Good News: Android’s Huge Security Problem Is Getting Less Huge

According to Google's own stats, only half of Android devices received a security update any time in 2016.

First, the good news: Half of all Android devices have gotten fairly recent security updates, patching the hackable flaws that leave users vulnerable to digital crime and espionage. The bad news? The other half hasn't.

In an annual report on the security of the world's 1.4 billion Android devices that Google released today, the company touts the ever-improving state of Android security. Less malware winds up in its Google Play store, devices are better encrypted, and more hackers than ever report Android bugs to Google in exchange for so-called "bug bounties." But Google has also released solid data for the first time on Android's most serious nagging security problem: The challenge of getting dozens of manufacturers and hundreds of carriers around the world to cooperate on regularly patching Android phones and tablets. On that point, the company argues that a 50 percent annual patching rate beats where it's been in the past---but it's still not remotely good enough.

"We're proud of the fact that half of devices received an update in 2016, but that's not sufficient," says Adrian Ludwig, Google's director of Android Security. "We're making the number available, and we think it's an indication of good progress. It doesn't mean we're done."

Insecure Ecosystem

While half of Android devices going unpatched in 2016 represents a glaring security problem, Ludwig says it's nonetheless a milestone; he estimates that twice as many people installed an Android patch in 2016 as did in 2015. And he suggested that number could reach 75 percent in 2017, though he stopped short of describing that increase as an official goal.

Those patching statistics are a mixed bag, says Josh Drake, a researcher at the security firm Zimperium who in 2015 found the so-called Stagefright vulnerability, which allowed the takeover of Android phones with only a text message. "If this is really a doubling, that's great," Drake says. "But fifty percent is a terrible number."

When it comes to software upgrades for new features and security patches, Google has long struggled to get anywhere near the high rate of software update adoption that Apple's iOS boasts. Less than three percent of Android phones run the operating system's latest version, Nougat, while nearly 80 percent of iOS devices run Apple's latest version, iOS 10. And Nougat officially launched three weeks before iOS 10.

If Google's patching rate has in fact doubled, that represents an "incredibly positive" improvement, says Rich Smith, head of R&D at the mobile authentication security firm Duo. But he says Google's new data also further illustrates how starkly Android devices have lagged in security updates. The fact that half of devices received an update sometime in 2016 doesn't mean they've received one at all recently, he points out. "When exactly you got the patch can be the difference between being protected from trivial things or really critical things," Smith says.

Smith points to the well-publicized attack on Android phones known as Quadrooter, revealed in the summer of 2016. According to Duo's own data, the security flaws that attack exploited have been patched on only about 40 percent of the phones on which Duo's authentication app is installed---and that's a more business-focused, North American collection of users than the overall Android user base Google's report measures. "This is an issue that was shouted from the rooftops, the world is on fire, and those updates still haven't happened," Smith says.
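Smith's point is that "got an update sometime this year" and "got the update for this flaw" are different questions, and the second is the one that matters. A fleet owner can answer it directly, because every Android 6.0 and later build exposes its patch level in the system property ro.build.version.security_patch as a YYYY-MM-DD string. The script below is an added example, not code from Google, Duo, or the report the article covers: it takes a constructed device inventory (the kind an MDM export would provide), computes the share of devices at or beyond a given patch level, and lists devices whose patch level is older than a staleness window. The cut-off date 2016-09-05 used in the usage line is a hypothetical threshold for illustration; the article names no date for the Quadrooter fixes, so check the Android security bulletin that shipped the relevant CVEs before using a real one.

```python
"""Fleet patch-level check (added example; sample data is constructed)."""
import subprocess
from datetime import datetime, timedelta

# Constructed sample of an inventory export: one record per enrolled device.
# "patch" mirrors ro.build.version.security_patch; it is None on builds that
# predate Android 6.0, which never reported a patch level at all.
SAMPLE_FLEET = [
    {"id": "dev-001", "model": "SM-G935F", "release": "7.0",   "patch": "2017-02-05"},
    {"id": "dev-002", "model": "SM-G920F", "release": "6.0.1", "patch": "2016-08-01"},
    {"id": "dev-003", "model": "Nexus 5X", "release": "7.1.1", "patch": "2017-03-05"},
    {"id": "dev-004", "model": "LG-H815",  "release": "6.0",   "patch": "2016-06-01"},
    {"id": "dev-005", "model": "SM-N910F", "release": "5.1.1", "patch": None},
    {"id": "dev-006", "model": "SM-G930F", "release": "7.0",   "patch": "2016-11-01"},
]


def parse_patch_level(value):
    """Return the patch level as a date, or None if it is missing or malformed.

    A missing or unparsable value is treated as 'unknown', and every caller
    below counts unknown as unpatched: that is the conservative reading.
    """
    if not value:
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:
        return None


def patched_against(fleet, cutoff):
    """Fraction of devices whose patch level is at or after `cutoff` (YYYY-MM-DD).

    This is the per-flaw question: did this device get the bulletin that fixed
    the bug I care about, not merely 'an update' at some point.
    """
    cutoff_date = datetime.strptime(cutoff, "%Y-%m-%d").date()
    if not fleet:
        return 0.0
    patched = 0
    for device in fleet:
        level = parse_patch_level(device.get("patch"))
        if level is not None and level >= cutoff_date:
            patched += 1
    return patched / len(fleet)


def stale_devices(fleet, today, max_age_days=90):
    """IDs of devices whose patch level is older than `max_age_days` or unknown.

    `today` is passed in (YYYY-MM-DD) rather than read from the clock so the
    result is reproducible; in production you would pass the current date.
    """
    today_date = datetime.strptime(today, "%Y-%m-%d").date()
    oldest_ok = today_date - timedelta(days=max_age_days)
    stale = []
    for device in fleet:
        level = parse_patch_level(device.get("patch"))
        if level is None or level < oldest_ok:
            stale.append(device["id"])
    return stale


def read_patch_level_via_adb(serial):
    """Read the live property from a USB-attached device using the real adb CLI.

    Not exercised here (it needs a device); shown so the source of the
    'patch' field in a real inventory is clear.
    """
    out = subprocess.run(
        ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Hypothetical cut-off: the bulletin date you have verified fixed the flaw.
    share = patched_against(SAMPLE_FLEET, "2016-09-05")
    print(f"devices at or beyond 2016-09-05 patch level: {share:.0%}")
    print("stale (>90 days as of 2017-03-22):", stale_devices(SAMPLE_FLEET, "2017-03-22"))
```

On the constructed sample, half the fleet is at or beyond the hypothetical cut-off, and four of six devices are more than 90 days behind as of the date given, which is the kind of gap between "updated in 2016" and "protected from a specific flaw" that Smith describes. The pre-6.0 device is counted as unpatched in both measures because it cannot report a patch level; do not let such devices silently drop out of the denominator.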

Fragment Nation

Android's biggest hurdle to better patching remains the byzantine fragmentation of its operating system. Samsung alone offers 13 models, sold by 200 different carriers, each of which customizes its operating system to different degrees. That results in close to 1,500 variations of every version of the software, says Samsung's mobile security director Henry Lee. "It might seem like we just receive a patch from Google and apply it, but it's actually not that simple," he says. About 60 percent of Samsung users received an update in 2016, Lee says, but about 15 percent use old, unsupported versions of Android, and another 15 percent simply ignore the updates.

Still, thanks to Samsung's market dominance, those percentages result in big numbers. Samsung security updates now reach 400 million devices, spread across hundreds of global carriers. That's a sizable chunk of the just over 1.4 billion total Android users.

The improvement over 2015 shows that some of Google's efforts are working. Google and several of its manufacturing partners, including Samsung and LG, have started pushing out monthly security-specific updates for Android devices that run versions as old as 2013's KitKat. Android's Ludwig says Google has worked to make its updates more seamless and smaller in size. It's pressured carriers to take patching more seriously, and convinced many of them not to count software updates against user data plans. Google also developed so-called "A/B updates," which install the new build onto a second system partition while the device keeps running and let it fall back to the previous partition if the new one fails, so that businesses can try out new software and easily roll it back if it causes compatibility issues with any critical enterprise software.

Google's Ludwig also emphasizes that Android's security has improved in other important ways. Play Store filters catch more malware than ever, he points out, preventing malicious apps from infecting users' devices. Just 0.71 percent of users had any sort of malware on their phone in the fourth quarter of 2016, according to Google's report. And while that's up from the half a percent of infected users a year before, the numbers were far better when users only downloaded apps from the Play store: Just 0.05 percent of those phones were infected with malware in the fourth quarter of 2016, down from 0.15 percent the year before. (A good reminder to never download software outside of Google Play.)

As optimistic as those malware numbers may seem, they don't account for lower-volume, targeted hacks against sensitive victims. WikiLeaks' recent release of secret CIA files, for instance, revealed dozens of years-old Android hacking techniques no doubt used to stealthily spy on small numbers of individuals not accounted for in Google's statistics. Google declined to comment on whether or when the flaws those CIA hacking techniques exploited might have been fixed.

Which gets back to that original problem. Whether or not Google patches the Vault 7 flaws---or plenty of others hiding in its smartphones' code---as many as half of Android users will still remain as vulnerable as ever.

This story has been updated to include additional data points.