Today, we’re sharing the third annual Android Security Year In Review, a
comprehensive look at our work to protect more than 1.4 billion Android users
and their data.

Our goal is simple: keep our users safe. In 2016, we improved our abilities to
stop dangerous apps, built new security features into Android 7.0 Nougat, and
collaborated with device manufacturers, researchers, and other members of the
Android ecosystem. For more details, you can read the full
Year in Review report or watch our

Over the years, we’ve built a variety of systems to address these threats, such
as application analyzers that constantly review apps for unsafe behavior, and
Verify Apps, which regularly checks users’ devices for potentially harmful apps
(PHAs). When these systems detect PHAs, we warn users, suggest they think twice
about downloading a particular app, or even remove the app from their devices
entirely.

We constantly monitor threats and improve our systems over time. Last year’s
data reflected those improvements: Verify Apps conducted 750 million daily
checks in 2016, up from 450 million the previous year, enabling us to reduce the
PHA installation rate in the top 50 countries for Android usage.

Google Play continues to be the safest place for Android users to download their
apps. Installs of PHAs from Google Play decreased in nearly every category:

By the end of 2016, only 0.05 percent of devices that downloaded apps
exclusively from Play contained a PHA, down from 0.15 percent in 2015.

Still, there’s more work to do for devices overall, especially those that
install apps from multiple sources. While only 0.71 percent of all Android
devices had PHAs installed at the end of 2016, that was a slight increase from
about 0.5 percent in the beginning of 2015. Using improved tools and the
knowledge we gained in 2016, we think we can reduce the number of devices
affected by PHAs in 2017, no matter where people get their apps.

Sharing information about security threats between Google, device manufacturers,
the research community, and others helps keep all Android users safer. In 2016,
our biggest collaborations were our monthly security updates program and ongoing
partnership with the security research community.

Security updates are regularly highlighted as a pillar of mobile security—and
rightly so. We launched
our monthly security updates program in 2015, following the public
disclosure of a bug in Stagefright, to help accelerate patching security
vulnerabilities across devices from many different device makers. This program
expanded significantly in 2016:

We provided monthly security updates for all supported Pixel and Nexus devices
throughout 2016, and we’re thrilled to see our partners invest significantly in
regular updates as well. There’s still a lot of room for improvement, however.
About half of devices in use at the end of 2016 had not received a platform
security update in the previous year. We’re working to increase device security
updates by streamlining our security update program to make it easier for
manufacturers to deploy security patches and releasing A/B
updates to make it easier for users to apply those patches.

On the research side, our Android Security Rewards program grew rapidly: we paid
researchers nearly $1 million for their reports in 2016. In
parallel, we worked closely with various security firms to identify and quickly
fix issues that may have posed risks to our users.

We appreciate all of the hard work by Android partners, external researchers,
and teams at Google that led to the progress the ecosystem has made with
security in 2016. But it doesn’t stop there. Keeping you safe requires constant
vigilance and effort. We’re looking forward to new insights and progress in 2017