Mobile, app, and IoT Security
Protecting data and devices worldwide
With the dramatic rise of state-sponsored cyber attacks and malicious actors online, we believe our products and services are only as helpful as they
are secure. At Google, we are more focused than ever on protecting people, organizations and governments by sharing our expertise, empowering
society to address ever-evolving cyber risks and continuously working to advance the state of the art in cybersecurity to build a safer world for everyone.
As such, it's imperative for us to stay ahead of the curve and constantly evolve our security solutions to tackle the ever-growing threat landscape,
particularly when it comes to securing all connected devices and apps, in order to provide consumers with a safe environment where they have agency
and choice in the devices they engage with.
Challenge
Connectivity comes with a price
We conduct so much of our daily lives from our smartphones, apps, and IoT devices—spending more and more time online and sharing more and more
valuable data, such as banking or healthcare information, in the process. Because of this, sophisticated cybercriminals are targeting these devices more
than ever before to obtain sensitive information.
More devices, more data—more threats
There are now an estimated 17 billion IoT devices in the world, from printers to garage door openers, each one packed with software (some of it open-source) that can be easily hacked.[1] Overall, the number of compromised IoT devices almost doubled in 2020.[2]
Although we are becoming deeply connected through IoT devices, there are no global standards for measuring the security quality of connected products leaving consumers to make uninformed device security decisions.
Consumers should have the right to transparency about their digital products just like they have the right to know what ingredients are there in the food or cleaning supplies they purchase.
Mobile devices are just one vector to other attack surfaces, and the interconnectivity of devices increases the need for security transparency at scale. Hence, the security of the connected device ecosystem is as important as the security of networks and systems.
[Figure: Our collaboration with industry organizations. Legible text: NEST]
Our Solution
At Google, we’re advancing the security and transparency of our connected devices through mobile, app, and IoT security:
Mobile Security
Android, our open source operating system, leverages a layered security approach to keep mobile devices safe:
Layered Security
• Verified Boot, roll-back protection, and factory reset protection ensure the latest, safest Android version.
• PIN and biometric authentication shield against outside access.
• ‘Find My Device’ helps locate the device or wipe it clean if it’s stolen or lost.
Identity and password protection
• 2-Step Verification, Phone as a Security Key, and Password Manager shield your Google account against outside access.
• Security checkup and optional Advanced Protection keep the device running safely and smoothly.
Anti-phishing protection
• Phone by Google and Messages by Google help detect and prevent scam and phishing attacks.
• Google Safe Browsing safeguards over 5 billion devices globally.
App Security
Out-of-the-box anti-malware helps keep bad apps out and data safety information provides transparency to users when downloading apps.
Google Play Store: Machine-learning detection tools and human analysts review all apps before they’re available for download. Data Safety section explains what types of data apps collect and what that data is used for.
Google Play Protect: Scans more than 125 billion apps every day and notifies, removes, or disables if security risks are detected.
App Defense Alliance (ADA): Google worked with top mobile threat detection partners to launch the App Defense Alliance that helps safeguard Android users from Potentially Harmful Applications (PHAs) through shared intelligence and coordinated detection.
IoT Security
IoT security labels clearly convey privacy and security practices on a device, like what data is being collected.
We believe in five core principles for IoT security labeling schemes: live label, evaluation schemes, security baselines coupled with flexibility, broad based transparency, and adoption incentives.
We are working with the Connectivity Standards Alliance (CSA) and GSM Alliance (GSMA) to standardize an industry-wide certification program for existing and future regulatory requirements.
Our Principles
At Google, we apply 3 core principles to advance the security and transparency of our connected devices:
Defense in Depth: We utilize multiple layers of security architecture that work together to build a strong defense that runs smoothly and effectively.
Open & Transparent: Transparency is key to our philosophy. By keeping our platform users informed and sharing knowledge to bolster our protection, we believe an open source ecosystem can be more secure than a closed one.
The best of Google and our Ecosystem: We partner with expert teams across Google and the industry to help keep billions of users safe.
Applications
IoT security labels: putting control in consumers’ hands
Without established IoT security labeling, there are no global standards for device manufacturers to follow. Users also don’t have the visibility they deserve
into whether their devices protect their data. The industry needs to come together to push IoT security forward and put control back in the consumers’
hands. We’re working towards an IoT security labeling scheme through our processes and partnerships.
First, we invest in outside security research to pinpoint possible vulnerabilities (Google Nest participates in the Google vulnerability reward program
and provides rewards for security researchers outside Google who find vulnerabilities).
From there, we issue critical bug patches and fixes for at least five years after launch.
All our devices developed in 2019 and beyond use Verified Boot to ensure the right software is running and access is protected. For example, our
Google Nest devices are validated using third-party, industry-recognized security standards, like those developed by NIST, ETSI, and ISO.
These standards, and our secure Software Development Life Cycle (SDLC), reduce the likelihood that consumers will be exposed to poor security practices
and pave the way for an open, safer internet.
Our industry investments and milestones
2007: Safe Browsing established to proactively alert users when they visit dangerous websites and now protects over 5 billion devices.
2010: Google Transparency Report launched to show how governments and corporate policies and actions affect privacy, security, and access to information online. In 2018 we added an Android specific Transparency Report.
2017: Launched Google Play Protect which is now the most widely deployed anti-malware solution scanning over 125 billion apps a day across 3+ billion devices.
2019: Security Key introduced as a built-in feature on Android and then for iPhone in 2020.
2022: Google Play launched a Data safety section to give people more information about how apps collect, share and secure users’ data and initiated the first badge system for any app that has completed an independent security review through the App Defense Alliance.
2023: Passkey: the passwordless future is being set into motion with extended passkey support after a decade of driving open standards with the FIDO Alliance and tech leaders worldwide.
Our Approach
Committed to an open, secure digital world
Security concerns will only heighten with more data on more devices across different networks. We're helping advance the future of connected device
security through our product development, transparency criteria, and industry partnerships.
A cornerstone of our product strategy is ensuring our products are secure by default. Safe Browsing, Google Play Protect, and built-in Security Keys protect mobile devices and apps to give the highest level of security in our products.
We help democratize security operations by being open and transparent in how we tackle issues and sharing connected device security knowledge. We believe an open source ecosystem can be more secure than a closed ecosystem with our layered security approach.
By collaborating within CSA, ADA and GSMA, we strive to advance the state of the art in cybersecurity for a safer internet and future for all.
We are committed to raising the bar for connected device security and setting the standard for
a safer online environment for everyone, everywhere. Learn more about Google’s progress in
connected device security: g.co/connecteddevicesafety
Sources: [1] CNBC Cyber Report, Jan 9, 2023; [2] What is an IoT Attack? The Ins and Outs of IoT Security, July 20, 2021