Google wants you to know that Android device security is getting better, and we agree. But we disagree that it's getting better because Android is (partly) open-source, or that it might rival Apple's iOS in security.
"Android has achieved a strength of protection that now leads the industry," the Android Security 2017 Year in Review report, released today (March 15), states in its opening paragraphs. "With more than 2 billion active Android devices, it's essential that Google provides the best protections for users at scale."
The report touts a lower malware infection rate and higher prices for Android exploits as evidence that Android security is better. It credits swifter implementation of device updates, more secure versions of Android and the deployment of the free Google Play Protect antivirus tool as reasons for the improvement.
But the report doesn't mention some inconvenient facts. Malicious apps still turn up often in the Google Play store. Most device makers update only recent flagship models. Hundreds of millions of Android devices frequent use other app stores, creating a huge repository and testing ground for Android malware. Only about one percent of all devices run Android 8 Oreo, released seven months ago.
Compare this to the situation with iOS. There have been about four or five malicious apps in the wild for non-jailbroken iPhones -- ever. Device updates roll out to all compatible devices immediately, with uptake rates of more than 90 percent. A steady decrease in the number of jailbroken devices that can access unauthorized app stores. A virtual guarantee that any iPhone less than five years old can install and run the latest version of iOS.
All of this makes this claim from the Android report, seemingly directed at Apple, ring hollow: "As a global, open-source project, Android has a community of defenders collaboratively locating the deeper vulnerabilities and developing mitigations. This community may be orders of magnitude larger and more effective than a closed-source project of similar scale."
There is one thing that could make Android security much better, and it already exists -- but in less than one percent of Android devices. Called Project Treble, it grants Google the power to push out security updates to devices without the device maker's permission or cooperation.
Project Treble removes the biggest roadblock to better Android security that's ever existed, and puts at least one foot on the same playing field with iOS. (The other foot would be Apple-style control of the Google Play store, which Google seems philosophically opposed to implementing.)
But sadly, your phone may never get Project Treble, even if it's already been updated to Oreo. Only phones that hit the market with Oreo already installed can be guaranteed to be compatible with Project Treble.
That's because Project Treble involves fundamental changes to how the open-source, Google-proprietary, device-maker-proprietary and carrier-proprietary parts of Android work with one another. (Some phones that have updated to Oreo from Nougat, including Google's Pixel 1, do nevertheless support Project Treble. Our friends at Android Police have a handy list of them.)
The good news is that the next generation of flagship phones is launching with Oreo. The Samsung Galaxy S9 and S9 Plus, which hit the market tomorrow (March 16), are two of them, and so is the Huawei Honor View 10 that's due next week. Other include the Huawei Mate 10 Pro, the Sony Xperia XZ1, and of course the Google Pixel 2 and Pixel 2 XL.
So if your phone does support Project Treble, you're getting the best security that Android has to offer. It's a security posture that's a hell of a lot better than Android has even a couple of years ago. But it's still no match for iOS security.