Over the years, Android has been labeled by many as the most vulnerable of the mobile operating systems. Google has worked hard to remove this unfortunate stigma with every new version of Android, but it’s with Android Lollipop (5.0) that the company is attempting to showcase its improved security features with great fanfare, beginning with a blogpost published Tuesday by one of Android’s lead security engineers.
The post got us wondering: how safe is the new version of Android, and will the new security features really make a difference in the way users perceive it? We talked to Paul Roberts, editor of The Security Ledger, about what Android’s real threats are and whether Lollipop’s new security features will actually help squash the operating system’s unsavory reputation.
Actually, Android has always been secure
In the blogpost, Google highlighted three particular newish security features in Android 5.0: the ability to unlock a phone with Bluetooth pairing or NFC, default out-of-the-box encryption, and better Security Enhanced Linux (SELinux) to help keep malicious apps from tearing away at everything else. The kicker is that most of these features have already been available in some capacity. For instance, the first iteration of SELinux shipped with Android in 4.2.2, while encryption was always there (it was just opt-in).
“I think Android in general is a pretty secure operating system, and in some sense always has been,” said Roberts. The problem is that users weren’t taking advantage of existing security features because they weren’t easy to implement. It’s an issue with most mobile companies, however.
“The key, we saw with Apple’s Touch ID, is that it has to be pretty reliable and seamless,” said Roberts, though he admitted that even Apple’s hardware solution still isn’t all that intuitive. “I have an iPhone 5S, I use it with a case…and TouchID is not really that reliable with the case. It works probably 60 percent of the time, but 60 percent of the time is poor enough that I never want to use it.” Roberts stressed that users will only take advantage of new security features that work “quickly and more or less 100 percent of the time. If it falls short of that, people will not use it.”
Google's aim is to make security features in Android Lollipop a bit easier to use by enabling encryption by default on new devices and providing an easier way to unlock phones, but it will only be successful if its implementation is fast and easy.
Android’s real threat is still fragmentation
While the implementation of better application sandboxing and forced encryption in Android 5.0 makes Android safer than ever, there are still other threats that aren’t being addressed directly. “Most of the threats of the Android OS are not compromises of the core operating system, they’re just malicious apps that people installed thinking they’re legitimate apps,” said Roberts.
The other issue is the strikingly large percentage of users running older, outdated versions of Android that aren’t equipped with any new or updated security features. It’s a byproduct of the fact that Google has essentially created an environment within the Android ecosystem that is very centralized. “While Lollipop will be more secure than versions that came before it…there’s no way for Google to force existing Android device users to adopt Lollipop,” said Roberts. “That job really falls to both the handset makers and the carriers selling the phone. It’s very unlikely that any of them will proactively update existing devices from earlier Android versions to Lollipop.”
If Google really wanted to improve the overall Android experience, it would help those users left behind get up to speed—or at least rein in the carriers and manufacturers who are delayed in doing so. Providing new security features only to new phone buyers and upgrading phones bought in the last year isn't going to cut it.
Better to have some protection than none at all
Google’s built-in features will at least protect users from what they can’t immediately control, and things like application sandboxing will actually make a real difference in terms of malware and data theft.
Overall, Roberts hammered home the idea that the security features built into Android Lollipop are more than just window dressing—they’re real and substantive, and as people migrate to devices that run Lollipop the dialogue on Android security will likely change. “This is all part of the post-Snowden world,” he said. “Users want to keep their data safe from prying eyes and this latest version is all about trying to make that as seamless as possible.”
Android Lollipop's new souped-up security features will hopefully shift the conversation to how much safer the operating system is now compared to its humble beginnings, but it will only be successful if users are making use of the new security add-ons. If they're annoying to use, why bother?