Android security is always a hot-button issue. "Dangerous malware" and "new threats" make for great headlines, after all -- and companies that make money selling anti-malware software are always happy to feed fear-inducing fodder to stats-loving reporters (go figure!).
The truth, though, is that Android security is one of the most sensationalized and misunderstood subjects you'll read about in the tech media today. Plain and simple, a theoretical breach and a meaningful threat that's actually putting users at risk are two very different things.
Google's made a lot of progress in separating one from the other over the years -- and the company's about to take another step in making nearly every Android device even more secure.
Android security: The next phase
Over the next couple of weeks, Google will be rolling out a universal update that'll enable constant on-device monitoring for potentially problematic apps. It's an upgrade to the platform's Verify Apps function that first launched with Android 4.2 in 2012, as I reported exclusively at the time, and then spread to all devices with Android 2.3 and up last July.
As it stands now, Verify Apps watches your device for any new applications -- particularly those that you download and install directly ("sideload") instead of installing from the Google Play Store. Anytime a new app appears, the system instantly checks it for potentially harmful code and warns you of any dangers it discovers.
What's changing is that Verify Apps will soon continue to monitor your applications even after they're installed, thereby extending its level of protection.
"We're constantly updating what [threats] we're aware of, so being able to detect those things where we've improved our coverage is valuable," Android Lead Security Engineer Adrian Ludwig tells me.
Ludwig says the newly expanded system will also help identify issues with apps installed before Verify Apps became available -- or those installed without a person's knowledge while, say, someone else was borrowing a device.
"We want to make sure that if that were to happen, a user would be made aware of it after the fact," Ludwig explains.
Just like it does now, the updated Verify Apps system will run silently in the background; Google suspects the majority of users will never even know it's there. And if you'd rather not have the protection in place, you can always disable Verify Apps altogether in your device's system settings.
Beyond a single system
Remember, too, that Verify Apps works in conjunction with a server-side system that scans all apps uploaded to the Google Play Store. And both systems take advantage of something Google calls the Android Safety Net, which detects everything down to SMS abuse and blacklists sources that have exhibited shifty behavior in the past.
"At this point, there really is a collection of services that we're starting to think about as the Google security services for Android," Ludwig says. "We want to make sure there is no single point of failure within our platform so users can be protected."
That "no single point of failure" concept is important: With last year's "Master Key" vulnerability, for instance -- publicized, coincidentally enough, by a company that sells anti-malware software for Android -- Google implemented protection for its Play Store scanning system within a day of learning about the exploit and for its on-device Verify Apps system a few weeks later.
Even though OS-level patches didn't start hitting devices for another few months, those initial layers of protection were available to everyone almost instantly -- and according to Google's internal data, not a single real-world exploit attempt occurred before they were in place. In other words, the real-world risk related to the vulnerability was already next to none, as I pointed out at the time -- and once the Play Store and Verify Apps protection kicked in, it dropped even lower.
And there's the dull truth of this domain: When it comes to security, real-world assessments make for far less sexy headlines than sensational shouting based on theoretical threats.
The next steps
The expanded Verify Apps system will be rolling out as part of an upcoming update to Google Play Services, which means it'll automatically hit all devices with Android 2.3 or higher. That covers almost every phone and tablet out there -- nearly 99 percent of actively running products, according to Google's latest platform measurements -- and thanks to Google's ongoing deconstruction of Android, the update will happen behind-the-scenes and without the need for any manufacturer or carrier interference.
So what's the broad takeaway from this? It's the same thing I've been saying for years: Now more than ever, malware on Android is far less significant of a real-world issue than some reports would lead you to believe. In the real world, the killer viruses that are so good for headlines actually affect next to no one. And now, even if you don't exercise basic common sense -- even if you carelessly download shady-looking stuff from unofficial sources out in the wild -- your phone will automatically protect you even more than it already did.
Anti-malware software vendors will undoubtedly keep preying on ignorant reporters and consumers, but all it takes is a little bit of knowledge to keep the big bad virus monsters in perspective -- and out of your nightmares.