Android Security Checkup

Google added a feature called Verify Apps when it released the Jelly Bean version of the Android operating system. It has now published a blog post saying that over 25,000 malicious apps have been spotted by the utility. It has also warned of the risk of Dead or Insecure (DOI) devices. The post, written by Megan Ruthven, a software engineer at Google, looks at the work of the Android Security team in detecting DOI devices.

What is Verify Apps?

Devices with Android Play installed automatically get the Verify Apps security solution. It checks every app loaded onto the device to make sure it is not a Potentially Harmful App (PHA). Users are warned about PHAs and then helped to uninstall them. Google has spent a lot of time and effort identifying and removing PHAs from the Android Play store, so most PHAs now detected come from unauthorised app stores and are sideloaded by the user.

Google admits that Verify Apps is not perfect. Like any security solution it can be defeated, and when that happens the device stops checking in with Verify Apps. Because Google knows which devices are using Verify Apps, it records when a device stops responding.

What does Android mean by Dead or Insecure?

A Dead or Insecure (DOI) device is one that stops checking in with Verify Apps, and the signal is tied to app installs. Google tracks which apps were installed and notes when devices stop using Verify Apps afterwards. This information is used to compute a retention rate for each app: the more devices that stop using Verify Apps after installing it, the lower its retention rate, and the more likely the app is to be either malware or very badly written.

Google has a formula for this. The formula itself was shown as an image (captioned "Android Verify Apps retained formula"); its variables are:

N = Number of devices that downloaded the app
X = Number of retained devices that downloaded the app
P = Probability that a device downloading any app will be retained.
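The formula image did not survive on the page, so here is an added worked example (not Google's code) of how the three variables above combine into a retention-based score. The statistic used is the standard binomial z-score, Z = (X − N·P) / sqrt(N·P·(1 − P)): if every install were an independent draw with retention probability P, the retained count X would have mean N·P and variance N·P·(1 − P), and Z measures how many standard deviations the observed X sits below or above that mean. The app data, the baseline P of 0.99 and the cut-off of −3.7 standard deviations are all constructed for this example; the page gives no threshold.

```python
import math

# Constructed sample: (app name, N devices that downloaded it, X of those
# that kept checking in with Verify Apps afterwards). Not real Google data.
SAMPLE_APPS = [
    ("good_app",    10000, 9930),
    ("weather",       300,  295),
    ("flashlight",   2000, 1940),
    ("rooted_tool",   500,  470),
]

# Assumed platform-wide retention probability P (constructed for this example).
BASELINE_P = 0.99

# Illustrative cut-off in standard deviations; the page gives no threshold.
DOI_THRESHOLD = -3.7


def retention_rate(n: int, x: int) -> float:
    """Plain retention rate X / N for one app."""
    if n <= 0 or not 0 <= x <= n:
        raise ValueError("need 0 <= X <= N and N > 0")
    return x / n


def doi_z_score(n: int, x: int, p: float) -> float:
    """Binomial z-score of the retained count.

    With X ~ Binomial(N, P) the mean is N*P and the variance N*P*(1-P).
    A large negative score means far more devices went silent after the
    install than the baseline predicts; small apps with a slightly low
    retention rate are not penalised the way a raw rate would penalise them.
    """
    if n <= 0 or not 0 <= x <= n:
        raise ValueError("need 0 <= X <= N and N > 0")
    if not 0.0 < p < 1.0:
        raise ValueError("P must be strictly between 0 and 1")
    mean = n * p
    stddev = math.sqrt(n * p * (1.0 - p))
    return (x - mean) / stddev


def score_apps(apps, p=BASELINE_P):
    """Return (name, retention_rate, z) for each app, worst z first."""
    rows = [(name, retention_rate(n, x), doi_z_score(n, x, p))
            for name, n, x in apps]
    return sorted(rows, key=lambda r: r[2])


def flag_doi_apps(apps, p=BASELINE_P, threshold=DOI_THRESHOLD):
    """Names of apps whose z-score falls below the threshold, worst first."""
    return [name for name, _, z in score_apps(apps, p) if z < threshold]


if __name__ == "__main__":
    for name, rate, z in score_apps(SAMPLE_APPS):
        verdict = "DOI" if z < DOI_THRESHOLD else "ok"
        print(f"{name:12s} retention={rate:.4f} z={z:+8.2f} {verdict}")
    print("flagged:", flag_doi_apps(SAMPLE_APPS))
```

Note the "weather" entry: its retention rate (295/300, about 0.983) is below the 0.99 baseline, yet with only 300 downloads the shortfall is just over one standard deviation, so it is not flagged. The two flagged apps lose far more devices than chance allows at their download volume, which is the property a z-score captures and a bare retention rate does not.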

This allows Google to warn users about dangerous apps and advise them not to install them. It is also possible, according to the blog post, for Android to remove apps classified as PHAs and prevent them from being reinstalled.

Conclusion

Google says that over 25,000 apps have been detected using this approach. This is good news for Android customers and will help improve the security of the platform. However, there is a caveat: the device has to be running Jelly Bean or a later version of Android.

This poses a significant problem for some devices. The European Commission is investigating Google for abusing its market position over Android. Part of its claim is that Google is not doing enough to protect all the Android devices in the market. Google’s defence is that they cannot stop anyone taking the Android code and then using it inside their device. As a result it is unreasonable that Google is held responsible for those devices which are rarely updated and quickly become orphaned from the main Android update process.

The only way to stop this would be to make it a requirement that anyone using Android in their devices also supports Verify Apps. This is not something that Google can enforce, but it is something that the current investigation needs to look at. If we are to get a universal improvement in Android security then every vendor who uses the OS has to be responsible for using the security tools that are available.
