MOUNTAIN VIEW, Calif.—Google’s Android mobile operating system has long been criticized for fragmentation, as millions of older devices no longer receiving regular security and feature updates continue to connect to the Internet. Privacy-focused changes (and one big security improvement) in the upcoming Android Q will undoubtedly add to the criticism, as they take years to trickle out to the majority of Android devices.

Android Q, potentially the most important security and privacy update in years, divorces some of the responsibility of approving security and privacy updates from Google’s carrier and manufacturer partners.

Until now, all Android updates, from monthly security patches to major version updates, have been subject to partner discretion. But thanks to an internal Google engineering initiative called Project Mainline, Google will be able to deliver updates to 13 modules in Android Q without manufacturer or carrier approval.



READ MORE ON ANDROID SECURITY AND PRIVACY

Fragmentation likely to hinder Android P’s security chops
Google Play is an ‘order of magnitude’ better at blocking malware
Opinion: To stay safer on Android, stick with Google Play
Primer: Why are Androids less secure than iPhones?
How to FBI-proof your Android
Hidden inside Dark Caracal’s espionage apps: Old tech
How to wipe your phone (or tablet) for resale


These modules, or components, affect security, privacy, and what Google calls “consistency,” or ensuring that devices handle certain data—such as time zone updates—the same way. The new system will enable updates to install on the device without needing to reboot it.

These changes could greatly improve Android user security, when you consider that security updates to Android’s “media frameworks,” which control the playback of audio and video, accounted for 40 percent of Android security patches, says Google’s Anwar Ghuloum, senior engineering director for Android Core OS.

“We’re working closely with partners to ensure that whatever we ship is aligned with what they’ve shipped to the store,” he explained to The Parallax at Google’s annual I/O developer’s conference here. “We don’t want to regress the experience on their devices.”

Even though the Project Mainline features will be available only on devices running Android Q, and the carriers and device manufacturers can choose to opt out of Google-pushed updates to five of the 13 modules, Ghuloum insists that the long-term benefits will outweigh short-term growing pains.

He points to efforts that the Android Go team, which reports to him, has had in breaking what he calls the “logjam” of Gingerbread and KitKat, older versions of Android, to get new Android devices that are lower-end but have modern security features such as data encryption to replace older models in some countries.

“Go is breaking that logjam,” he says. “I’m pretty optimistic about that.”

The more frequent but smaller Google-pushed module updates may become mandatory—or revert to the standard Android monthly security update process, subject to review by manufacturers and carriers. “We’re re-evaluating whether we should have optional [updates] at all,” Ghuloum says.

Ghuloum and the Android development teams are still figuring out the right balance between getting updates to devices faster, introducing the new software architecture that Project Mainline depends on, keeping billions of Android devices working properly, and assuaging manufacturer and developer concerns. But the devil continues to reside in Android’s numbers.

While Android Senior Director Stephanie Cuthbertson crowed about the 2.5 billion devices that now run Android, only 10.4 percent run the latest and most secure version, Android 9 Pie, after six months of commercial availability. More than 43 percent of Androids in use globally are stuck on 2015’s Android 6 or earlier; they cannot be updated. While Google says 84 percent more Android devices received a security update in the last quarter of 2018, as compared to the prior year, the more than 1 billion devices running Android 6 or earlier will never see an update of any kind.

“Android scored the highest-possible rating in 26 of 30 categories” in Gartner’s 2019 Mobile OSs and Device Security: A Comparison of Platforms report, which evaluated Android 9 Pie, Cuthbertson said during the conference’s Tuesday keynote. But older versions of Android, especially the ones that users are stuck on with little hope of upgrades, have not fared as well in previous years.

Similarly to how marketers had to adjust to user preferences for receiving messages, app developers must now adjust to meeting consumers’ expectations regarding the collection and use of personal information.”—Debra J. Farber, senior director of privacy strategy, BigID

The fragmentation will continue to afflict Android Q’s other improvements, many of which stand to make devices more secure and more privacy-friendly for consumers, creating different classes of consumer protection.

Phones running Android 7 Nougat or newer versions can now be configured as a physical two-factor authentication key, replacing the need to carry a second key (such as a YubiKey) and a phone. A new Privacy section in Android’s Settings menu will also let consumers access privacy options across all apps for activity data, advertising, and location tracking—similar to Apple’s iOS settings.

In practical terms, this means that devices will warn consumers when an app running in the background tries to access location information. Android Q adds an “in-app only” option to how apps can share location, expanded from the binary “Always” or “Never.”

Android Q also introduces restrictions to how apps can launch and run in the background, when the user isn’t actively using them; how apps can access and use hardware identifying numbers, such as the IMEI number and the device’s serial number; how apps can scan and use wireless signals, including Wi-Fi and Bluetooth; and how much camera data they can use, including where and when a photograph was taken.

As Google figures out how to get the new features into the hands of consumers in a timely manner, privacy advocates cautiously applaud the company’s efforts. Debra J. Farber, the senior director of privacy strategy at enterprise data privacy company BigID, says Android Q’s direction will force app developers “to be more mindful” of user privacy and data protection.

“Similarly to how marketers had to adjust to user preferences for receiving messages, app developers must now adjust to meeting consumers’ expectations regarding the collection and use of personal information,” she said in an email.

Farber warns, however, that without privacy-focused defaults, consumers must spend more time managing their data, and that forced choice may spark scrutiny from European regulators.

“[M]ost of the settings are not most-privacy-preserving by default,” she wrote. “As a result, this does put more strain on users to claw back info that they may not want to share with Google.”