my samsung gal but with all the crp that's out there these days for android that I only use my devise for music games and vids. Posted via the Android Central App
  • And this position is based on what technical knowledge or expertise?
  • Im trying to figure out how to close previous windows/tabs whatever there called.I can't open a window until I close other one. Help??
  • Help me, do I new an app to get help/how to do things or what? Do I need google? Android app? Or a forum. Or do I.go to questions and answers to figure it out???
  • Usually, your best bet is to Google it.  As for your previous comment, what do you mean you can't open a "window" until you close the other one?  You (usually) don't explicitly close apps on Android.  The OS leaves them cached in RAM in an idle state, and will close them automatically as it needs more resources.
  • Lollipop update systems Xperia z2 modile