The State Of Google Security In 2016
ANALYSIS: Google is actively working on multiple efforts to make the Internet safer for everyone, as it pushes good password practices and auto-updates
Google’s corporate mission statement has long included the phrase “Do No Evil,” which refers to Google as a company, but it could easily also be extended to the broader Internet as well. Google is working on multiple fronts to make sure “no evil”—be it a hack or malware attack—goes on against its users and the Internet at large.
Last week at the Google I/O conference (read Chris Preimesberger’s roundup of I/O 2016 news here), the company made a number of product and services announcements. Integrated with some of those announcements and in stand-alone sessions at the conference was the theme of security.
The upcoming Android N mobile operating system will be getting a number of important new security capabilities. Among them is a new mediaserver library approach that aims to eliminate the risks of the existing Android media server technology. In July 2015, the first Android Stagefright mediaserver library flaws were announced, and ever since, Google has been updating Android incrementally as new media server flaws are discovered by researchers. In the Google Android May 2016 update alone, Google patched seven mediaserver vulnerabilities.
A consequence of the Stagefright mediaserver flaws is that in August of 2015, Google moved to a monthly update cycle for Android. It’s a cycle that with Android N will accelerate further thanks to the introduction of automatic patching in a manner similar to how Chromebooks are updated today.
Stephan Somogyi, product manager of security and privacy at Google, delivered at I/O what he referred to as the “3rd Annual Google Security Update,” providing an overall update on security, with “updating” being a key theme.
“The charter of Google’s security and privacy engineering team is to protect users and their data,” Somogyi said during his session.
He emphasized that auto-updates are a best practice for security, and they have been an integrated part of the Chrome browser since 2008. The promise with Android N is to provide the same type of seamless experience for auto-updates.
Google Puts Encryption to Use
The widespread use of encryption at Google, for updates and everything else, was also a key theme of Somogyi’s talk. In February, Google began to show Gmail users whether email was received over an insecure connection by way of a small unlocked, red padlock icon, he said. When the icon first started to appear, Somogyi said that approximately 58 percent of all incoming mail to Gmail was making use of Transport Layer Security (TLS) encryption. After 45 days of use, he said there was a measurable improvement in the use of encryption for email. On May 13, Google found that 78 percent of incoming mail to Gmail used TLS.
Continued on page 2…
Originally published on eWeek.