The biggest value proposition of Google’s Android, its openness, requires a distinct approach to security. On Wednesday, at the 2016 Structure Security conference in San Francisco, Google’s Adrian Ludwig took the stage to explain how the Android team balances openness and security.

Ludwig, who is the director of security for Android, opened by explaining that the approach Google has been taking to keep Android as open as possible is also a strategic decision from a security standpoint.

“We believe that being as open as possible will ultimately lead to better security,” Ludwig said.

Android is often criticized for not properly vetting the apps that end up on its app store. Ludwig said that there are measures and safeguards in place for the Google Play Store that he believes are likely similar to those implemented by Apple in its App Store.

However, he said, Google believes that allowing for any expression on mobile is important. That has led them to allow for third-party app stores, which is where many of the major malware scares for Android have originated. Still, does that mean that Google isn’t responsible for protecting those stores as well?

In terms of malware, Ludwig said that his team definitely has to think about it and is actively working against it. According to Ludwig, over a billion devices have an endpoint security system on them that allows Google to better monitor the devices and safeguard against bad apps or malware. In terms of spyware incidents, Ludwig said those are very rare.

Ludwig said he is most worried about developers who are trying to establish push messaging to promote applications, a type of commercial fraud.

Another major worry for Ludwig is the supply chain. Smartphones have a complicated supply chain, and he wants to make sure he has true visibility into that chain and what happens to the devices along the way, especially at the chip level.

Being open source means a certain level of transparency is coming from Android. But, as Ludwig mentioned: “Transparency doesn’t solve the problem.” Platform providers need to provide transparency, Ludwig said, but they also need to be responsible for what happens “because of that transparency.” So, he said, they need to make everything visible, but they need to shepherd that transparency in the right direction.

One of the biggest challenges in the Android ecosystem is the issue of device updates. This is an issue for IoT devices as well as Android smartphones, Ludwig said, and Google is trying to solve it from a technical standpoint, but also from a business standpoint. The core problem, he noted, is that building a software supply chain that encourages updates is difficult for manufacturers and often costly.

On the Android level, Ludwig said they are continually working on a smoother update cycle. Google has also been working on building features like verified boot on Chrome OS, and now on Android, that will help return the device to a secure state after it’s been compromised.

In the past, security has been tactically focused. Now, in a strategic shift in mobile and cloud, Ludwig said that manufacturers and companies are starting to realize that they can no longer rely on users or entities to protect themselves. That’s a major shift that he believes will define the next 10-15 years of security.

The 3 big takeaways for TechRepublic readers

  1. Android’s balance between openness and security is the biggest challenge facing the Android ecosystem.
  2. Updates continue to be problematic for Android, and Google’s Adrian Ludwig explained that this is because building a software supply chain that encourages updates is expensive and difficult.
  3. Companies realize they can’t rely on users and entities to protect themselves, so they must take a stronger role in guaranteeing security.