Also, 7.x and 8.x have data encryption (if enabled), cryptographic key storage, kernel self-protection, sandboxing, SELinux, userspace hardening, secure lock screens, and verified boot.

Google says 83% of Oreo devices have a secured lock screen/fingerprint enabled compared to 75% of Nougat and 53% of Marshmallow.

Google ups the ante with security rewards program

As Android security has matured, it has become more difficult and expensive for attackers to find high-severity exploits. This is where open source shines. As a global, open source project, Android has a community of defenders collaboratively locating the deeper vulnerabilities and developing mitigations.

This community may be orders of magnitude larger and more effective than that of a closed source project (e.g. Apple iOS). Its defenders come from thousands of device manufacturers, SoC vendors, carriers, academic institutions, independent security researchers, and the worldwide Linux community.

While Google offers one of the highest reward programs for uncovering vulnerabilities, the quantum of claims has dropped considerably. In 2017, not one vulnerability was found for ‘core’ Android platform security exploits.

On-device protection

A range of on-device protections was introduced in 2017, including safe browsing, locking out unknown APIs, PHA scanning, and find my device.

Play Protect has blocked more than 10 million harmful app installs since October 2017.

Google says buy a Pixel!

It says that at the 2017 Mobile Pwn2Own competition, no exploits successfully compromised Google Pixel devices.

None of the exploits affected a device running unmodified Android source code from the Android Open Source Project (AOSP).

GadgetGuy’s take

We have extracted the most relevant parts of the 55-page report. If we had any doubts about Android security at the beginning, they were assuaged by the end.

Maybe distilling the report wore us down, but three things stand out about Android security.

  1. Buy an Android 8.x phone or at worst 7.x (preferably with a guaranteed upgrade). Android just keeps getting better and more secure.
  2. Buy from one of the top makers – Samsung, LG, Sony, Lenovo (Moto), Huawei, BBK (includes OPPO, vivo and OnePlus), ZTE, Xiaomi, TCL (Alcatel and BlackBerry), HTC (including Google Nexus) and, of course, Google – if you want any semblance of manufacturer commitment to security. There are around 1,300 Android smartphone makers all up with about 85-90% of the global smartphone market!
  3. Only download from Google Play and do not root Android to load apps from elsewhere.