The young ones who either didn’t have an Android smartphone 5 years ago because they were yet to come of age, had no money, yet, or were still in school and could only afford to borrow beaten up devices from friends and family on occassion, may not remember this but there used to be a monster called Android Market. If you think the back-to-back reports emerging every other day in the tech press touching on security concerns on the world’s biggest and most used mobile platform are anything then you are late to the party.
In those days, report after report was always casting Android in the wrong light at a time when it needed all the legitimacy it could to survive. You see, initiatives like Samsung’s KNOX didn’t just emerge from thin air. Even when it was throwing its last kicks, BlackBerry’s legacy operating system was still the go-to software for the security-conscious corporate user and the impregnable iOS continued to be a bragging right for its users and a major point of reference every time they felt like taking a piss at Android which was all the time anyway.
Over the past few weeks, hawk-eyed users have noticed the eventual appearance of a feature that Google announced at its annual developer conference, I/O 2017, back in May: Google Play Protect. Even though it has always been there, lurking in the shadows and doing its work without seeking any attention or credit (more on that later in this article), Google Play Protect was to become front and centre of Google’s plans to calm the nerves of its over global 1.5 billion Android user base.
As you may have noticed, I gave little attention to Google Play Protect when it was “announced” at Google I/O 2017 and gave the excitement laced in the many news items announcing its arrival last week a wide berth. Here is why: there is nothing new, really. If anything, Google’s ever-active malware scanner just got a nice marketable name and, for the user that has for the last 8 years been duped by security systems vendors, a way to actually verify that they are “protected” from the deep and dark horrors of the cruel online world where bad people and their software are always on the prowl, looking for their next target.
In order to allay everyone’s fears and concerns, Google came up with Bouncer. If we are to trace the ancestor of Google Play Protect then Bouncer would be it.
Bouncer’s existence was made public by Google 5 years ago. How it operated then, just like Google Play Protect operates today, was simple, at least by the way I am going to explain it.
As the Android Market, the then name of the Android app store which we now know as Google Play Store, expanded and grew, thousands of new applications and updates to older ones, were pouring in every month. With vices like code injection and other dark developer practices having existed since early on on platforms like Microsoft’s Windows and Apple, the good guy, being very strict with how it vetted and authorized apps on its iTunes app store, Google had come up with a way to automatically scan the code in every submitted app for malware.
The biggest upside to Bouncer was that Google was killing two birds with one stone: protecting its users while at the same time not restricting or delaying app approval like Apple did back then and continues to do today.
This was smart and would mark the start of a 5-year vain struggle to rid Android of malware.
Before the arrival of Bouncer, Google’s most prominent cling to doing enough to ensure the security of its users and their data was the insistence that Android used sandboxing for its apps i.e. each application operated independent of each other and in no circumstances did one gain access to data or information stored in the other. Another measure that had by then already been introduced, telling users upfront which permissions an application required, wouldn’t be implemented in the best way possible until 3 years later when Google started rolling out Android M, later Android Marshmallow.
Read the blog post by then Google Vice President in charge of Android Engineering and the current Android boss, Hiroshi Lockheimer here.
Bouncer wasn’t really a name. It was a codename. Google is usually reckless with naming things (Google’s personal assistant is called Assistant, after all) and as such, reflecting what it actually did, Bouncer ended up being called Verify Apps and would be known as such for a couple of years, until last week when Google Play Protect finally arrived to replace it.
According to the Android Security Report (2016) [PDF] released by Google early this year, “Verify Apps uses a cloud-based service to determine if applications are potentially harmful. It scans applications before installation and blocks installs of PHAs (potentially harmful applications). It also runs regular scans on all installed apps. If a PHA is found, Verify Apps prompts the user to remove it. In cases where the PHA has no possible benefit to users, Verify Apps can remove the PHA from affected devices with a notification to the user.”
In 2016, Google’s security services conducted over 790 million device security scans daily, protecting Android phones, tablets, smartwatches, and TVs.
Google Play Protect
Google Play Protect is just a fancy new name for Verify Apps which started out under the internal codename Bouncer at Google. However, what sets Google Play Protect apart is that ordinary Android users will be aware that it exists. It’s not just Android nerds like myself (and probably you who is still reading this article 1,000 words later) who will be in the know that they are already protected from most (up to 99%) of the dangers they would otherwise be exposed to.
Security software companies have made a kill by banking on user’s ignorance to sell otherwise useless solutions. How many times have you bought a smartphone that comes with a trial version of anti-virus software X pre-installed? Then once the trial 30 or 90-day period is over it starts nagging you daily to pay a Kshs 300 monthly subscription in order to stay safe.
With Google Play Protect, users are very much aware that Google is in control. If they want additional protection from a third party then they can go ahead and get it but it’s not because they weren’t aware that Google was already shielding them from the bad guys as has been the case before.