Android Security: Know Why Mobile Developers Need to Implement

Google I/O 2015 is one of the perfect occasions when the world looks forward not only to the key announcements that are to be made, but also to the strategic decision at the core that can change the future of how mobility is perceived. In this article, let’s talk about Android security.

As most of you are aware, Google has made some significant developments by adding multiple security enhancements to the platform to improve Android security in 2014. This was an utterly necessary step considering the popularity of its Android mobile operating system, and the associated security threats that looms with it. But have we been able to get over the threat perception? Perhaps not.

While Google proclaims that more than a billion devices benefit from Google Play’s security mechanisms, it is blatantly true that Android users still face quite a number of non-trivial challenges and prominent security risks.

Android Security – Significant Developments in 2014

• Enabling deployment of full disk encryption.
• Expanding the use of hardware protected cryptography.
• Improving the Android application sandbox with SELinux (Security Enhanced Linux) based Mandatory Access Control system (MAC).
• Developers provided with improved tools to detect and react to related security vulnerabilities, including the SecurityProvider and the nogotofail project.
• Providing device manufacturers with ongoing support for fixing vulnerabilities related to device security – along with development of 79 security patches.
• Better adapted to respond to potential susceptibilities in key areas, such as the updateable WebView in Android 5.0.

IDENTIFYING THE LOOPHOLES

As per Google’s report on Android Security,  “By February 2, 2015, Android 4.4 has become the most widely distributed version of Android with over 41 percent of Android devices that check in to Google services running Android 4.4 or greater”. So the catch here is identifying the loopholes and creating viable solutions for it.

• Android app developers has a crucial role to play in implementing Android security. It has been identified that in spite of Google trying to help app developers improve SSL transport security for Android apps by providing developer resources to educate and help improve the state of mobile SSL, not many mobile app developers implement SSL correctly.
• Now with Android 4.4 representing almost 41 percent of Android devices, it is understood that more than half of all Android devices and the majority of Android users are running older software. Thereby, the challenge and the risk not just remains confined to the older versions of Android being actively maintained or patched by either Google or its Android device partners.

TAKEAWAYS & IMPLEMENTATIONS in 2015

Google besides releasing 2 major milestone updates to Android in 2014, with Android 4.4 and the Android 5.0 preview; reveals in its Android security report that it has provided 79 security patches for Android in 2014.

• Addition of SELinux controls in Android 4.4. SELinux provides an auxiliary layer of security policy and control to shield running processes and applications. Beginning with Android 5.0, you will find that there are even more security enhancements including improved full-disk encryption and verification mechanisms.
• Enhanced Android Security features supports use of the Google Safety Net technology that aims to provide security for all Android applications a user might install (even the ones that were not installed from Google Play). Elaborately speaking, Google’s report explains that Safety Net “detects and protects against non app-based security threats such as network attacks.”
• It has been widely known by now that Google is scanning every single mobile application that finds its way on to your phone, irrespective of whether you downloaded it from Google Play or a third-party source.

SYNOPSIS

Google has always been very clear about its deliverables and aspirations regarding the implementation of Android Security. While Google’s systems use machine learning to realize patterns and make connections, which is beyond human capability; its app store Google Play can help analyze millions of data points, asset nodes, and relationship graphs so as to build a high-precision security-detection system. The addition of the Safety Net from Google empowers Android Security as it helps scans all apps regardless of their source/origin.