Addressing a large room of hackers is enough to give anyone a case of stage fright, but that didn’t happen to Adrian Ludwig, the man who runs Android security for Google and delivered an Android Security State of the Union speech at the Black Hat USA conference.
In the front row, watching intently as Ludwig spoke, was Joshua Drake, the Zimperium security researcher who last week disclosed the Stagefright vulnerability that impacts 950 million Android phones. Stagefright was a recurring theme throughout Ludwig’s session, as he gave credit to Drake for responsible disclosure while still reassuring the Android faithful that security is improving for Android.
“The state of the union for Android security is strong and I have spent time making sure it stays strong,” Ludwig said. “It’s not just about building a safe; it’s about building something that can react and respond to security quickly.”
Android’s Biggest Update
To reinforce his point, Ludwig announced that Google and its partners are pushing out the largest software update in Android history. It’s an update designed to fix Stagefright.
“We’re updating all Nexus devices — the Nexus 4, 5, 6, 7, 9 and 10 and even the Nexus players — and we’re patching for libstagefright,” Ludwig said. “This is the single largest mobile software update the world has ever seen.”
Ludwig said Google will also now push out monthly security updates and provide monthly security bulletins to keep users and the market advised on what’s going on with Android.
Security support will now extend for three years from the time a Nexus device first appears in the market, a commitment that is also being made by Samsung and LG for their Android devices.
“The industry has looked at recent events and realized that it needs to move fast, and we need to tell people what we’re doing,” Ludwig said.
Android Security Features
Even with the Stagefright issue, Ludwig emphasized Android contains multiple layers of security to keep users protected every day. Google Play provides Google with a mechanism to interact with developers and helps prevent the proliferation of bad applications, for example.
Ludwig also touted Google’s Verify Apps technology, which he described as the world’s largest anti-virus engine. Verify Apps checks that apps are safe after analyzing the entire ecosystem of Android developers, based on interactions with Google Play.
Google also has a technology called Safety Net, an intrusion prevention system for a billion Android devices, which provides protection at an ecosystem level.
In Android, code can’t run without some form of user confirmation at some point, which is another security choke point, Ludwig said.
Going a level deeper, Ludwig said that Google works with developers and performs application analysis for apps submitted to Google Play.
“We’re taking an aggressive stance to see if an application is doing something wrong, and we’re working with the developers and the development process to make it right,” he said.
Even for Android users who elect to install software from outside of Google Play, Ludwig said Google’s Verify Apps and Safety Net can help users by providing alerts about potentially unsafe apps.
Looking at the numbers, Ludwig said approximately 0.5 percent of Android devices have some form of potentially harmful application (PHA) on them.
“It’s a complex interaction, and we have no expectation that the number will ever be zero,” Ludwig said. “There will always be some bad app, and when we find it we will take it down. Our goal is to make that as low as possible.”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.