Author Archives: Dave Kleidermacher

How Google is helping to make the Internet of Things more secure

The growing adoption of Internet of Things (IoT) technology affects consumers around the world in significant ways. Not only are we becoming more deeply connected through IoT devices, we’re now putting more of our lives and trust in the hands of digital technology. Yet, the IoT industry still lacks a globally harmonized way of measuring the security quality of connected products, which means consumers may not have the visibility they need into whether their IoT devices protect their data.

Today, Google participated in a White House strategic discussion on IoT Security Labeling to discuss the future of connected device security and shared additional steps we’re taking to secure more of our IoT products.

IoT security today is in the early stages of standardization. We are encouraged by the US government’s efforts to accelerate that process, and to give people more transparency in the security of the IoT products they use every day. Achieving standardized security best practices and consumer transparency at scale could be a tide that raises all boats – giving consumers the ability to understand the level of security in IoT products and choose accordingly, while driving demand for “healthier” security choices from IoT device manufacturers.

Moving IoT security and transparency forward

Since Google began our "helpful home" IoT device journey over a decade ago, we’ve learned a lot and continue to work to deliver even more helpful and secure connected devices — and the software that supports them — to our users. Today, we are excited to announce additional steps that we’re taking to make connected IoT devices safer for consumers.

  • Google is helping lead industry efforts to create a functional, clear, and harmonized cybersecurity label for IoT devices that can help consumers make better device decisions, in an ongoing dialogue with government leaders in cybersecurity, including at NIST, CISA and the White House.
  • Google is extending its commitment to conduct security assessments to Fitbit devices. As announced last year for Nest and Pixel devices, we validate the security of our devices and publish the results. This gives consumers even more transparency by allowing them to review the results while demonstrating our commitment to developing the strongest security protections for our users across all of our IoT products.

Our unwavering commitment to security

We don’t take these commitments to security and transparency lightly. We see these steps as an opportunity to increase transparency and help improve the cybersecurity baseline for the entire ecosystem. And we’ll continue to encourage the community to leverage the security enhancements we continually make to the operating systems we maintain, the open source libraries and tools, and our first-party products which often act as reference implementations to help our broader ecosystem steadily improve their cybersecurity hygiene.

We’re also committed to partnering with organizations working to advance IoT security. Google welcomes the approach taken by the Connectivity Standards Alliance (CSA) to build a harmonized global certification program that addresses the requirements set forth in the major global IoT baselines. We believe a global and harmonized approach will raise the bar on IoT security for both enterprise and consumer devices.

As the IoT market continues to mature and adoption grows, we look forward to working with U.S. policymakers, industry partners, developers and public interest advocates to drive strong, standardized IoT security practices and transparency for everyone.

Top tips for keeping data safe and secure on Android

Keeping data safe and private is a key priority for Android—and we’ve built a number of features to keep your device secure and give you control. As part of Cybersecurity Awareness Month, here are a few of these features, and our top tips for staying safe on your phone.


Warding off sneaky phishing attacks



Phishing is when a bad actor (we’re talking criminal here, not someone with low-rated movies on Rotten Tomatoes) tricks you into giving them your private information. Phishing can come in the form of a convincing email that looks like it’s from a company or co-worker you know, spam phone calls, and even text messages. 

Typically, these bad actors want to steal credit card numbers, social security numbers, or account login information (usually for financial gain or identity theft), but there may be other pieces of data they’re looking to steal.

Thankfully, you have three important features on your Android device that protect you from phishing:

  • Caller ID & Spam Protection: This shows you when a call you’re receiving may be coming from a suspected spammer.
  • Safe Browsing: This Chrome feature lets you know if you stumble across a website we know to be bad, and will help you quickly get to safety.
  • Phone-as-a-Security-Key: While other forms of on-device two-factor authentication, such as SMS one-time codes and push notifications, can be phished by a remote attacker, Android's built-in security key gives you the strongest form of Google account protection. 

Privacy controls you can depend on


On mobile devices, apps can access a lot of pertinent information such as contacts, web histories, location, photos, and more. This makes apps more useful—for example, helping you navigate to a desired destination in Maps—but you still want to make sure that you control who sees what. 

You can choose how your data is shared with apps and services through a number of different means:

  • Permissions: Apps have to ask you for permission to access certain types of data, like your photos or contacts. To grant or revoke permission, head to Settings > Privacy, if you are using Android 10. For Android Pie and below, head to Settings > Apps & notifications > Advanced > App Permissions.  
  • Location permissions: You can tell an app that it may only access your location when you’re actually using that app, as opposed to “all the time” or “never.”
  • Incognito mode in Google Maps: When you turn on Incognito mode in Maps, your Maps activity on that device, like the places you search for, won’t be saved to your Google Account and won’t be used to personalize your Maps experience.

Keeping bad apps off your device



Bad actors also use potentially harmful applications to steal information. Google Play Protect makes sure these applications stay off your device by automatically scanning your apps to make sure everything is safe. If you do encounter one of these bad apps, Google Play Protect will quickly alert you and instruct you on how to remove the app from your device. 

You can access Google Play Protect by going to the security section of your settings. If you ever want to run a scan manually, you can prompt it to do so there. When it comes to security and privacy on Android, you’re never alone. You have both the underlying, automatic protections and the personalized control you need to keep your information safe and private. Want to learn more? Visit our Security Center today. 

Source: Android


The Android Security 2017 Year in Review has good news for enterprises

Device security is of paramount importance to enterprises. It’s why the Android Security team (and many other teams at Google) continuously work to improve protections across more than 2 billion active Android devices.

To ensure customers, partners, and Android users are up to date on our ongoing work, we recently published the fourth annual Android Security Year in Review. This document details improvements to Google’s security offerings in Android, updated platform features, and key metrics that inform our initiatives.

While the report provides a broad view of the breadth of the security work across the ecosystem, there are important highlights for our enterprise users.

Enterprise-grade security in Android

In 2017 we launched Google Play Protect, Android’s built-in device, data, and apps security scanning technology. Google Play Protect protects users from potentially harmful apps (PHAs) in real-time and uses cloud-based services for analyzing device and app data to identify possible security concerns.

Every day, Google Play Protect automatically reviews more than 50 billion apps and other potential sources of PHAs, and checks devices, warning users about potential harm. These automatic reviews enabled us to remove nearly 39 million PHAs last year.

PHA install rates
The installation of potentially harmful apps (PHAs) from outside the Google Play store saw a significant drop in 2016.

Enterprises can leverage Google Play Protect with managed Google Play, a curated Google Play Store for enterprise customers. By using managed Google Play, an organization can ensure that team members are selecting prescribed apps for work that are secured through Google Play Protect. Last year, the number of 30-day active devices running managed Google Play increased by 2,000 percent.

We also introduced a bundle of new security features in Android Oreo, making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, and hardening the kernel.

In its second year, the Android Security Rewards program paid researchers $1.28 million in 2017 for work identifying potential vulnerabilities in Android. We also introduced the Google Play Security Rewards Program for developers that discover and disclose select critical vulnerabilities in apps hosted on Play.

Additionally we launched zero-touch enrollment, a fast and secure method for simplified provisioning of corporate-distributed devices. Our focus on security starts from the moment a device is powered on, through deployment, and during daily interaction with apps and services.

Looking ahead

Our efforts continue into 2018. We recently launched the Android Enterprise Recommended program for OEMs, which addresses the pain point that many organizations face when choosing devices for large deployments. Our program features a curated selection of devices that meet common requirements for security (including which devices are getting regular security patches), and supported features, all validated by Google.

For a more detailed look at all of the Android security improvements during the last year, see the dedicated Security Blog or read the full security report at g.co/AndroidSecurityReport2017.