Inside Android 4.2's powerful new security system

We've talked plenty about the new features in Google's Android 4.2 release -- Photo Sphere, multi-user support, a reimagined tablet UI -- but one of the most significant changes to the software is something you might not notice at a glance.

Android 4.2 marks the launch of a powerful new security system built right into the platform. The key component is a real-time app scanning service that instantly checks apps put on your device for any malicious or potentially harmful code.

The feature is an extension of the security technology Google introduced for the Play Store this past February. While that technology worked exclusively on the server side, analyzing apps that were uploaded to the Play Store, the new system works with your device and scans any apps you install from third-party sources (a process known as "sideloading").

"We view security as a universal thing," Android VP of Engineering Hiroshi Lockheimer tells me. "Assuming the user wants this additional insurance policy, we felt like we shouldn't exclude one source over another."

Following typical Google fashion, the new scanning service is completely opt-in: The first time you install an app from a source other than the Play Store -- including a third-party app market like Amazon's app store -- Android pops up a box asking if you want such applications to be checked for "harmful behavior." (There's also a checkbox in the "Security" section of the 4.2 system settings that lets you turn the service on or off at any point.)

Initial confirmation aside, everything with the new security system happens seamlessly and almost instantaneously behind the scenes. Whenever you sideload an app, your phone sends identifying information about the program to Google's servers. Google's servers then analyze the info and compare it with the company's database of known applications.

"We have a catalog of 700,000 applications in the Play Store, and beyond that, we're always scanning stuff on the Web in terms of APKs that are appearing," Lockheimer says. "We have a pretty good understanding of the app ecosystem now, whether something's in the Play Store or not."

If Google's servers recognize the app as a known safe program, your installation will continue uninterrupted. If it matches it to an app that's known to be dangerous, meanwhile -- a designation Lockheimer says is extremely rare for the platform -- the system will prevent you from installing it. And if the app raises some red flags but no definite evidence of harm, the system will alert you of the situation and let you decide whether you want to proceed.

All of that happens in a split second. I tried sideloading some apps onto my Nexus 4 review unit, and following the initial opt-in confirmation, I couldn't detect any noticeable delay in the process compared to what happens on pre-4.2 devices.

"The server does all the hard work," Lockheimer explains. "The device sends only a signature of the APK so that the server can identify it rapidly."

(Incidentally, Lockheimer tells me the new functionality is not related to Google's recent acquisition of VirusTotal, a startup focused on online malware scanning; rather, it's based completely on the app-scanning technology announced for the Play Store back in February.)

Accompanying the system is a new and improved app permissions screen -- the screen that shows up anytime you install an app from outside of the Play Store. The new Android 4.2-level screen is cleaned up and far easier to read than what we've seen in the past.

And last but not least, Android 4.2 has an added behind-the-scenes feature that alerts you anytime an app attempts to send a text message that could cost you money. If an app tries to send an SMS to a known fee-collecting short code -- a number that'd automatically bill your carrier when it receives a message -- the system jumps in and alerts you to the action. You can then opt to allow or deny the process.

As I've written numerous times before, malware on Android is far less significant of a real-world issue than some reports would lead you to believe. (Those reports, coincidentally enough, are almost always propagated by companies that make money selling malware protection software. Go figure.)

Still, these new layers of integrated security will no doubt bring extra protection and peace of mind to Android users -- and no matter how you look at it, that's certainly a good thing.

http://blogs.computerworld.com