In order to secure its mobile operating system Android, Google uses a multi-pronged approach that includes monthly security updates to patch vulnerabilities reported through its Vulnerability Rewards Program (VRP) as well as hardening measures to protect against undiscovered vulnerabilities.
All vulnerabilities submitted through the VRP are analyzed by the company's security engineers to determine the root cause of each bug and its overall severity, rated against Android's published severity guidelines. Google also draws on internal and external bug reports to identify vulnerable components and to reveal the coding practices that commonly lead to errors.
Relying solely on vulnerability reports has a blind spot, though: security researchers tend to flock to areas where others have already found vulnerabilities, or to components that readily-available tools make easy to fuzz. For this reason, internal Red Teams at Google analyze less scrutinized or more complex parts of Android, so that mitigation efforts are not biased only towards areas where bugs have already been reported.
Additionally, continuous automated fuzzers run at scale on both Android virtual machines and physical devices so that bugs can be found and fixed early in the development lifecycle. Vulnerabilities discovered this way are also analyzed for root cause and severity to inform decisions about which mitigations to deploy.
Of the critical and high severity vulnerabilities fixed in Android Security Bulletins in 2019, memory safety bugs accounted for 59 percent, followed by permission bypass flaws at 21 percent. To cut down on memory bugs going forward, Google is encouraging developers to move to memory-safe languages such as Java, Kotlin and Rust.
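To make the "memory safety bug" category concrete, here is an added example, not code from the article or from Android: a constructed length-prefixed message (one declared-length byte followed by a payload) handled first in the memory-unsafe style that dominates the 2019 bulletin numbers, then in a hardened form. The format, buffer size and function names are assumptions for illustration only. In Java, Kotlin or Rust the unsafe variant cannot be written as shown, because every array access is bounds-checked and an oversized copy raises an exception or panics instead of corrupting neighbouring memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed message format for this example (not an Android format):
 *   byte 0     : declared payload length N
 *   bytes 1..N : payload
 * The receiver copies the payload into a fixed 16-byte buffer.
 */
#define PAYLOAD_CAP 16

/* Memory-unsafe pattern: trusts the length field that the sender controls.
 * If the declared length exceeds PAYLOAD_CAP, memcpy writes past dst and
 * silently corrupts whatever sits next to it (undefined behaviour in C). */
size_t copy_payload_unsafe(uint8_t dst[PAYLOAD_CAP], const uint8_t *msg, size_t msg_len)
{
    (void)msg_len;              /* the real received size is never consulted */
    size_t n = msg[0];
    memcpy(dst, msg + 1, n);    /* over-read of msg and over-write of dst when n is large */
    return n;
}

/* Hardened version: the declared length is checked against both the bytes
 * actually received and the destination capacity; anything else fails closed. */
int copy_payload_safe(uint8_t dst[PAYLOAD_CAP], const uint8_t *msg, size_t msg_len, size_t *out_n)
{
    if (msg == NULL || msg_len < 1)
        return -1;
    size_t n = msg[0];
    if (n > PAYLOAD_CAP)        /* would overflow dst */
        return -1;
    if (n > msg_len - 1)        /* claims more payload than was actually sent */
        return -1;
    memcpy(dst, msg + 1, n);
    *out_n = n;
    return 0;
}

/* Constructed inputs. */
static const uint8_t benign_msg[]    = { 4, 'a', 'b', 'c', 'd' };
static const uint8_t hostile_msg[]   = { 200, 'x', 'y', 'z', 'w', 'v' }; /* declares 200, carries 5 */
static const uint8_t truncated_msg[] = { 10, 'a', 'b' };                 /* declares 10, carries 2 */

/* The unsafe handler works on well-formed input, which is why the bug survives review. */
bool demo_unsafe_on_benign(void)
{
    uint8_t buf[PAYLOAD_CAP] = {0};
    size_t n = copy_payload_unsafe(buf, benign_msg, sizeof benign_msg);
    return n == 4 && memcmp(buf, "abcd", 4) == 0;
    /* copy_payload_unsafe(buf, hostile_msg, ...) is the overflow; deliberately never executed here */
}

bool demo_safe_on_benign(void)
{
    uint8_t buf[PAYLOAD_CAP] = {0};
    size_t n = 0;
    return copy_payload_safe(buf, benign_msg, sizeof benign_msg, &n) == 0
        && n == 4 && memcmp(buf, "abcd", 4) == 0;
}

bool demo_safe_rejects_hostile(void)
{
    uint8_t buf[PAYLOAD_CAP] = {0};
    size_t n = 0;
    return copy_payload_safe(buf, hostile_msg, sizeof hostile_msg, &n) == -1 && n == 0;
}

bool demo_safe_rejects_truncated(void)
{
    uint8_t buf[PAYLOAD_CAP] = {0};
    size_t n = 0;
    return copy_payload_safe(buf, truncated_msg, sizeof truncated_msg, &n) == -1 && n == 0;
}

int main(void)
{
    printf("unsafe handler on benign input : %s\n", demo_unsafe_on_benign() ? "ok" : "FAIL");
    printf("safe handler on benign input   : %s\n", demo_safe_on_benign() ? "ok" : "FAIL");
    printf("safe handler rejects hostile   : %s\n", demo_safe_rejects_hostile() ? "ok" : "FAIL");
    printf("safe handler rejects truncated : %s\n", demo_safe_rejects_truncated() ? "ok" : "FAIL");
    return 0;
}
```

The two length checks are separate on purpose: the first guards the destination (a write overflow), the second guards the source (an over-read that can leak adjacent memory). A fuzzer of the kind described above finds the unsafe variant within seconds because any first byte above 16 crashes or corrupts the process, and a memory-safe language removes the bug class rather than relying on every caller to remember both checks.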
The Android Security and Privacy Team provided further insight on how it's working to migrate to memory-safe languages in a blog post, saying:
“C and C++ do not provide memory safety the way that languages like Java, Kotlin, and Rust do. Given that the majority of security vulnerabilities reported to Android are memory safety issues, a two-pronged approach is applied: improving the safety of C/C++ while also encouraging the use of memory safe languages.”
With each new Android release, the Android Security and Privacy Team uses the data available to it to balance security improvements that benefit the entire ecosystem with performance and stability.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.