Adrian Ludwig - Google
Tuesday in San Francisco at Structure Security 2017, Google's lead Android security engineer Adrian Ludwig talked about the evolution of Android security and new steps the company is taking to make Android more secure. William Mansell

When Apple unveils a new phone, as it did with the iPhone 8 and iPhone X this month, the praise, snark and interest that follow are annoyingly predictable. The product release cycle generally ignites the Apple vs. Samsung debate for a few months about which products have the best camera, memory or new features. The argument also brings up the never-ending iOS vs. Android debate.

At Structure Security 2017 in San Francisco, Adrian Ludwig, lead engineer for Android security at Google, wasn’t there to talk about the rollout of Android Oreo or the bugs and adoption rate of iOS 11. Instead, he spoke about the evolving security of the Android operating system.

One of the main differences between the operating systems is the flexibility and customization of Android versus the stringent rollout and protocols for iOS. While it would appear that having multiple carriers and product companies would create more entry-point vulnerabilities, Ludwig said Google’s transparency with its operating system only creates a more secure network by allowing more people to help spot security weaknesses.

He said Google lays out some "rules of the road" for those that use Android and for compatible devices, along with basic security characteristics Android devices should have (such as encryption being enabled on all devices).

“We’ve seen our protection get stronger, seen strong relations being created with other security researchers. Ninety-nine percent of devices are clean, it’s because of constant innovation and we have other parties contributing,” Ludwig said Tuesday. “Android itself is not tied to any one company, it defines clear security models that constrain applications.”

Ludwig said Google needs to have anybody in the world available to look for a security vulnerability and report it. “That’s why using an open standard is important. [It’s] not possible if you’re solely depending on one manufacturer or software provider,” he said.

Google does this not just by opening Android to other companies but also through its Google Vulnerability Reward Program. Ludwig said this program and its openness mentality lead to Google taking a lot of arrows, "but that's because we invite them in. Because we want to know about those issues. We want to fix them."

As mobile computing becomes increasingly important and advanced while security threats evolve, Ludwig said, Google has learned to lean on machine learning. He said that with more than 2 billion devices operating Android and years of data, machine learning was a natural progression for Google to help identify security risks. Google, he said, is already seeing a huge return on investment.

“Almost 50 percent of the detection that we did of new malware last week [was] through ML,” Ludwig said. “Six months ago that was five percent.” The number of devices where a user installed malware earlier this year was about 0.6 percent. Ludwig said that with the help of its machine learning, that figure is down to 0.25 percent.

While its machine learning advancements are already paying dividends, Ludwig said Google still has to use its transparency and humans to help keep Android secure. “It’s not pixie dust, it doesn’t solve the problem… it’s just another tool.”

Editor’s Note: Newsweek Media Group and International Business Times partnered with Structure to host Structure Security 2017.