
Android License Changes Raise Security Questions

The changes Google made to its licensing for Android devices sold in Europe as a result of the European Union’s July antitrust ruling can negatively affect the security of the Android ecosystem. Android has long been viewed as the less-secure mobile operating system compared to iOS, so how device makers and app developers respond to the changes will determine whether things will become even worse for the ecosystem.

Up until now, the core Google experience on an Android phone was the same regardless of who made the phone, such as HTC, Motorola, or Samsung (Amazon’s Fire OS and Chinese phones being the notable exceptions). Google set up its licensing agreements with device manufacturers so that if they wanted Google Play, they had to install Search and Chrome as well. For users, Play is an essential part of the Android experience, since that is the de facto marketplace to find other Android apps.

Along comes the European Commission, which fined Google €4.34 billion ($5.1 billion) in July, ruling that the licensing requirement gave Search a monopoly on Android devices. Google announced this week the changes to its licensing scheme to comply with the ruling, since its appeal will take a few years to go through the courts. Android, the core operating system, will remain free and open source, but Google’s apps will no longer come bundled with it. Device makers will have to pay for a license to load the core Google apps, which include Play, Gmail, and Maps, on their devices. There is a separate paid license for Chrome and Search, since the ruling was specifically about Search.

Bottom line, this means Android phones no longer have to ship with Play, which would push users toward third-party marketplaces and increase the risk that they download malicious apps. It likely won’t help with the current Android fragmentation problem or the difficulty in getting regular operating system updates, either.

The changes take effect Oct. 29 and will affect devices sold in the European Economic Area, which consists of the 28 member states of the European Union plus Norway, Iceland, and Liechtenstein.

“Going forward, Android partners wishing to distribute Google apps may also build non-compatible, or forked, smartphones and tablets for the European Economic Area (EEA),” wrote Hiroshi Lockheimer, Google’s senior vice president of platforms and ecosystems.

Different Android Experiences

Let’s break down what the changes mean for users in Europe. Right now, Android devices have the same core apps, but may have other apps from the manufacturer and other apps from the carriers. With the new licensing requirements, European users will potentially have a choice of Android devices that don’t have any Google apps by default, similar to what Amazon has done with its Fire OS; Android devices that have the core Google apps but not Search or Chrome; or Android devices that have everything installed the way most users are currently used to seeing.

One of the things to understand about the first scenario: those Android devices would not have access to any of the apps in Google Play. That’s okay if there is a fairly robust marketplace to replace Play, such as what Amazon has for Fire OS, or the various app marketplaces that exist in China because Google doesn’t operate in that country. Samsung has a Galaxy Apps Store for its line of Galaxy phones, but not many manufacturers have their own app store.

In the second scenario, perhaps the device makers will partner with other search engines or browsers. With the last scenario, it’s pretty likely that the manufacturers would pass the increased costs for the licenses on to the users, so users wanting to keep the same experience will have to pay a premium.

"This is a complex business and economic situation that is still unclear how the costs will be borne to consumers," said Christoph Hebeisen, senior manager of security intelligence at Lookout, a mobile security company. Third-party app stores "are historically rife with malware," Hebeisen said.

No Play, No Bouncer

Going back to the first scenario, not having Play means users lose an important layer of security.

Over the years, Google has implemented many tools in Play that scan apps for malicious code and flag potential problem apps. Bouncer was just the beginning, and Google's ongoing efforts are a big part of why users who stuck with Play alone for their apps rarely encountered mobile malware. Even when malware crept past the security gauntlet, Google generally removed the offending apps from Play quickly and cleaned up affected devices when necessary. Most mobile malware thrives on third-party marketplaces.

"Without Google Play, device manufacturers will use third-party app stores, which definitely increases the risk of mobile malware and other risky apps, often distributed from the third-party app stores that face less review than Google Play," said Domingo Guerra, president and co-founder of mobile security company Appthority.

If the current situation in Europe means there is going to be an increase in the number of Android devices that rely on third-party marketplaces, then those marketplace owners have to pick up the slack and perform their own security scanning for each of the apps in the marketplace to protect the users.

It makes sense that device makers want the flexibility to design their own Android experience. But they then have to take the responsibility of making sure the app ecosystem is safe for users.

More Fragmentation

Android fragmentation is already bad enough because carriers and handset makers don’t have to update the operating system when Google makes security fixes. Take the current breakdown, with about 22 percent of users on Marshmallow (version 6.0, released 2015), 29 percent on a version of Nougat (version 7.0, released 2016), and just shy of 20 percent of users on Oreo (version 8.0, released 2018). And that’s not counting the remaining 30 percent or so spread across the even older versions. With carriers and manufacturers now able to create their own flavor of Android devices, expect more differences under the hood.

Google also loses whatever leverage it had over manufacturers and carriers to roll out operating system updates. Very few devices get any kind of Android update, as manufacturers play peek-a-boo over which devices they will update and when. It’s an open question whether the ability to customize the operating system and installed apps would make manufacturers more likely to update the OS regularly or keep being lackadaisical about updates.

There is a silver lining. It's possible there may be room in the marketplace for a privacy-friendly phone, running Android with DuckDuckGo as the search engine and a secure chat client.

The modern Android experience came about because the previous experience of too much choice—different browsers, skinned interfaces, and random configurations—created a confusing user experience. Apple has one consistent user experience. Android gave some choice, while keeping many things the same. That's going to change in Europe.