By now, you’ve probably heard all about the changes introduced with Google’s Android 4.3 release. But those fresh features and bits of polish are only part of the story. One of Google’s biggest changes to the Android platform is actually happening outside of the operating system — and it’s affecting almost every Android device in the world.
It’s the widespread launch of a universal app-scanning system — a system that watches your device for any new application, even one loaded directly onto the device (“sideloaded”) from outside of the Google Play Store, and instantly checks the app for malicious or potentially harmful code.
That’s huge. And while we’ve been busy focusing on new devices and fun features, Google’s been busy making sure every Android user has that system on his phone — whether he realizes it or not.
Google initially launched the feature, known as Verify Apps, with Android 4.2 last November (Android VP of Engineering Hiroshi Lockheimer discussed it with me exclusively at the time). Now, Google has pulled the program out of the OS and made it automatically available to every device running Android 2.3 or higher. That covers almost every phone and tablet out there — about 95 percent of the actively running products, according to Google’s latest platform measurements.
How did that happen? Simple: Google made the code a part of Google Play Services, a standalone utility that’s updated regularly behind the scenes by Google — independent of any manufacturer or carrier rollouts. It’s part of the ongoing deconstruction of Android that we’ve been talking about for a while now.
The new system works alongside an automated scanning system that’s been in place since early 2012 for all apps on the Google Play Store. With the new device-level scanning added into the picture, that means every app you put on your phone — whether from the Play Store or from an unofficial third-party source — is now scanned, analyzed, and compared to a massive database of malicious code, all in a fraction of a second.
On the Play Store side, if something is flagged as problematic, it won’t be published. On your device, if a red flag comes up — even just for something as seemingly innocuous as an app that might send SMS messages on your behalf without your knowledge — the system will warn you and recommend you avoid proceeding with the installation.
“We wanted to make sure those protections were available even for users who were choosing to install applications from a source other than Google Play,” Android Security Engineer Adrian Ludwig tells me. “It’s always been a focus for Android to make sure that we’re supporting an open ecosystem and that it’s possible for users to get applications that developers, for any number of reasons, aren’t distributing through [the official Play Store channel].”
Just like in its original 4.2-based incarnation, the newly widespread Verify Apps feature is on by default but can be bypassed or disabled if you want. The system prompts you the first time you install something from outside of the Play Store and confirms that you want its protection; even if you opt in then, you can always disregard its advice and proceed with a flagged app installation down the road, if you’re so inclined.
So in the big picture, what’s this all mean? Simple: All those big, bad, scary Android malware stories we’re constantly seeing are even more blown out of proportion than ever. They’ve always been sensational; all it takes is a little basic caution and common sense to avoid having your device devoured by an evil mobile genie. In the real world, the killer viruses that are so good for headlines actually affect next to no one. But now, even if you aren’t careful — even if you do carelessly download shady-looking stuff from out in the wild — your phone will automatically protect you.
And there’s the rub: That means the pay-to-play programs pushed by antivirus vendors — the same companies that, coincidentally, are almost always behind the press campaigns surrounding the big, bad Android malware of the moment — are now completely redundant with the protection provided by the operating system itself. Not that that’ll stop the vendors from trying to scare you into using their products.
Beyond the Verify Apps expansion, Android 4.3 itself includes a number of OS-level security enhancements. Perhaps most significant is the addition of a security feature called SELinux — or Security-Enhanced Linux — which protects certain core aspects of the system’s functionality.
There’s also an apparently still-under-development feature known as App Ops that allows users to selectively disable permissions for installed applications. (Android, unlike other mobile operating systems, requires all apps to request specific permissions in order to gain access to any function of the device or area of user data — and those permissions are always disclosed to the user prior to installation.) The function was discovered by the gang at Android Police and has yet to make its public debut.
All combined, there’s less reason than ever to panic the next time the inevitable “OMG THE ANDROID MALWARE MONSTER IS COMING!!!” story comes along. And it will: If history’s any indication, we’ll probably see another such story and accompanying set of fear-inducing headlines within a matter of weeks.
But a little bit of knowledge goes a long way. Here in the real world, the monsters aren’t nearly as scary as the storytellers make them out to be.