“There’s no doubt a Google Pixel and an iPhone are pretty much equal when it comes to security,” according to Android’s security lead. “For almost all threat models, they are nearly identical in terms of their platform-level capabilities.”
Unfortunately for Google, that claim is now eight-years old and is no more true now than it was then. But that could all be about to change.
Back in 2016, Android’s then Director of Security suggested in his interview with Vice that “the open ecosystem of Android is going to put it in a much better place.” How times have changed. That open ecosystem remains Android’s primary vulnerability, but at least Google is finally getting closer to slamming the stable door.
While Play Store malware remains a risk—much more so than Apple’s App Store, sideloading carries the greater threat. Samsung is taking the lead in cracking down on third-party app store and direct installs, and it’s easy to see why. Google’s ongoing security campaign in Singapore “has blocked nearly 900,000 high-risk [sideloaded] app installation attempts on over 200,000 devices” in less than six months.
Google’s focus thus far has been to extend its Play Protect ecosystem to better defend devices against sideloaded apps as well as those from its own Play Store. The delayed introduction of Android 15’s live threat detection, powered by AI, will be the latest advance in this approach. But it’s the huge changes to Play Store itself that carry more significance and could finally bring Android’s security closer to iPhone.
Back in July, Google announced swingeing changes to Play Store, with a cull of low quality, poorly developed apps. This level of control is much more Apple-esque than Google’s approach thus far, but more critically it should wipe out most of the shell-like apps that either hide malware or link to malware once installed on user devices.
“We’re updating the Spam and Minimum Functionality policy,” the company warned app developers, “to ensure apps meet uplifted standards for the Play catalog and engage users through quality functionality and content user experiences.”
Those changes begin August 31, just five days from now.
But there’s an ironic catch—and it’s a big one. No sooner has Google come around to this new way of thinking than regulators could bring it all crashing down.
A U.S. federal judge has just warned of “major changes… to punish the company” following last year’s jury declaration that Play Store is “an illegal monopoly that has hurt millions of consumers and app developers.” Meanwhile, the U.K. regulator has “closed its existing investigations into Apple and Google’s respective app stores.” But this is a temporary reprieve, with “new laws governing digital markets” on the way.
Google’s new approach to Play Store security is smart and long-overdue. Its relentless promotion of Play Protect as a defense against rogue apps and now this app purge should condition users to see Play Store as the safe bet. Samsung’s default blocking of sideloading goes further. Apple’s unequivocal warnings that its forced opening up to third-party app stores in Europe is a security risk for users does the same.
All of which raises a critical question for regulators, tech giants and users: which is more important, security or a seemingly more open market to access our phones. The very real fear is that you can’t have both, in which case the tech ecosystems need to give users a reason to make the right choices despite the widening risks.
And on that note, we await the coming months and the extent to which there is any real bite behind Google’s threat to finally clean up Play Store. How serious is Google about deleting all those threats—we’re about to find out.