Android's lead security engineer Adrian Ludwig reflected privately after his talk at the RSA Conference about the announcements of other companies' security flaws that are always timed to coincide with security conferences.
"I feel for them because we were in a similar situation last February when we learned of Android Masterkey Vulnerability. We knew from Google's Play Store and [Google's on-device malware scanner] data that the vulnerability had never been exploited, but public exposure would inform bad actors and could cause harm."
It wasn't an expression of schadenfreude; Ludwig was sincere in expressing an overriding industry concern and explaining the motivation for the improvements to Android's security.
Vulnerabilities are publicly announced and amplified in the press with the pageantry of a public hanging in the Wild West. These reports seem to increase around the time of security conferences like RSA and Black Hat. But they lack the discipline and statistical perspective used in the field of epidemiology. Imagine the panic and chaos that would follow an announcement by the Centers for Disease Control of a newly discovered disease without disclosing how lethal it is, the rate of infection, and what to do if symptoms appear. In his talk, Ludwig explained the Android security response like an epidemiological response to an outbreak, with an emphasis on effectiveness without causing public panic.
Ludwig spoke in retrospect about the highly publicized Android Masterkey Vulnerability (AMV) to explain how the Android security team operates. He spoke about his group's approach to detecting and responding to vulnerabilities. He disclosed for the first time at RSA a new technology named Safety Net that inspects apps more deeply and uses predictive data analytics to identify apps infected with hard-to-detect malware. Ludwig wants not only to patch the vulnerabilities found, but to use each experience to improve Android security systematically and spare the consumer the anxiety provoked by unquantified reports of vulnerabilities. It's important to understand that Android security is free, so high-profile malware reports won't send customers stampeding to pay Google for protection.
Ludwig's data indicated that the AMV had not been exploited from the time Google was notified by an independent security researcher in February 2013 until its public announcement in July. From the time the AMV was announced, it took less than a week for the first exploit to surface and be detected by Google. A month later, Google's response had capped installations of apps carrying the exploit to fewer than 8 per million app installations, all downloaded from alternative app stores, none from Google Play.
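The article names the AMV but never describes it. The flaw, as publicly documented after the July 2013 disclosure, was that an APK (a zip file) could carry two entries with the same name, and the component that verified the app's signature and the component that installed it could pick different entries. The following is an added example, not code from the article or from Google: it constructs an in-memory APK-like archive with two `classes.dex` entries (a constructed sample, not a real app) and shows both the ambiguity and the check a vetting pipeline would apply. The helper names are my own.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_duplicate_entry_apk() -> bytes:
    """Construct (in memory) an APK-like zip whose central directory carries
    two entries named classes.dex. Constructed sample input, not a real APK:
    no signature, no resources, just enough to demonstrate the ambiguity."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # Python's zipfile warns "Duplicate name" but still writes the entry;
        # a hostile packer relies on exactly this permissiveness.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\0INJECTED")  # first copy
            zf.writestr("classes.dex", b"dex\n035\0ORIGINAL")  # second copy
    return buf.getvalue()


def name_lookup(apk_bytes: bytes, name: str) -> bytes:
    """What a by-name lookup sees: zipfile keeps one ZipInfo per name, and
    the last central-directory entry wins, so the duplicate is invisible."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def payloads_by_name(apk_bytes: bytes, name: str) -> list:
    """What a consumer walking the central directory in order sees: every
    entry with that name, bypassing the name->entry dictionary."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that occurs more than once.
    An archive with any duplicates should be rejected outright, regardless of
    which copy a given parser happens to prefer."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_well_formed(apk_bytes: bytes) -> bool:
    """The vetting check: no duplicate entry names anywhere in the archive."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    apk = build_duplicate_entry_apk()
    print("by-name lookup returns:", name_lookup(apk, "classes.dex"))
    print("all entries in order:  ", payloads_by_name(apk, "classes.dex"))
    print("duplicates:", duplicate_entries(apk), "well-formed:", is_well_formed(apk))
```

The point of the two read paths is that both are "correct" zip handling, yet they disagree on which bytes `classes.dex` holds; a signature check performed on one path and an install performed on the other is the gap. Rejecting any archive with a repeated entry name closes it without needing to know which parser the installer uses.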
Looking closely at that timeline reveals the new Android security component, Safety Net. Its distribution was so stealthy that independent researchers were surprised by warnings when they installed apps exploiting the AMV, even though they had Android's antivirus scanner turned off. As with Google's on-device antivirus scanner, called Verify Apps, Google released and distributed Safety Net without accompanying marketing fanfare.
Safety Net is a friendly consumer name for Google's on-device monitoring of app behavior, which detects malware that would otherwise evade identification by antivirus scanning technology. Behavioral monitoring on the device isn't new, but it is not widely used. Scanning apps when developers upload them to the Play Store, and scanning apps for viruses before installation, reduces the number of potentially harmful apps that get installed. But not all harmful apps can be detected with these kinds of tools, especially polymorphic malware that continuously changes its signature, like the malware used to steal credit card data from Target's cash registers.
This additional layer of defense that monitors app execution behavior was added as a push update to Google Mobile Services (GMS) in the Play Store app. It compares how apps behave to Google's repository of behavioral graphs that grows with the addition of 15 million new pieces of data per day, including apps, developers, app behaviors, relationships and third-party analyses.
An app need not register positive from a malware scan to become suspect. Google's data can be used to single out an app that may be harmful. In the spirit of Google's analytical core, more data means better security. Ludwig would not go into specific detail, but in response to a question about how Google assesses developers' reputations as a predictor of malware, he suggested that the data available to the Android security team extended beyond just Android:
"How we do it is something of a secret sauce, but Google has a lot of historical attack data from people attempting to violate our systems."
As the originator of MapReduce, Google is experienced in distilling massive amounts of data into meaningful conclusions. Using the data derived from hundreds of millions of Android devices and Google's security experience, many signals can flag an app as suspicious.
Building a defense through containment isn't possible with an ecosystem of the scale and diversity of Android. Looking for the needle in the haystack by scanning, monitoring, and using massive amounts of data with predictive analytics to detect vulnerabilities, and then remediating them, is the only way that Android can be secured.
Not surprising for a Google talk, Ludwig shared a lot of data to explain Android's security methods. In retrospect, the AMV is exploited only 35 times per million app installations from outside Google Play. More interesting than the tiny number of exploits is that the Android security team has visibility into what kind of apps use this exploit. As it turns out, more than half of these exploits are performed by knowledgeable users on their personal devices to install a Nintendo game emulator.
If the Android security team's work prevails, and with a little luck, Ludwig will still be speaking retrospectively at the next security conference about the AMV, and not about a new vulnerability.