Android's lead security engineer, Adrian Ludwig, reflected privately after his talk at the RSA Conference on the announcements of other companies' security flaws, which so often seem timed to coincide with security conferences.
"I feel for them because we were in a similar situation last February when we learned of the Android Masterkey Vulnerability. We knew from Google's Play Store and [Google's on-device malware scanner] data that the vulnerability had never been exploited, but public exposure would inform bad actors and could cause harm."
It wasn't an expression of schadenfreude; Ludwig was sincere in expressing an overriding industry concern and explaining the motivation for the improvements to Android's security.
Vulnerabilities are publicly announced and amplified in the press with the pageantry of a public hanging in the Wild West. These reports seem to increase around the time of security conferences like RSA and Black Hat. But they lack the discipline and statistical perspective used in the field of epidemiology. Imagine the panic and chaos that would follow an announcement from the Centers for Disease Control of a newly discovered disease that did not disclose how lethal it is, the rate of infection, or what to do if symptoms appeared. In his talk, Ludwig framed Android's security response as an epidemiological response to an outbreak, with an emphasis on effectiveness without causing public panic.
Ludwig spoke in retrospect about the highly publicized Android Masterkey Vulnerability (AMV) to explain how the Android security team operates, describing his group's approach to detecting and responding to vulnerabilities. He disclosed for the first time at RSA a new technology named Safety Net that inspects apps more deeply and uses predictive data analytics to identify apps infected with hard-to-detect malware. Ludwig wants not only to patch the vulnerabilities found but to use each experience to improve Android security systematically, sparing consumers the anxiety provoked by unquantified reports of vulnerabilities. It's important to understand that Android security is free, so high-profile malware reports won't send customers stampeding to pay Google for protection.
Ludwig's data indicated that the AMV had not been exploited from the time Google was notified by an independent security researcher in February 2013 until its public announcement in July. Once AMV was announced, it took less than a week for the first exploit to surface and be detected by Google. A month later, Google's response had capped installations of the exploit at fewer than 8 per million apps, all downloaded from alternative app stores, none from Google Play.
A close look at that timeline reveals the role of the new Android security component, Safety Net. Its distribution was so quiet that independent researchers were surprised to see warnings when they installed apps exploiting the AMV, even though they had Android's antivirus scanner turned off. Like that on-device anti-virus scanner, called Verify Apps, Safety Net was released and distributed by Google without accompanying marketing fanfare.