Google published a "Year in Review" on the topic of Android security. Much of the report is laudable: The company got better at stopping the spread of Potentially Harmful Apps (PHAs) from Google Play. Also, Android Nougat brought file-based encryption and other security features along with it, and more than 735 million devices from over 200 manufacturers received at least one platform security update over the course of 2016. But it's not all good news.
The problem with a platform security update reaching 735 million devices is that it means roughly 50% of Android smartphones weren't updated. That means hundreds of millions of smartphones in use last year didn't get an entire year's worth of security patches delivered via these monthly updates. A lot of that is outside Google's control--manufacturers and distributors are free to release or not release updates to their devices--but it's still bad news.
As the company noted in its blog post:
"We appreciate all of the hard work by Android partners, external researchers, and teams at Google that led to the progress the ecosystem has made with security in 2016. But it doesn’t stop there. Keeping users safe requires constant vigilance and effort. We’re looking forward to new insights and progress in 2017 and beyond."
There is a silver lining in that Google's manufacturer and wireless carrier partners released "updates for over half of the top 50 devices worldwide in the last quarter of 2016." And, in addition to those efforts, Google said that it will "increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches."
The question is how much those efforts will matter. Android's update problem isn't new; people have known about it almost since the platform started to become popular. Letting manufacturers do basically whatever they want with the platform helped Android reach many more people than it might have otherwise, but it also means that Google's security updates only matter to consumers if their particular manufacturer or carrier decides to distribute them.
This problem also raises questions about Google's plan to secure Internet of Things (IoT) devices. Android Things was announced in December 2016 to help manufacturers respond to security problems in their products. That's an increasingly dangerous issue in IoT: Connected devices have been used to take down popular websites, potentially spy on children via teddy bears, and otherwise create problems for their owners and for the internet writ large.
There's a certain irony (even if only of the Alanis Morissette variety) in Google using Android to try to fix an IoT problem that has plagued Android smartphones for years. This "Year in Review" really drives that point home. Things are improving, and they could get even better in the future, but Google isn't "shooting for the moon and reaching the stars" so much as it's cleaning up after other companies with a broom and dustpan.