banner
News center
First-rate components, precise quality management.

Android's security has improved by leaps and bounds over the last 10 years: Here's how

Dec 14, 2023

Android was one described as a "toxic hellstew" of vulnerabilities, but that's no longer the case.

Nowadays, Android is one of the most used and secure operating systems on the planet, but it wasn't always like that. In fact, back in 2014, ZDNet famously called Android a "toxic hellstew" of vulnerabilities, which was then quoted by Tim Cook at that year's iPhone launch. Cook made a point to say that Android was so fragmented and updates were so slow to arrive that there was no way those poor people who "bought an Android phone, by mistake" could enjoy anywhere near the security of their iPhone-owning betters.

However, that's not the full story, and it certainly isn't accurate nowadays.

Thinking back to the very first iPhone, it connected over 2G, had somewhere in the ballpark of 14 apps, and took photos with a huge amount of noise and grain. However, the benefit to Apple was that the company made the hardware and the software, including all 14 of those apps, which, back before the App Store, was all you could use. Apple governed the entire experience, which also meant that they could push out updates anytime they wanted.

In contrast, the earliest days of Android were a little different, with a lot more cooks in the proverbial kitchen. First, Google would release a new version of Android, which was then adapted by chipmakers to work on whichever CPU your phone used. Then the manufacturer got to have their way with Android, add new features or apps, and usually change a bunch of things about how it looked — often for the worse. Then it needed to go to your carrier if it was a network-branded phone, and they'd make sure it worked on their network while also shoveling in more bloatware just for the hell of it.

Then, if you were lucky, maybe six months after a new Android version launched, you, as a regular person, would actually get it on your phone — along with a few extras that you may or may not have wanted. For 99% of the Android ecosystem, this was how updates worked, and it was a big pain point. Kinda like ordering a fancy hamburger at a restaurant and then having to wait around while the franchise owner and the server added a bunch of weird, gross toppings you didn't ask for.

The only people who weren't having their Android smartphones take forever to get updates that often packed additional software too were Google Nexus owners. These phones ran vanilla Android and got updates straight from Google with nothing added on top of it. The problem was that they represented just a tiny sliver of a slice of the ever-expanding Android pie.

This entire situation was pretty bad for a bunch of reasons, and one big one was security. Obviously, it's not great if Google or Qualcomm needs to fix a security bug further up the food chain, and then you've got to wait additional months for it to actually get out to most devices.

That was made worse by the nature of Android at the time and the attitude of phone makers towards updates. Software updates for existing phones were often viewed as a chore — almost like you'd screwed up if you had to make one because, well, whatever you're fixing or adding should've just been in the original ROM. As a result, the update track record of pretty much everyone in the Android world back then was basically dumpster-tier by today's standards. Flagships would get one major OS update months later if they were lucky. Even worse is that security patches just weren't a thing yet.

As if it couldn't get any worse, pretty much all the important core Android apps were still baked into the firmware at this point. Web browser updates, for example, would need to be packaged into an OTA and wait to be certified by the manufacturer and carrier. So if a vulnerability cropped up in the browser engine code from, say, Google, there was no way to get fixes pushed out widely or quickly. That meant different people would be stuck on different versions with different customizations and differing levels of vulnerability to malware and other nasties. Hence: Android fragmentation.

It's worth saying that iOS was *by no means* free from security issues, especially during the first couple of generations of the iPhone. The lack of an official app store was a big incentive for script kiddies and white-hat hackers to crack the iPhone open and make it do new and exciting things. At least one major way to jailbreak iPhones back then involved exploiting a bug in the browser. Basically, a web page could break the original iPhone's security.

The difference was that Apple could plug those security holes much more quickly when they appeared and do so across a much larger chunk of the user base. Not so on the Android side.

All of that was the "toxic hellstew" Google was allegedly serving up in the days of Android versions 4 and 5. Looking back with the benefit of hindsight, it's easy to say Google should've done more to retain control over Android.... or put systems in place from the get-go to help the updates flow more freely and frequently.

It's worth remembering, though, that back when Android was first in development in 2007, the world was a different place. The smartphones that did exist were mainly primitive email-mashing contraptions for business people. Mobile payments were nowhere near a reality. Uber wouldn't be founded for another two years. The humble retweet didn't even exist.

Point is, back then, it wasn't clear how, over the following decade, so many essential everyday tasks would be tied to your phone, nor how it would become such a treasure trove of precious, hackable personal data. To Google's credit, an awful lot has changed over the past few years to substantially make Android more secure and get security fixes out more quickly to more people. There are a number of reasons for this.

For example, Google Play Services is something you might've seen updating on your phone that maybe you haven't paid much attention to. However, it's actually a hugely important part of how Google keeps Android secure and helps bring new features from Android 13 to your Grandma's old Galaxy S7 that hasn't gotten new firmware in years.

In the case of Play Services, it's a system app, so it has top-level A+ Platinum-tier privileged access to everything on your phone. It can do way more than a regular app you'd download from the Play Store, like install or delete other apps or even remotely wipe your device if it's lost or stolen.

System apps like Play Services need to be loaded onto your phone by the manufacturer, but once they’re there, they can be updated automatically in the background. That means new versions can securely add new features and functionality. And Play Services has tentacles all over the OS, which is why, for example, Android 13's secure photo picker feature could be rolled out to phones running much older versions of the OS without any new firmware needing to be installed.

Play Services also includes Google Play Protect, Android's OS-level antimalware capability that can stop malicious apps before they're installed or remove them if they're already there. The other important thing about Play Services is it supports absolutely ancient versions of Android. Google typically only drops support for Play Services on Android versions that are around ten years old. Right now, it's summer 2023, and the current version of Play Services is supported all the way back to 2013's Android 4.4 KitKat. That seemingly random bit of nerdy trivia is important because it helps you to stay reasonably secure even on much older versions of Android. That in itself is a big part of the Android security strategy.

Interestingly, Play Services played an interesting part in the COVID-19 response of many countries across the world. An update distributed via Play Services was how Google was able to roll out the Exposure Notification System it had developed with Apple to essentially the entire Android user base in one fell swoop. Without Play Services, that kind of endeavor would've taken months and not reached nearly as many people.

In fact, it's pretty crazy to think that Google's efforts to fix Android fragmentation nearly a decade earlier likely indirectly ended up saving quite a few lives during the pandemic.

Malware apps are one thing, but there are other ways that bad actors can try and take control of your phone or steal your data. Browser exploits were a pretty major part of that, and now both the Chrome browser and WebView code for web content within other apps are updated through the Play Store. In fact, this applies to a whole bunch of different parts of Android that once required a firmware update. Others include the Google Phone dialer, Android Messages, and countless behind-the-scenes apps.

So, say a nasty browser exploit is discovered today in 2023 where a malicious web page could crash your phone or steal your passwords or make the Starbucks app mess up your order. It wouldn't matter which version of Android you're on, Google could push out updates via the Play Store covering both Chrome itself and any other app that displays web content. Back in the days of the so-called toxic hellstew, deploying the same fix would need a full firmware update to go out to every Android phone: a lot more work for a lot more people, and it would've taken months or even years instead of days.

Another kind of exploit was big news in the Android security world in 2015. The "Stagefright" bug affected the part of Android that handled the rendering of images and video: a photo that had been tampered with in the right way could do bad things to your phone. This was a big problem because back then, that Stagefright component couldn't be updated without a full firmware update. Again: loads of extra work, certification, and waiting around while potentially, the digital equivalent of a haunted painting could crack your phone wide open at any time.

The fallout from that spooky Stagefright security scare was twofold: First, Google started releasing monthly security patches for Android, tying your level of security to a specific date. Not only that, but it made Google take making Android modular a lot more seriously, so chunks of the OS like Stagefright could be updated via the Play Store without needing a full firmware update.

New Android Security Patches still go out every month to this day. And they cover older versions of the OS, too, not just the latest, so even if a phone is still on Android 11 or 12, it can still be protected. Generally, Google Pixel and Samsung flagships get security patches first, with others like Motorola jogging sweatily behind the rest of the ecosystem, releasing the contractual bare minimum of one patch per quarter.

That's the other side of this equation: Google now legally requires phone makers to commit to a minimum level of support if they want Android with Google services on their devices. Back in 2018, The Verge reported that Google mandates two years of security patches, going out at least once every 90 days

These days, popular brands like Samsung and OnePlus promise four years of OS updates and five years of security patches, possibly with some encouragement from Google behind the scenes.

Despite updates coming out a lot more frequently nowadays, they still require a lot of engineering legwork, especially when it's a big update, like a whole new OS version. Android doesn't look like Samsung's One UI or Oppo's ColorOS when it leaves Google's Mountain View chocolate factory, right? And in the early days, you, as Samsung or Oppo, would need to incorporate that whole new version of Android into your customized fork of the previous version. It's kinda like trying to swap out some of the ingredients once a meal is already cooked — you end up having to almost start over from scratch.

Google's solution? Basically, a TV dinner plate: you serve that meal in two different sections. You separate out the manufacturer's customizations -- all the One UI or ColorOS stuff -- from the core OS. And that means you can more easily update one without messing with the other. This whole endeavor is called Project Treble, and while you can't see it on your phone, you might’ve noticed how the Android device you own today gets updates a fair bit quicker than one you used seven or eight years ago.

On top of that, Google started sharing future versions of Android with OEMs at a much earlier stage. So by the time the first developer previews of Android 14 were public, the likes of Samsung had probably been peeking at it behind the scenes for a couple of months or so. As for security patches, they’re shared privately a month early to give manufacturers a head start.

So while all that's well and good, people often keep phones for longer than just a couple of years. Pushing out new firmware is still a non-trivial amount of work, and those engineers don't work for free. Project Mainline in 2019 made Android itself more modular, with software modules for things like WiFi, Bluetooth, media handling, and much more. These modules can then be directly updated by Google or the manufacturer separately, without the rigmarole of going through the whole firmware update process.

If you've ever seen a Google Play System Update on your phone, that's what that is. Think of it like this: If a light bulb blows in your home, you can now just change the bulb... whereas before, you'd go outside, burn your house to the ground, and build a new one over the top of it.

Android security scares still happen, even in 2023. But the difference today, versus the toxic hellstew times, is that there are plenty of tools to neutralize them. Take 2015's Stagefright vulnerability, for instance. The part of Android affected by that bug is a Project Mainline module today, and it easily updated all the way back to Android 10 without a full firmware update.

As another example, in 2014, the "Fake ID" bug could allow a malicious app to impersonate one with special permissions, potentially exposing your data to an attacker. If something like that happened today, Play Protect would stop it in its tracks, and the underlying bug could be quickly squished in a Mainline update to the Android runtime module. On top of that, Google has also done a lot under the hood around encryption and memory management to make it harder to do anything useful with future Android vulnerabilities if and when they crop up.

No software is ever completely secure. 0-day exploits — that is: secret, unpatched vulnerabilities — exist for all operating systems and are used by nation-states and sold for vast sums on the black market. There are many recent examples of high-profile individuals being targeted by scarily sophisticated malware based on 0-days: people like Jeff Bezos, Emmanuel Macron, and Liz Truss. In 2022, the former UK prime minister reportedly had to keep changing phone numbers after being hacked, supposedly by Russian agents. Eventually, her device was deemed to be so completely compromised that it was locked away in, basically, the smartphone equivalent of the Chernobyl sarcophagus.

If you're wondering why she was changing her phone number, it's possible her phone was targeted by something like Pegasus, the Israeli-made spyware that reportedly can take over Android or iOS devices just by having their phone number. Russia reportedly doesn't use foreign-made spyware, but it's likely they have their own homegrown equivalent based on similar 0-day exploits.

All of this shows that 100% security is an illusion — it's unattainable, whichever device or OS you're using. Nevertheless, Android is way past being a "toxic hellstew of vulnerabilities" in the same way you could’ve argued it was a decade ago. It's much better placed to tackle the garden variety threats that might be encountered by those of us who aren't heads of government or the CEO of a trillion-dollar company.

What's more, the average person is far more likely to fall victim to social engineering or some other scam as opposed to getting stung by phone-based malware. This kind of fraud is on the rise in many countries, and in the UK, it increased by 25% between 2020 and 2022, with most cases involving computer misuse. As smartphone security has improved, you could say that many bad guys are realizing it's actually easier to exploit the squishy, meaty component attached to the screen: you.

I’m Adam Conway, an Irish technology fanatic with a BSc in Computer Science and I'm XDA's Lead Technical Editor. My Bachelor's thesis was conducted on the viability of benchmarking the non-functional elements of Android apps and smartphones such as performance, and I’ve been working in the tech industry in some way or another since 2017.In my spare time, you’ll probably find me playing Counter-Strike or VALORANT, and you can reach out to me at [email protected], on Twitter as @AdamConwayIE, on Instagram as adamc.99, or u/AdamConwayIE on Reddit.

Alex has been covering mobile technology for more than a decade. He currently leads XDA's video content, which involves pointing cameras at shiny gadgets and talking into a microphone.

XDA VIDEO OF THE DAY SCROLL TO CONTINUE WITH CONTENT