Google’s corporate mission statement has long included the phrase “Do No Evil,” which refers to Google as a company, but it could easily also be extended to the broader Internet as well. Google is working on multiple fronts to make sure “no evil”—be it a hack or malware attack—goes on against its users and the Internet at large.
Last week at the Google I/O conference (read Chris Preimesberger’s roundup of I/O 2016 news here), the company made a number of product and services announcements. Integrated with some of those announcements and in stand-alone sessions at the conference was the theme of security.
The upcoming Android N mobile operating system will be getting a number of important new security capabilities. Among them is a new mediaserver library approach that aims to eliminate the risks of the existing Android media server technology. In July 2015, the first Android Stagefright mediaserver library flaws were announced, and ever since, Google has been updating Android incrementally as new media server flaws are discovered by researchers. In the Google Android May 2016 update alone, Google patched seven mediaserver vulnerabilities.
A consequence of the Stagefright mediaserver flaws is that in August of 2015, Google moved to a monthly update cycle for Android. It’s a cycle that with Android N will accelerate further thanks to the introduction of automatic patching in a manner similar to how Chromebooks are updated today.
Stephan Somogyi, product manager of security and privacy at Google, delivered at I/O what he referred to as the “3rd Annual Google Security Update,” providing an overall update on security, with “updating” being a key theme.
“The charter of Google’s security and privacy engineering team is to protect users and their data,” Somogyi said during his session.
He emphasized that auto-updates are a best practice for security, and they have been an integrated part of the Chrome browser since 2008. The promise with Android N is to provide the same type of seamless experience for auto-updates.
Google Puts Encryption to Use
The widespread use of encryption at Google, for updates and everything else, was also a key theme of Somogyi’s talk. In February, Google began to show Gmail users whether email was received over an insecure connection by way of a small unlocked, red padlock icon, he said. When the icon first started to appear, Somogyi said that approximately 58 percent of all incoming mail to Gmail was making use of Transport Layer Security (TLS) encryption. After 45 days of use, he said there was a measurable improvement in the use of encryption for email. On May 13, Google found that 78 percent of incoming mail to Gmail used TLS.
The State of Google Security in 2016
While Google has vast resources of its own to find security vulnerabilities, the company has long embraced the idea of paying security researchers for finding flaws. In 2015 alone, Google paid out $2 million in bug bounties to more than 300 security researchers.
“Last year we gave out a lot of money to a lot of people for a lot of bugs,” Somogyi said.
And in 2016, Google is on track to give out even more money, he said. In March, Google increased the top reward it pays out for a Chrome OS vulnerability from $50,000 to $100,000 for the persistent compromise of a Chromebook in guest mode.
“With great research comes great rewards,” Somogyi said.
Safe Browsing Protections Extended
Google also isexpanding and improving the efficacy of its Safe Browsing technology. Safe Browsing warns both desktop and mobile browser users of potentially malicious sites. Somogyi noted that this year, Google is extending even more Safe Browsing protections, for malware and social engineering in Chrome on Android.
“Safe browsing today protects well over 2 billion devices,” he said.
In terms of best practices, Somogyi suggests that users don’t reuse passwords across services. This is something Google’s Project Abacus aims to help with. Abacus is an approach for password-less access that was first discussed at Google I/O in 2015. Google plans to roll out Abacus-based log-ins to Android by the end of the year.
Even before Abacus becomes available, though, Google has other approaches, including the use of two-factor authentication, using the FIDO U2F protocol to help enable stronger authentication than just a simple password.
While using stronger passwords (or a password replacement technology), safe browsing and paying security researchers to find bugs are all good things, Somogyi said installing updates is one of the best ways to keep users safe.
Security is a complex challenge with many unknowns, but there are many known bad items, too. While zero-day risks are a concern, good password practices and keeping users updated are likely two of the best tools to help Google achieve its mission of Do No Evil—and the broader mission of not letting evil happen to its users either.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.