Google turns on safe browsing for Android users by default

Android users no longer have to worry about whether 'safe browsing' is turned on
Android users no longer have to worry about whether 'safe browsing' is turned on

Google has enabled safe browsing by default in its Android devices in a bid to prevent users accidentally visiting malware-infected websites.

In an official security blog, the search engine company said that its Safe Browsing technology (a technology that blocks bad sites before you can enter them) was now enabled by default on all Android devices.

The feature has been part of its desktop browser for some time and protects users against phishing websites and other malicious attacks.

Until now, the feature could be turned on if users switched on Google's optional data compression service. However, it will be available to all without any user changes.

Google said that making the feature available to all required a lot of effort.

“Social engineering — and phishing in particular — requires different protection; we need to keep an up-to-date list of bad sites on the device to make sure we can warn people before they browse into a trap. Providing this protection on a mobile device is much more difficult than on a desktop system, in no small part because we have to make sure that list doesn't get stale,” said Noé Lutz, Nathan Parker, Stephan Somogyi of the Google Chrome and Safe Browsing Teams.

“Bytes are big: our mantra is that every single bit that Safe Browsing sends a mobile device must improve protection,” said the team. “Network bandwidth and battery are the scarcest resources on a mobile device, so we had to carefully rethink how to best protect mobile users. Some social engineering attacks only happen in certain parts of the world, so we only send information that protects devices in the geographic regions they're in.”

The firm added that it made sure that Safe Browsing didn't just minimise network traffic but also optimised the service for low memory and processor usage.

According to Google, the new Safe Browsing client on Android is part of Google Play Services, starting with version 8.1. Chrome is the first app to use this, starting from version 46. User can check if it is enabled by looking at Chrome's settings and tapping on the Privacy Menu. There you will be able to see if Safe Browsing is enabled. To make sure it's working, head over to Google's Safe Browsing test site.

The move comes after an update to Chrome that patched several vulnerabilities in the browser. That update comes after another update that fixed 41 security flaws.

Marko Skomersic, head of Solutions at HAUD, told SCMagazineUK.com that the introduction of Safe Browsing for Android users is a welcome step and should help improve the system's security reputation.

“However, perhaps the greatest long term challenge to Android security is the growing number of cheap non-Google supported devices arriving in Europe from Asia,” he said.

“SMS messages containing malicious links is one of the most common forms of attack on these types of devices, and Google itself is powerless to protect devices outside of its own ecosystem. Operators have a part to play too, and must ensure they keep their networks safe from the types of traffic used to launch these attacks.”

Dave Lodge, security consultant at Pen Test Partners, told SC that the move would bring phishing protection to the same level as that for desktops, so will have a slight improvement against standard but not custom attacks. “Dangerous websites are already safer on Android than on desktops due to the Android sandboxing of apps.”

He added that Android devices are “implicitly more secure than Windows desktop due to the internal design of the app sandboxing”, but said that the move would make IT security's job any easier. “it will catch the most common phishing/malware dropper sites. It won't protect against any custom attacks”.

He said that the measures needed to compliment Safe Browsing on Android devices would be the same as the would on desktops. “Ring fence corporate data through MDM and containers,” said Lodge. “I wouldn't bother with mobile device AV — it's mostly snake oil on mobile devices.”

Sign up to our newsletters