`Case 2:17-cv-00514—JRG Document 221-5 Filed 02/21/19 Page 1 of 14 PageID #: 19204
`
`
`
`EXHIBIT D
`EXHIBIT D
`
`
`
`..
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 2 of 14 PageID #: 19205
`
`EXHIBIT 3
`~ndrew Wolfe, Ph.D.
`
`2/1/19
`
`Reported by: Holly Thuman
`CSR 6834, RMR, CRR
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 3 of 14 PageID #: 19206
`
`Contents
`
`3
`
`Overview
`
`27
`
`Ecosystem
`Data
`
`8
`
`Google Play
`Protect
`
`47
`
`PHA Family
`Highlights
`
`15
`
`Android Platform
`Security
`
`55
`
`Acknowledgements
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 4 of 14 PageID #: 19207
`
`Overview
`
`Smartphones and other connected devices improve lives around the world
`every day. People depend on connected devices to exchange messages,
`navigate from here to there, and take lots-and lots-of photos.
`
`With more than 2 billion active Android devices, it's essential that Google
`provides the best protections for users at scale. We are committed to
`protecting users' privacy and security across different device types, such
`as smartphones, automobiles, wearables, TV, Things, and more.
`
`Android security made a significant leap
`forward in 2017 and many of our protections
`now lead the industry.
`
`We measure our improvement based on our own data about the Android ecosystem.
`We look at metrics, such as how many devices have installed Potentially Harmful
`Applications (PHAs), what protections they have in place, where PHAs are coming
`from, as well as third-party analysis and industry signals
`
`Third-party data also pointed to improved overall security. Platform
`exploitation difficulty, as measured by vulnerability rewards program payouts,
`independent security researcher analyses, and premier security vulnerability
`contest results, signaled that Android's protections have become significantly
`stronger. Exploit pricing is correlated to attacker cost, which is determined by
`many factors, including time, people, expertise, product knowledge, product
`accessibility, specialized equipment, and money. Growth in exploit pricing and
`difficulty demonstrates that Android has achieved a strength of protection
`that now leads the industry.
`
`This is Google's fourth annual report on Android security. The report details
`improvements to Google's security offerings for Android, new and updated
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 5 of 14 PageID #: 19208
`
`Android platform features, metrics that informed our view of Android security,
`and security trends for Android devices in 2017.
`
`In 2017, we improved Android security in a variety of ways, such as reducing
`the number of PH As on devices and in Google Play, improving security
`visibility and control for users with Google Play Protect, and reducing
`vulnerability exploitation with faster security updates. To make these changes,
`we collaborated closely with device manufacturers, system on a chip (SoC)
`vendors, telecom carriers, and Android researchers and academics.
`
`We hope that sharing this information gives you more insight into the state
`of security in Android, and our constant efforts to keep our users and their
`data secure.
`
`The best of Google security for Android
`
`Android devices that only download apps
`from Google Play are 9 times less likely to
`get a PHA than devices that download apps
`from other sources.
`
`While all Android devices benefit from protections built into the platform,
`Android devices with Google Play services have an additional layer of
`defense to keep them safe. Google protects these devices right out of the
`box with Google Play Protect, our built-in device, data, and apps security
`scanning technology.
`
`With nearly 2 billion protected devices, Google
`Play Protect is the most widely deployed mobile
`threat protection service in the world .
`
`Google Play Protect includes on-device capabilities that protect users from
`PHAs in real-time and cloud-based services that analyze device and app data
`to identify possible security concerns. Google is constantly improving our
`tools and methods, applying new machine learning techniques, and updating
`our detection and response systems to protect against new vulnerabilities
`and PHAs. Because Google Play Protect doesn't rely on firmware or platform
`updates, Android devices benefit from our innovation right away.
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 6 of 14 PageID #: 19209
`
`Google Play Protect gives a visible home
`to all the security protections that have kept
`Android users and devices safe behind the
`scenes for years.
`
`These protections include ways to find a lost device, safeguarding from
`deceptive websites, and systems that detect and remove PH As-no matter
`where the questionable apps came from. Google Play Protect also helps users
`check the security state of their Android device, providing peace of mind that
`their device is secure.
`
`We leverage machine and human intelligence to get the job done and keep
`our users safe. Our automated systems detect and classify PHAs and compare
`behavior to make meaningful connections across billions of data points.
`Our security experts analyze these findings and check suspected PHAs that
`our systems discover.
`
`In 2016, the annual probability that a user downloaded a PHA from Google Play
`was .04% and we reduced that by 50% in 2017 for an annual average of .02%.
`
`In 2017, downloading a PHA from Google Play
`was less likely than the odds of an asteroid
`hitting the earth.
`
`Up-to-date platform security
`
`Google's protections are a real-time shield against PHAs, and those protections
`sit on top of core security smarts that are built directly into Android. All Android
`devices share a common, platform-level security model. We've enhanced this
`model over the years with SELinux protections, app isolation using sandboxing,
`exploit mitigations, and cryptographic features, like file-based encryption and
`Verified Boot.
`
`In 2017, we expanded platform-level security in Android Oreo. Android Oreo
`increases security by making devices easier to update with Project Treble,
`giving apps a way to verify Android devices, reducing privilege, and mitigating
`sophisticated attacking techniques.
`
`Google works closely with our device manufacturing, SoC, and carrier partners
`to bring the best of Android security to all devices. On top of that, the breadth
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 7 of 14 PageID #: 19210
`
`and depth of Android's ecosystem-with over 60,000 different device models(cid:173)
`makes exploitation harder by limiting the impact of a mobile vulnerability and
`making it more complex to develop successful attacks. We provide compatibility
`resources, such as a detailed series of security requirements and a testing
`framework to ensure support across the diverse device ecosystem. In 2017,
`we also extended our security checks to proactively identify and remove
`preinstalled PHAs on Android devices.
`
`In addition to our proactive compatibility resources, we work with our partners to
`keep Android device security up-to-date. In 2017, we improved our collaborative
`security maintenance programs and provided faster and easier updates across
`all Android devices.
`
`In 2017, we increased the number of Android
`devices that received security patches by more
`than 30%.
`
`Protective power of open
`
`One of Android's most important security strengths is its open source
`development approach
`
`As Android security has matured, it has become more difficult and expensive
`for attackers to find high severity exploits. This is where open source really
`shines. As a global, open source project, Android has a community of defenders
`collaboratively locating the deeper vulnerabilities and developing mitigations.
`This community may be orders of magnitude larger and more effective than
`a closed source project of similar scale. Android's defenders come from thou(cid:173)
`sands of device manufacturers, SOC vendors, carriers, academic institutions,
`independent security researchers, and the worldwide Linux community.
`
`As of 2017, Google's Android Security Rewards
`program offers one of the highest reward values
`in the industry.
`
`Another example of exploit pricing is Mobile Pwn20wn, the premier mobile
`hacking contest where security experts from around the world compete to
`find exploits in mobile devices. Mobile Pwn20wn 2017 reward values were
`comparable across operating system platforms. In addition, the contest did
`not reward any core Android platform security exploits.
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 8 of 14 PageID #: 19211
`
`Enterprise growth
`
`Secure devices engender greater user and business confidence. Many enterprises
`have stringent device security requirements, so enterprise adoption and analyst
`reports help gauge the positive impact of Android security improvements.
`
`For example, Gartner's December 2017 Mobile OSs and Device Security:
`A Comparison of Platforms report by Patrick Hevesi reviewed Android among
`security controls for mobile devices. These controls included 10S 9, iOS 10,
`iOS 11, Android 4, Android 5, Android 6, Android 7, Android 8, Samsung Knox 2.6,
`Samsung Knox 2.9, Google Pixel (Android 7), Google Pixel 2 (Android 8),
`Windows 10, and Microsoft Surface Pro.
`
`Google continued to invest in Android's enterprise security features in 2017.
`One of Android's primary enterprise security capabilities is the work profile, which
`separates business apps and data from personal apps and data. Work profiles
`enable privacy for users (the business can't see the apps, data, or activity on the
`personal side) and improve data and network security for the business. In 2017,
`we established a validation process to ensure consistent, quality implementations
`of work profile, managed device, and dedicated device solution sets with nearly
`40 Enterprise Mobility Management (EMM) solution providers We also released
`manag_ed Google Play, a curated Google Play store for enterprise customers.
`
`In 2017, the number of 30-day active devices
`running managed Google Play increased
`by 2000%.
`
`We also launched the Verify Apps API, which helps administrators determine
`whether a device is protected by Google Play Protect, encourage users to enable
`Google Play Protect, and identify any PHAs that are installed on the device.
`
`As we celebrate Android security's successes in 2017, we are far from content.
`We look forward to eradicating more PHAs, further enhancing privacy and
`security in future Android releases, and providing the most up-to-date security
`features across Android devices. We are deeply grateful to our ecosystem
`partners, developers, researchers, and the rest of the global Android community
`for helping to protect Android devices and users.
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 9 of 14 PageID #: 19212
`
`Google Play Protect
`
`Google Play Protect
`in Settings
`
`• - _. I 445
`
`Play Protect
`
`i
`
`(-
`
`ft Google Ptay Prote:;t regula rly chec<s your
`Vlf apps and dev ce fOf !'" armful behawor
`
`Vou11 be notrfi ~ of imy securrty
`risks found.
`
`LEARN MORE
`
`RecMt~· $C3nne-d apps:.
`
`M • a ".
`
`Scan de,.,ce for secunty threats
`, c:.1-dt
`'" •d
`·~
`~.1•1)'
`'
`:t
`'•
`.....
`
`lrrprove harmfLI i pp ~ etectton
`~ u'16<r ;,,.
`is:Ds ·o Co::iq
`fOf
`
`•
`
`••
`
`•
`1f :c·ecl>O •
`•
`
`Google has long contributed to the security of Android devices with
`multiple layers of on-device and cloud-based technologies . All devices
`with Google Play have a set of endpoint and mobile threat protection
`services that protect against common threats, including network attacks,
`app exploits, potentially harmful applications (PHAs), and physical
`attacks, such as device theft.
`
`In 2017, these protections evolved to form Google Play Protect, which
`provides a visible home for Google's comprehensive security protections
`for Android . While Google Play Protect's core features have been part
`of Android for years, we added several features that better identify and
`address mobile threats in 2017, which we'll cover below.
`
`Google Play Protect leverages the technical talent of security experts,
`app analysis, response tools, and machine learning advancements
`to detect PHAs. It also presents device security information in Settings
`and Google Play, providing users with comfort, ease, and control over
`their device's security.
`
`Google Play Protect is enabled on over
`2 billion devices running Android 4.3+
`with Google Play, and constantly works
`in the background to keep users' devices
`and data safe.
`
`Google Play Protect regularly updates across all devices to remove
`new threats; it doesn't rely on releases or Over the Air updates (OT As)
`to improve.
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 10 of 14 PageID #: 19213
`
`On-device protections
`
`This table lists Google Play Protect's on-device capabilities with a brief
`description of how they help keep devices and data safe. Most of these services
`integrate with a cloud-based component that allows Google to push updates.
`
`The following sections explain how these on-device protections work
`and details new features and improvements made in 2017.
`
`Service
`
`I
`
`Protection
`
`Collection of mobile threat protections and removal
`options for downloaded PH As including:
`
`- Automatic daily PHA scanning
`
`PHA scanning
`
`- User-initiated, on-demand scanning
`
`- Scanning for threats even when device is offline
`
`- Automatically disabling or removing PHA threats
`
`- Uploading new apps to the cloud for scanning
`
`Find My Device
`
`Protection for lost or stolen devices (Formerly Android
`Device Manager)
`
`Safe Browsing
`
`Protection from deceptive websites
`
`Developer APls
`
`APls that allow third-party apps to use Google's
`security services
`
`PHA scanning services
`
`Google Play Protect leverage cloud-based app-verification services to determine
`if apps are potentially harmful. Google Play Protect scans Android devices for
`evidence of PHAs. If it finds a PHA, Google Play Protect warns the user and can
`disable or remove particularly bad PHAs.
`
`Daily PHA scan
`Since 2014, Google Play Protect's Verify Apps service runs a periodic
`full-device scan that looks at apps before installation and runs regular scans
`on all installed apps. If a PHA is found, a notification asks the user to remove
`it In cases where the PHA has no possible benefit to users, Google Play
`Protect can remove the PHA from affected devices and block future installs.
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 11 of 14 PageID #: 19214
`
`We have always scanned devices for PHAs about once every 6 days. (Devices
`that had indicators of installed PHAs or other risk factors were scanned more
`frequently.) In 2016, we started scanning all devices for PHAs once a day. Daily
`scanning allows Google Play Protect to respond quickly to a detected threat,
`reducing how long users could be exposed to the threat and how many devices
`may be affected. To conserve data, these daily scans only contact Google
`servers to request verification when a suspected PHA is detected.
`
`In 2017, daily scans led to faster identification
`and removal of approximately 39 million PHAs.
`
`Though Google Play Protect works in the background, users can check when
`their device was last scanned and the list of scanned apps in the Google Play
`Protect section of their Google Play app.
`
`On-demand PHA scan
`In addition to a lightweight, daily, automatic scan, users can start a full(cid:173)
`device scan at any time. Upon request, the device contacts Google servers
`for the latest information and scans all apps on the device. If a harmful app
`is discovered, Google Play Protect notifies the user to take action or takes
`action on their behalf This visibility gives users peace of mind that they have
`the latest protection at all times .
`
`Offline PHA scan
`In early 2017, we investigated more PHA install patterns. Our research
`showed that about 35% of new PHA installations occurred when the device
`was offline or had lost network connectivity before Google Play Protect
`could determine if an app was a PHA.
`
`To address this, in October 2017, Google Play Protect added offline
`scanning, which helps prevent well-known PHAs from being installed offline.
`When the device regains network connectivity, it undergoes a full scan .
`
`Since October 2017, offline scanning blocked
`over 10 million harmful app installs.
`
`Automatically disable PHAs
`In November 2017, we updated Google Play Protect to disable PHAs without
`uninstalling them . Whenever possible, we try to leave as much choice in users'
`hands as possible. To walk the line between user choice and safety, when
`Google Play Protect detects certain kinds of PHAs, it automatically disables
`
`User-initiated scan
`in Google Play Protect
`
`• - ~ I 44!
`
`Play Protect
`
`l
`
`f-
`
`. . Google Play Protect regul!irto; checks your
`'VI apps and de-1ice for rarmrut behavicr.
`Vou'I be not rf~ of any secumy
`nsks found.
`
`lCARN MORE
`
`Recent!-,• scanned apps:
`
`ea M ·
`
`Looks good
`Play Prote ·t s
`
`aPl"I ng
`
`Scan de-"lce for secu111y threats
`:tw-::•. )"CJ" ·:tevr::.r ~~d
`C ...q w uq.11•
`'li:'m
`p~.1:it1,11·.-. . . . ..,1p;..11:
`
`lmp(ove ha1mf1..I app detection
`:ps 'c Gooq~ f(Jf btn'r
`"lkr ,
`.""'1
`
`•
`'t1.1.C •
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 12 of 14 PageID #: 19215
`
`the app. Users are asked to uninstall the app or re-enable it without losing
`their data. This mitigates the potential harm the PHA could cause while
`providing minimal inconvenience to the user while they decide what to do.
`
`In 2017, Google Play Protect automatically
`disabled PHAs from roughly 1 million devices.
`
`Review apps from outside of Google Play
`Because we try to protect users from PH As regardless of the source,
`it is important that our systems analyze and understand as many apps
`as possible.
`
`Google reviews all apps before publishing
`them in Google Play.
`
`In addition to reviewing apps submitted to Google Play, our cloud-based
`systems look for apps in publicly available sources . Google Play Protect
`also reviews the apps it finds outside of Google Play for PHAs.
`
`Users can allow Google to review new apps by enabling "Improve harmful
`app detection" in Google Play Protect on their device. This feature sends
`apps that we haven't previously analyzed to Google. The more apps our
`systems analyze, the better they are at identifying and limiting the impact
`of PHAs for all devices.
`
`In 2017, Google Play Protect reviewed about
`23 million new apps, up 65% from 2016.
`
`Find My Device
`Since 2013, Google has provided the Android Device Manager service
`to locate lost devices. In 2017, this service got more features and became
`Find My Device.
`
`Find My Device is enabled by default on Android devices running Android 4.4
`and above. To work, the device needs to be connected to the internet, signed
`in to a Google Account, and have Location enabled .
`
`In 2017, we helped users find their lost devices with the Find My Device app
`and android.corn/find . In addition to a better app and website, we added
`these new features:
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 13 of 14 PageID #: 19216
`
`- Display last known location. If the device isn't connected to the internet
`and can't report its current location, Find My Device displays the last known
`location of the device from the user's Google Maps location history. Users
`can also launch Maps' location timeline from the Find My Device app so they
`can retrace their steps.
`
`- Display last connected Wi-Fi access point. Helps users determine the
`location of their lost device (such as, home or work) even if the device can't
`be reached to report its location.
`
`- Display battery level. Helps users estimate how much longer they can reach
`their phone.
`
`-
`
`Improved usability. It's now easier for users with multiple devices to select
`the one they're looking for and perform common actions, such as ring, lock,
`and erase.
`
`Android Wear and Google Home also support Find My Device. Users can find
`their watch with their phone and their phone with their watch (as long as both
`devices have location enabled) or ask their Google Home to find their device
`by saying, "Ok Google, where is my Phone?"
`
`Developer APls
`Since 2013, Android devices have included SafetyNet, which allows devices
`to contribute security-related information to Google's cloud-based services.
`This can include information about security events, logs, configurations, and
`other security-relevant details
`
`In 2017, SafetyNet added new APls to allow developers to raise the security
`bar for their apps.
`
`The SafetyNet attestation API helps an app evaluate whether it is talking
`to a genuine Android device For more information, see the developer
`documentation and the SafetyNet API Samples on GitHub.
`
`In June 2017, SafetyNet launched the reCAPTCHA API, which uses an advanced
`risk analysis engine to protect apps from spam and other abusive actions. If the
`service suspects that the user interacting with an app might be a bot instead
`of a human, it serves a CAPTCHA for the user to solve before continuing. Since
`its release, many major social, travel, and gaming companies have incorporated
`this API to help keep their apps safe. For more details, see the reCAPTCHA
`Android API biog post.
`
`
`
`Case 2:17-cv-00514-JRG Document 221-5 Filed 02/21/19 Page 14 of 14 PageID #: 19217
`
`Developers and enterprises can use the Verify Apps API to determine whether
`a device is Google Play Protect capable, encourage users to enable Google Play
`Protect, and identify any known PHAs that are installed on the device. For more
`details, see the SafetyNet Verify Apps API biog post.
`
`Safe Browsing
`Google introduced Safe Browsing in 2007. Safe Browsing protects users against
`threats by allowing apps to check URLs against lists of unsafe web resources,
`such as social engineering sites (phishing and deceptive sites), and sites that
`host PHAs or unwanted software. When users attempt to visit an unsafe web
`resource, their Safe Browsing-supported browser displays a warning.
`
`In 2016, Safe Browsing added a device-local Safe Browsing API and started
`protecting users from repeatedly dangerous websites.
`
`In 2017, Android 8.0 added Safe Browsing as an opt-in feature. Now apps can
`choose to easily take advantage of the Safe Browsing API, which protects users
`from phishing and PHA host sites while they are browsing in the app's Web View.
`Together with Chrome, Safe Browsing protects over 3 billion devices and shows
`over a million warnings a month.
`
`Cloud-based security analysis
`
`Google analyzes data from over 2 billion Android devices to identify signals
`that indicate potential abuse or security concerns . This section describes how
`we updated our analysis capabilities in 2017.
`
`Application security analysis
`Before apps become available in Google Play, they undergo a review to confirm
`that they comply with Google Play policies. Google created an automated
`app risk analyzer that performs static and dynamic analysis of APKs to detect
`potentially harmful app behavior. If the risk analyzer discovers something
`suspicious, it sends the offending app to a team of security experts for
`manual review.
`
`For a more details on our security analysis process, see 2016's Year in Review.
`
`Machine learning improvements
`In 2016, our systems started using machine learning to help detect and classify
`mobile threats. Machine learning consists of training a computer algorithm
`to recognize behavior by giving it hundreds of thousands of examples of
`that behavior. In 2017, we expanded Google Play Protect's machine learning
`
`