“There's no question that when it comes to security, the Google Pixel and the iPhone are pretty comparable,” said Android's security chief. “In almost every threat model, they're pretty similar in terms of platform-level capabilities.”
Unfortunately for Google, that claim is eight years old; it was untrue then and it's untrue now. But that may all be about to change.
In 2016, Android's then-director of security suggested in an interview with Vice that “Android's open ecosystem will put it in a much better position.” Times have changed, and while the open ecosystem is still Android's main weakness, at least Google is finally getting closer to closing the stable door.
Malware in the Play Store is still a risk, and a much bigger one than in Apple's App Store. Sideloading, however, is a bigger threat. Samsung has been at the forefront of cracking down on third-party app stores and direct installs, and it's easy to see why: Google's ongoing security campaign in Singapore has “blocked around 900,000 high-risk [sideloaded] apps.” In less than six months, over 200,000 devices have attempted to install such apps.
Google has been focused so far on expanding its Play Protect ecosystem to better protect devices from side-loaded apps and those from its own Play Store. The delayed introduction of AI-powered live threat detection in Android 15 will be the latest advancement in this approach. But more significant are the sweeping changes to the Play Store itself that could finally bring Android security closer to that of the iPhone.
In July, Google announced major changes to its Play Store to remove low-quality, poorly developed apps. This level of control is much more Apple-like than Google's previous approach, but more importantly, it should eliminate most shell-like apps that hide or link to malware once installed on a user's device.
“We will be updating our policies on spam and minimum functionality,” the company warned app developers, “ensuring that your apps meet the raised standards of the Play catalogue and engage users through quality features and content user experiences.”
These changes will begin to take effect on August 31st, just five days from now.
But there's a big irony: as soon as Google buys into this new way of thinking, regulators could bring it all down.
A US federal judge has just warned of “significant changes to punish the company” after a jury last year found the Play Store an “illegal monopoly that has harmed millions of consumers and app developers.” Meanwhile, UK regulators have “ended their existing investigations into Apple and Google's respective app stores,” but this is only a temporary reprieve, pending “new laws to regulate digital marketplaces.”
Google's new approach to Play Store security is smart and long overdue. Their relentless push for Play Protect as a defense against malicious apps, and this app removal, should encourage users to view the Play Store as a safe option. Samsung's default block on sideloading goes further, as does Apple's clear warning that forced opening to third-party app stores in Europe is a security risk to users.
All of this raises an important question for regulators, big tech companies and users: which is more important, security or a seemingly more open market for access to mobile phones? The very real concern is that you can't have both, and in that case the tech ecosystem needs to give users reasons to make the right choice despite the growing risks.
That's why we'll wait in the coming months to see how much force Google has behind its threats to finally clean up the Play Store. We'll soon see how serious Google is about removing all these threats.