Spotlight on Security: why the claims of Google Play Protect are misleading
In October, Google announced two contract changes for European Android device vendors. One concerned a minimum security-patch requirement, and the other involved charging a fee for Google services (e.g. the Google Play Store). Both changes indicate that many Android smartphones suffer from significant security weaknesses. Let us explain (and prove) why Google’s claims about the effectiveness of its Play Protect service are misleading, to say the least.
Google is one of the best marketing machines in the world, so no wonder the Play Protect website promises that “Google Play Protect continuously works to make sure you have the latest in mobile security, so you can rest easy.” However, even the best marketing machine can’t dismiss warnings from its own legal department. Even if Google’s claims about Play Protect are true, another very important security measure, namely OS security updates, is not covered by Play Protect at all and goes unmentioned in the promotional video. A disclaimer is instead hidden in the answer to the FAQ “Is my security up to date?” on Google’s website, which reads: “Nexus and some of the newer Android devices receive monthly security updates.” Hold on, only ‘some of the newer Android devices’? What happened to ‘makes sure you have the latest’?
The reason is simple. Only a few smartphones run a “vanilla” (stock) Android OS. Every vendor tries to lock in its customers by providing a unique user experience, branding Android with its own user interface and additional services. Because they have created a custom version of Android, smartphone vendors must spend money to integrate Google’s monthly security patches into their modified version of the OS, test them and ship them. Once a vendor’s revenue from a particular model or OS version drops, the vendor is less inclined to keep paying for that integration, and the patches for that model stop or arrive late.
Google has tried to get a grip on this security weakness by making Android device makers guarantee that security updates will be applied at least four times a year in the first year, and an unspecified number of times in the second year. Compared with the update cadence of other operating systems, this policy is questionable at best, and the problem becomes worse when looking at the average lifetime of an Android version.
According to Statista, the average lifespan of an Android OS version is over seven years. This implies that even with the ‘new and improved’ two-year security update period, Android devices may remain exposed to unpatched security vulnerabilities for at least five years!
In many countries, telecom operators offer two-year mobile phone contracts with discounts. So, Google’s ‘new and improved’ security update requirement might work for people who can afford a new phone every one or two years, but for two thirds of the planet’s Android users, such deals are too costly.
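The practical check this section implies is to read the device’s own patch level rather than trust the marketing. The script below is an added example, not part of the original article: it reads the ro.build.version.security_patch system property (set on Android 6.0 and later, and shown in Settings as the ‘Android security patch level’) over adb when a device is attached, and otherwise evaluates a constructed sample value so it also runs offline. The MONTHLY_DAYS/QUARTERLY_DAYS/SUPPORT_DAYS thresholds and the category names are this example’s own, not Google’s.

```python
"""Check how stale an Android device's security patch level is.

Added example for this article. It reads the ro.build.version.security_patch
system property (Android 6.0 and later) over adb when a device is attached and
otherwise evaluates a constructed sample value, so it also runs offline. The
thresholds and category names are this example's own, not Google's.
"""
import datetime as dt
import shutil
import subprocess

MONTHLY_DAYS = 31    # Google's own security bulletin cadence
QUARTERLY_DAYS = 92  # the four-updates-in-year-one minimum described above
SUPPORT_DAYS = 730   # the two-year update window


def parse_patch_level(raw):
    """Parse a getprop value such as '2018-10-05' into a date.

    Returns None for an empty or malformed value. Devices older than Android
    6.0 print an empty line, which must read as 'unknown', not 'up to date'.
    """
    raw = raw.strip()
    try:
        return dt.datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None


def patch_age_days(patch_level, today):
    """Days since the patch level date (negative means a date in the future)."""
    return (today - patch_level).days


def classify(raw, today):
    """Map a raw property value to unknown / current / behind / stale / abandoned."""
    patch = parse_patch_level(raw)
    if patch is None:
        return "unknown"
    age = patch_age_days(patch, today)
    if age <= MONTHLY_DAYS:
        return "current"      # keeping up with the monthly bulletin
    if age <= QUARTERLY_DAYS:
        return "behind"       # missed a monthly update, still within the quarterly minimum
    if age <= SUPPORT_DAYS:
        return "stale"        # outside even the quarterly minimum
    return "abandoned"        # beyond the two-year window: no more fixes coming


def read_from_device():
    """Query an attached device with adb; None if adb or a device is unavailable."""
    if shutil.which("adb") is None:
        return None
    try:
        proc = subprocess.run(["adb", "shell", "getprop", "ro.build.version.security_patch"],
                              capture_output=True, text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    raw = read_from_device()
    if raw is None:
        raw = "2017-09-05\n"  # constructed sample: a device last patched in September 2017
        print("no device reachable via adb; evaluating a constructed sample value")
    today = dt.date.today()
    print("patch level %s: %s" % (raw.strip() or "<unset>", classify(raw, today)))
```

An empty property is deliberately reported as "unknown": on a pre-6.0 device there is no patch level to compare, which is itself the answer to “Is my security up to date?”.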
Google Play Protect’s limited malware protection
Google Play Protect was officially introduced in May 2017, but most of its features existed much earlier (see ‘the secret behind Google Play Protect’). To be fair, not all of this is a marketing gimmick. The use of machine learning in Google Play Protect is a real improvement. However, as stated in our Mobile Security Report 2018, “In our tests, Google Play Protect did not perform very well, as can be seen in the test results. Play Protect surely has the potential to become better in the future, as Google has the data and resources to improve its algorithms and systems, as Microsoft did with its Windows Defender.”
These poor protection results make clear why it is good practice to install a third-party mobile security solution on your Android device. Check out our latest report to find out which mobile security solutions were awarded AV-Comparatives’ Approved certification.
Google Play Store is not the only store where people download apps
One of the key features of Google Play Protect is that it pre-checks all the apps (.apk files) uploaded to the Google Play Store. In Western countries, the Google Play Store only has competition from three main stores: the Amazon Appstore, GetJar and the Opera Mobile Store. In Asia, and especially in China, most smartphones have neither Google Play nor the Google services framework installed, so the Google Play Store has only a marginal market share in China (less than 1 percent). Consequently, however good the protection features of the Google Play Store might be, they are irrelevant to many users.
This month Google also announced that it will start asking European Android device makers to pay a fee for using the Play Store and other Google apps. The Google Play Store and other apps (like the Chrome browser) are not part of the Android Operating System. The European Union (EU) considers tying these pre-installed apps to the OS a violation of its antitrust legislation and ordered Google to stop, to give rival app stores and browsers a fair chance to compete for consumer preference. This will probably increase the number of apps installed from other app stores. Installations from a different app store bypass the pre-publication scan that Play Protect performs on Play Store uploads; what remains is the on-device scan of installed apps, which is available only where Google Play services are present.
For people installing apps from a store other than Google’s own Play Store, or anyone who is simply cautious, we recommend AVC UnDroid, our Android app analysis tool, which is available free of charge to all users. It is a static analysis system for detecting suspected Android malware and adware and providing statistics about it. Users can upload APK files and see the results of several analysis mechanisms. We invite readers to try it out: https://undroid.av-comparatives.org
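To make concrete what static analysis of an APK starts with, here is an added example (not AVC UnDroid’s code, and no claim about how that service works): hash the archive, check for a v1 (JAR) signature, verify that each .dex header is internally consistent, and flag native code or DEX files in unusual places. The APK is constructed in memory with placeholder content so the script runs offline; the manifest entry is a placeholder, since real manifests are binary XML, which this example does not parse. The tampered variant shows how a DEX modified after build looks to the integrity check.

```python
"""Minimal static APK triage. Added example for this article, not AVC UnDroid's
code; the sample APK below is constructed in memory so it runs offline."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678  # endian_tag value of a little-endian DEX


def build_dex(payload=b""):
    """Construct a DEX file with a valid header followed by an opaque payload.

    DEX header layout: magic[8], adler32 checksum u32 (covers offset 12 to
    end), sha1 signature[20] (covers offset 32 to end), file_size, header_size,
    endian_tag, then further fields this example leaves zero.
    """
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", header, 32, DEX_HEADER_SIZE + len(payload),
                     DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    data = bytearray(header) + payload
    data[12:32] = hashlib.sha1(data[32:]).digest()
    struct.pack_into("<I", data, 8, zlib.adler32(data[12:]) & 0xFFFFFFFF)
    return bytes(data)


def check_dex(data):
    """Return integrity findings for one DEX file; an empty list means intact."""
    if len(data) < DEX_HEADER_SIZE:
        return ["truncated header"]
    findings = []
    magic = data[0:8]
    if not (magic.startswith(b"dex\n") and magic[4:7].isdigit() and magic[7] == 0):
        findings.append("bad magic %r" % bytes(magic))
    checksum, = struct.unpack_from("<I", data, 8)
    if checksum != zlib.adler32(data[12:]) & 0xFFFFFFFF:
        findings.append("adler32 checksum mismatch (file modified after build?)")
    if data[12:32] != hashlib.sha1(data[32:]).digest():
        findings.append("sha1 signature mismatch")
    file_size, header_size, endian = struct.unpack_from("<III", data, 32)
    if file_size != len(data):
        findings.append("header file_size %d != actual %d" % (file_size, len(data)))
    if header_size != DEX_HEADER_SIZE or endian != ENDIAN_CONSTANT:
        findings.append("unexpected header_size or endian_tag")
    return findings


def triage_apk(apk_bytes):
    """Summarise an APK: hash, v1 signing hint, per-DEX integrity, native code placement."""
    report = {"sha256": hashlib.sha256(apk_bytes).hexdigest(), "v1_signed": False,
              "dex_files": [], "native_libs": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if "AndroidManifest.xml" not in names:
            report["findings"].append("AndroidManifest.xml missing")
        # v1 (JAR) signatures show up as META-INF/*.RSA|DSA|EC entries. v2/v3
        # signatures live in the APK Signing Block, outside the zip entries, so
        # False here means "not v1-signed", not "unsigned".
        report["v1_signed"] = any(n.startswith("META-INF/") and
                                  n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names)
        for name in names:
            body = zf.read(name)
            if name.endswith(".dex"):
                report["dex_files"].append(name)
                if "/" in name:
                    report["findings"].append("%s: DEX outside APK root (hidden code?)" % name)
                report["findings"].extend("%s: %s" % (name, f) for f in check_dex(body))
            elif name.endswith(".so"):
                if not name.startswith("lib/"):
                    report["findings"].append("%s: native object outside lib/ (dropped payload?)" % name)
                elif body[:4] != b"\x7fELF":
                    report["findings"].append("%s: not an ELF object" % name)
                else:
                    report["native_libs"].append(name)
    return report


def build_sample_apk(tamper=False):
    """Constructed APK-like zip (not a real app). The manifest is a placeholder:
    real manifests are binary XML, which this example does not parse."""
    dex = build_dex(b"\x00" * 64)
    if tamper:  # flip a payload byte, as a repackaging tool would without re-hashing
        dex = dex[:-1] + bytes([dex[-1] ^ 0x01])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder for binary AndroidManifest.xml>")
        zf.writestr("classes.dex", dex)
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\x00" * 60)
        zf.writestr("assets/payload.so", b"\x00" * 32)  # suspicious: native object hidden in assets
        zf.writestr("META-INF/CERT.RSA", b"<placeholder PKCS#7 signature block>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()), ("tampered", build_sample_apk(tamper=True))):
        rep = triage_apk(apk)
        print(label, rep["sha256"][:16], "v1_signed=%s" % rep["v1_signed"])
        for finding in rep["findings"]:
            print("  -", finding)
```

The checksum and signature in a DEX header are integrity fields, not authentication: a repackager who bothers to recompute them passes this check, which is why a real analyser goes on to inspect the manifest, the requested permissions and the code itself, as the service above does.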