February 14, 2017, RSA Conference: Delivering Secure, Client-Side Technology to Billions of Users Adrian Ludwig, Director of Android Security, Google.
Google aims to make the web safe for all. Director of Android Security Adrian Ludwig will discuss the progress they’ve made, the gaps that remain and how client-side security can make the web more secure.
30 Aug 2016, WIRED UK: How Google is putting security at the heart of Android By ADRIAN LUDWIG. Google’s director of Android Security explains the operating system’s built-in security features
Android has been the fastest growing operating system of all time.
The total ecosystem is huge: 400 companies partner with 500 carriers to produce over 4,000 distinct phones, tablets, and TVs running Android.
When we founded Android, the idea was somewhat crazy — build an open standard for hardware makers. Android is open-sourced and provided for free on all hardware.
This makes it possible for hardware makers to build a wide variety of different devices (phones, tablets, and even watches) while simultaneously making it easier for developers to build one app that works across any of these different devices.
Having an open ecosystem and over a billion users means that we take security very seriously. From the very beginning, security has been baked into the heart of Android. For example:
All Android applications run in what we call an “Application Sandbox.” Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual ‘sandbox’ to keep it from accessing anything outside itself. This means that even if a user were to accidentally install a piece of malware, it’s forbidden from accessing any other app on the device.
The latest security technology
Android devices use leading hardware and software security technologies such as encryption, application signing, system integrity checks, SELinux, ASLR, and TrustZone to protect user data and the device.
More control in Android M
Users are even safer with the new permissions model in Android M, which gives them more control over what apps are allowed to access. Apps trigger requests for permissions at the time they need to do something.
For example, if your photo posting app wants to access your photo roll, it has to ask you first. So if a flashlight app starts asking for access to your phone book, you can just say no.
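As an added illustration (not code from the article), this is what the request-at-time-of-use flow described above looks like for an app targeting Android 6.0 (API 23), using the AndroidX compat helpers; the activity, method and request-code names are assumptions for the example, and the point to notice is that the app keeps working when the user says no.

```java
// Added illustration of the Android 6.0 (API 23) runtime-permission flow; not code from the article.
// Class name, method names and the request code below are assumed for this example.
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.widget.Toast;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class PhotoPickerActivity extends Activity {
    private static final int REQ_READ_PHOTOS = 42;  // arbitrary request code chosen for this example
    private static final String PHOTOS_PERM = Manifest.permission.READ_EXTERNAL_STORAGE;

    /** Called when the user taps "attach photo": the app asks only now, at the moment access is needed. */
    void onAttachPhotoClicked() {
        if (ContextCompat.checkSelfPermission(this, PHOTOS_PERM) == PackageManager.PERMISSION_GRANTED) {
            openPhotoRoll();
            return;
        }
        // On devices before Android M every permission was granted at install time; checkSelfPermission
        // already reports GRANTED there, so no separate version check is needed here.
        if (ActivityCompat.shouldShowRequestPermissionRationale(this, PHOTOS_PERM)) {
            // The user denied this once before: explain why photos are needed before asking again.
            Toast.makeText(this, "Photo access is used only to attach a picture to your post.", Toast.LENGTH_LONG).show();
        }
        ActivityCompat.requestPermissions(this, new String[]{PHOTOS_PERM}, REQ_READ_PHOTOS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_PHOTOS) return;
        // grantResults can be empty if the request was interrupted; treat that as a denial.
        boolean granted = grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        if (granted) {
            openPhotoRoll();
        } else {
            // The user said no (the "flashlight app asking for your phone book" case): degrade gracefully.
            Toast.makeText(this, "You can still post without a photo.", Toast.LENGTH_SHORT).show();
        }
    }

    private void openPhotoRoll() { /* launch the photo picker; app-specific and assumed here */ }
}
```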
Google Play — our official marketplace for Android apps and games — is also an important part of Android security. Before applications become available in Google Play, they undergo an application security review process to confirm that they comply with Google Play policies, prohibiting potentially harmful applications. We suspend developer accounts and apps that violate our policies.
Third Party Verify Apps Feature
Since Android allows alternative app stores other than Google Play, our users often download apps from third-party app stores. In order to help make this third-party experience secure, we also have a feature called Verify Apps that warns the user or blocks potentially harmful apps, even if the app wasn’t from the Play Store.
It checks apps when you install them and periodically scans the device for potentially harmful apps to keep users safe. Over 1 billion devices are protected by Google Play, which conducts 200 million security scans of devices per day.
The results of these efforts have made malware relatively rare on Android. Based on our research, fewer than one per cent of Android devices had a Potentially Harmful App (PHA) installed in 2014, and fewer than 0.15 per cent of devices that only install from Google Play had a PHA installed.
In future installments, we’ll talk more about how we work with the broader security community to protect Android users, and offer a few tips for you to protect your phone as well.
THE CONTRIBUTION FROM THE PARTNERS COMMUNITY
31 Aug 2016, WIRED UK: How Google’s bug bounties reward you for hunting out flaws in its Android software By ADRIAN LUDWIG. Google’s head of Android Security explains how bug bounties keep the OS secure.
Our last post looked at the ways in which we protect users against harmful software inside of Android and through our app store Google Play.
Android, however, is an open ecosystem used by more than 1.4 billion people around the world, so it makes sense to tap into all of those Android partners, developers, users, and researchers to help locate vulnerabilities and problems. This is the advantage of an open ecosystem: we can work with the broader security community who help us improve security and make Android stronger.
The first priority for this approach is that we must be transparent about how exactly Android works. Android is open source, and this means we publish the latest programming source code for Android here.
Anyone can review the code to identify potential security risks. Anyone can build a device using this open source code (as well as add their own customisations). And anyone can suggest modifications or improvements to the core open source project.
Secondly, we work hard to encourage research on Android. We have come up with many ways to incentivise people to poke around in our code and find problems.
In 2010, Google started what we call security reward programs to pay security researchers who find major flaws. In 2014 alone we paid more than $1.5 million to security researchers who found vulnerabilities in Chrome and other Google products.
The success of this program led us to extend it directly to Android. In 2014, we started Google Patch Rewards — an experimental program to reward proactive security improvements for a few of our open-source projects. Rewards for qualifying submissions range from $500 for one-line improvements, up to $10,000 for complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code.
Then in 2015, we started the Android Security Rewards Program to help reward the contributions of security researchers who invest their time and effort in helping us make Android more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team.
The reward level is based on the bug severity, increasing for higher quality reports that include reproduction code, test cases, and patches. In the last six months of 2015, we paid more than $200,000 to researchers for their work, including our largest single payment of $37,500 to an Android security researcher. This was part of the total $2 million paid out to researchers across all the programs.
On top of our own programs, we also sponsor third-party competitions such as Mobile pwn2own, ZDI’s annual contest that rewards security researchers for highlighting security vulnerabilities on mobile platforms.
Finally, we work closely with our hardware partners so devices can be updated with the latest patches. For more than three years, we have been sending Android manufacturers monthly bulletins of security issues that they can use to keep their users secure.
Nexus devices have always been among the first Android devices to receive platform and security updates. Since last year, Nexus devices have been regularly receiving security-focused, over-the-air (OTA) updates each month in addition to the usual platform updates. These fixes are also released to the public via the Android Open Source Project.
For Android, security has always been a priority. We are extremely grateful to the wider research community for helping us find security flaws. It’s great for us, and more importantly for 1.4 billion people around the world, to see so many people pitching in to make Android safer.
FROM THE USERS THEMSELVES
2 Sept 2016, WIRED UK: How to keep your Android phone safe from prying eyes By ADRIAN LUDWIG. Google’s director of Android Security reveals practical ways to keep your data safe.
Over the course of this dedicated security series we have focused on how security is baked into the very heart of Android.
But the Android operating system also empowers you to take safety into your own hands.
This final piece in our series focuses on how each and every Android phone user can play an active role when it comes to safety on the internet. Today, smartphones have become nearly indispensable. So it’s important to keep not only your phone but also its contents secure.
We’re going to walk you through some top ways to keep your mobile security skills as sharp as possible. These are simple but highly effective ways to keep you safe, such as finding your phone if it’s lost, keeping your personal information secured, and making sure the apps and games you download are safe.
One of the most basic threats to mobile security is pretty simple and is probably something that has happened to all of us: losing your own phone. We entrust our phones with some of our most personal data – texts from loved ones, family photos, work emails, bank account information, and more. In the wrong hands, that data could cause trouble but when your phone goes missing, it’s not always easy to figure out where to start, who to call, or how to keep your information safe.
Find Your Phone is a new Android feature that will help you if your phone is ever lost or stolen. In a few simple steps, you can not only locate your phone, but also lock and call it, secure your account, leave a callback number on the screen, and more. The feature can be used to find lost Android and iOS devices, and soon, you’ll also be able to access it by searching Google for “I lost my phone.”
You can use Find Your Phone in My Account, or just by searching ‘find my phone’ on any Google browser. Plus, it works for both Android and iOS devices.
A second easy thing you can do if you don’t want anyone who picks up your phone or tablet to have access to your stuff is to switch on your mobile device lock. On an Android phone or tablet, you can pick a PIN, a password, or a pattern.
For added security, you should also set your device to automatically lock when it goes to sleep. You can take this even one step further and customise your settings so that your patterns and passwords are not visible when you’re entering them.
Download apps from trusted stores and marketplaces and help ensure your phone is safe when it’s in your own hands. Some apps can affect your device’s security, so only download them from places you trust. We work to make sure that all apps available on Google Play pass stringent policy checks, including checks for potentially harmful behaviour.
If you have Google Play installed, you’re automatically protected from potentially harmful apps with the Verify Apps feature. It’s turned on by default and warns you before you install an application we believe is potentially harmful. It’ll also check your device once a week for potentially harmful apps. If you see a warning from Verify Apps, we recommend not installing that app.
In the last year, we’ve significantly improved our machine learning and event correlation to detect potentially harmful behaviour. We protect users from malware and other Potentially Harmful Apps (PHAs) by checking more than 6 billion installed applications per day. We protect users from network-based and on-device threats by scanning 400 million devices per day. And we protect hundreds of millions of Chrome users on Android from unsafe websites with Safe Browsing.
We have also continued to make it even more difficult to get PHAs into Google Play. Last year’s enhancements reduced the probability of installing a PHA from Google Play by over 40 per cent compared to 2014. Within Google Play, install attempts of most categories of PHAs declined: data collection decreased over 40 per cent to 0.08 per cent of installs, spyware dropped 60 per cent to 0.02 per cent of installs, and hostile downloaders also decreased 50 per cent to 0.01 per cent of installs.
Overall, PHAs were installed on fewer than 0.15 per cent of devices that only get apps from Google Play. About 0.5 per cent of devices that install apps from both Play and other sources had a PHA installed during 2015, similar to the data in last year’s report.
It’s critical that we also protect users who install apps from sources other than Google Play. Our Verify Apps service protects these users and we improved the effectiveness of the PHA warnings provided by Verify Apps by over 50 per cent. In 2015, we saw an increase in the number of PHA install attempts outside of Google Play, and we disrupted several coordinated efforts to install PHAs onto user devices from outside of Google Play.