Google released its 2016 Android security report today, highlighting the progress it has made over the past couple of years in terms of protecting you and me from Potentially Harmful Apps (PHA) and also getting our phones up-to-date with the latest security patches. On a PHA level, Google is still doing a bang-up job of not letting through many bad apps that could do you harm, but the security patch situation still isn’t great even after a solid year of improvements. For the year 2016, only about half of Android devices even received a security update. Woof.
Before we get into the security update stuff, let’s talk numbers for those worried about installing bad apps. If you only install apps from Google Play, Google found that only 0.05% of devices contained a PHA. That’s down from 0.15% in 2015 and essentially means you have almost zero chance of downloading something bad from Google Play.
Now, we know that some of you love to get in on some free .apk action outside of Google Play, so you might be a little worried about your chances of getting hammered with a PHA, right? Google says that just 0.71% of all Android devices had PHAs by the end of last year. That’s a slight increase from 0.5% in 2015, but still a pretty small number. Thankfully, Google says that they are now “using improved tools” and have gained new knowledge that should help them further reduce that in 2017.
OK, so about security patch updates – what’s the deal with only half of devices receiving them? It’s complicated! But yeah, Google said in its report that “more than 735 million devices from 200+ manufacturers received a platform security update in 2016.” With 1.4 billion devices in the wild, that’s not exactly a great number. Additionally, Google and its partners pushed updates for “over half of the top 50 devices worldwide” in the last quarter of 2016 alone. Again, that’s fine, but we’re still hovering around that 50% mark here.
Of course, the monthly security platform program is still pretty new and there is work to do for phones outside of Nexus and Pixel. Google thinks it can improve upon the program as partners have invested “significantly” in regular updates and Google itself will be “streamlining” the process by making it “easier for manufacturers to deploy security patches.” Google told TechCrunch that they have already cut wait time for security patches down from weeks to “just a few days” in some cases. Finally, if it makes you feel better, Google also says that 78% of flagship devices in North America were up-to-date at the end of 2016.
As has been the case the past couple of years, it still sounds like Google has PHAs under control, but is still struggling to get manufacturers to buy into releasing security patches. How do they convince them that security is important? That I do not know, but these companies should probably jump on board before they regret having out-of-date phones and something serious happens.
The full report can be read below, and there is a 30-minute overview video down there too.
Full report: Android Security 2016 Year in Review (PDF)