A survey on android security: development and deployment hindrance and best practices

Android OS is the most popular mobile OS for the past few years. Vulnerabilities arise with respect to the increasing functionality of Android OS, impolitic app development practices of developers, end-user incautious and interestingly remediation for the vulnerabilities has been introduced frequently as well. To mitigate security risk factor Google has been updated, deprecated and restricted many system level APIs for 3 rd party developers. Considering the consequences, this paper provides a wide overview of Android’s system level app development, privacy issues, and guideline for the developers about what measure they should consider while developing apps. We also discussed the historical development of Android OS and the end-users role to maintain privacy and to minimize security risks. This is an open access article under the CC BY-SA license.

INTRODUCTION Current age is considered as the age of mobility. To communicate in a long-distance, we don't have to wait for days or hours; now we can communicate almost in real-time. The rapid and accelerated development in communication technology and mobile devices in recent years have made this possible. From the early nineteenth century to date, the development of mobile devices boosts massively [1]. Earlier, the only use of mobile devices is to talk with someone in a long distance but today's mobile phones specifically smartphones are powerful hand-held computers. Like any traditional computer, every smartphone operates based on its operating system. Android, iOS, Tizen, KaiOS are the major of this kind [2].
Today's smart phone Operating System (OS) allows other software to run on the phone to provide diverse functionalities to the users. It enhances the user experience but security and privacy is the main concern by allowing 3 rd party apps on users' private device quirolgico2011vetting. Moreover, unfortunately, security and privacy are not one of the main targets of many small to big 3 rd party app developers [3]. As a result, smartphone OS developers naturally don't want to allow 3 rd party apps to access root level and sensitive information. Being a flexible smart phone OS at the beginning, Google's Android is also following the restrictive access method. Accessing system-level information, system log and other sensitive information are now being restricted continuously. On our studies, we have found that development of many device optimization and security-related apps had stopped due to permission depreciation. On the other hand, more problems arise with the non-guided practices by the developers. Developers often don't find the necessity of following the rules and recommendations for developing apps on the mobile platform, and it is very hard to monitor and mine the source code and app behavior to detect unwise programming and harmful activities of the apps. Though the developers, engineers and some machine learning based technologies are always trying to find harmful apps on Google Play Store [4,5].
There are a few research works on Android's security issues in the app development and adaptation phase. Jha et al. [6] studied on 13,483 real-world Android applications and found only 2,373 apps with no configuration errors; this is a development phase scenario. These security issues become more severe when studies found that security and privacy are not the primary tasks of the developers [3]. Security and privacy are shared responsibilities of both the app service providers and the end users. Usage-pattern and misuse: both intentionally and unintentionally may raise the probability of security threats to the end users. Google's Android help and support center provide some simple guidelines for the Android device users for helping the device and information safe and secure [7].
A detailed survey on application and android ecosystem found some improvements over the traditional software systems [8]. But while improving some aspects of the ecosystem, it has also introduced a new range of problems. Moreover, a detailed analysis of Android and iOS showed that "Privacy by design" is better for mobile platform [9]. This ultimate power of platform should be enforced by the authorities to define and strictly regulate the privacy boundaries. There exists no such survey on these factors where the readers may find the current state of Android security and privacy violation, major changes in Android from the developers' point of view, restrictions and best practices for the developers as well as the users.
We have studied mobile app security related papers and blogs, privacy policies, tested different 3 rd party apps, open source projects and analyzed some of the helper classes of Google. There are very few resources on the current system level Android development. The objective of this paper is to summarize our findings from the mobile development history to the present age, including android development hindrance in different aspects, security and privacy issues, guidelines towards safe development and significant facts about the platform as well as the whole ecosystem.
The contributions of this paper are (i) discuss security vulnerabilities and possible solutions, (ii) development restrictions, (iii) recent changes and improvements, best practices for both the developers and users as well as some suggestions for the manufacturers in an organized fashion so that both the Android developers and the users could find it useful in a simpler way.
The rest of the paper is organized in the following sections. In section 2, we briefly describe the mobile device as well as the smartphone operating system development history. Section 3 characterizes the overall scenario of mobile app development, restrictions, and guidelines. Major issues of system level android app development are described in section 4. Best practice for the users to avoid security and privacy threats and recommendations for the developers for safe and secure development are explained in section 5 This section also includes the demand from the manufacturers as the developers' and the users' point of view about which security-related features should be added for the future release of Android. Applications of our findings, discussions as well as concluding notes are expressed in section 6.

MOBILE OS DEVELOPMENT HISTORY
iOS is a powerful mobile operating system, developed by Apple Inc. originally unveiled in 2007. It is the second most popular OS till now. At that time, Google was still working on Android secretly; but in November of that year, the company started to reveal its plans for Android and its functionalities. Finally, Android was released at the end of 2008. This is the beginning of today's Android revolution in the smartphone market. Now, Android is the most popular mobile OS worldwide [10]. We will discuss the mobile phone's operating system and the mobile phone development history in the following two subsections.  a number of experimental pocket-sized communications radio in 1957-1961. The weight of one model was only 70 g and it was palm-sized. The first commercial mobile phone was introduced by Motorola. In 1973, they made the first public mobile phone call on a device that weighed 1.1 Kg [11]. In the past 30 years, there were some major changes in the mobile phone architecture. Numerous revolution had been occurring in that era. Later in the late '90s, a closed-source mobile operating system called Symbian has been developed. People in that decade experienced a new form of the mobile OS which was specially designed for multitasking. On the other hand, Series 40 was a software platform, worked as OS, introduced by Nokia in 1999. It was one of the world's most widely used mobile phone platforms but it is not considered as a smartphone operating system because of its limitations. In the meanwhile, Symbian was the most popular smartphone OS until the end of 2010. Obviously, the market was slowly captured by the iOS and the Android from 2007. Timeline 1 shows the historical development of mobile phones, mobile operating systems and finally the development of Android OS till date. Google had at least two alpha builds of Android released internally before the release of version 1.0 at the end of 2008 [12]. The leading manufacturers, such as HTC, Motorola, Qualcomm, Texas Instruments and carriers including T-Mobile agreed on a formation for future mobile and related software production which is called Open Handset Alliance. For the promotion of the Android platform as a reliable smartphone operating system, OHA members are forbidden from producing devices based on incompatible forks of Android.   the market for several years and Android smartphone became a strong preference for the general people because of its' functionalities like easy file sharing and backup, enriched app-store, gaming and so on alongside with its comparatively lower price tag. Moving on, Android versions from 5.0 to 9.0 gradually have grabbed around 75 percent of the whole mobile market share [13].

3.
BIG PICTURE Android OS is significantly popular than any other existing smartphone OS. Table 1 shows the smartphone OS market share in 2019. According to Global Stats, Android OS is the dominating smartphone OS with its 75 percent market share [14]. The number of active mobile users around the globe is 4.93 Billion [15]. The primary goal of developing a mobile phone was to communicate with others. But, today's phone can do much more. Due to the increasing functionality of mobile phones, vulnerabilities arise which has become a serious concern for both the manufacturers and the developers. Many of the security vulnerabilities are unintentional, e.g., poor programming practices, app developers fail to validate input from the web, allowing adversaries to access the TELKOMNIKA Telecommun Comput El Control, Vol. 18 protected files, etc. Vulnerabilities can also be intentional as well as malicious and can be hidden within a seemingly safe and legitimate app, i.e. a simple paint app asks for internet and GPS access [16]. Security vulnerabilities and unwise programming practices can lead to the following issues: (a) Users' privacy violation (b) Performance degradation (c) Heavy battery drain (d) Poor end-user satisfaction (e) Malware, virus, adware attack, etc. Vulnerabilities result from security threats which are created with the collaboration of a group of hackers and unethical employees. The top security threats are discussed in the following:

Malicious app
Malicious apps are specially designed to attack smartphone systems. These malware apps significantly relay on the exploitation of OS and software technology of smartphone. We can enlist the malicious apps into the following four categories: [17] (a) Spyware (b) Trojans (c) Phishing (d) Hidden processes

Spyware
Spyware is unsought software that pervades one's computing devices by robbing his/her internet usage data and other sensitive information like personal information without his/her knowledge of it. Spyware is a kind of malware designed to gain access to one's device. The intentions of using spyware are diverse e.g., for tracking login information, selling internet usage data, capturing credit/debit card information, etc. Some spyware is able to install additional applications and they can change the settings of the victim's smartphone. According to the Norton Cyber Security Insights Report, in the year 2017, nearly 978 million people from 20 countries were attacked by cybercrime and victims lost 172 billion USD globally and spyware caused more damages than other types of malicious app [18].

Trojans
Trojan is a kind of malware that is often faked as legitimate software. Trojans can be devoted by hackers and other cyber criminals to gain access to someone's computing device and can severely damage the system, e.g., deleting, copying, disrupting, blocking and modifying data. Some common form of trojans includes Trojan-SMS, Trojan-Notifier, Trojan-Spy, Trojan-Mailfinder and so on [19]. Sometimes it is hard to ensure the absence of trojans in a system as they may not harm directly to the users rather steal the private and sensitive information silently.

Phishing
It is a type of social engineering attack designed to gain access to someone's private information, e.g., credit card information and login credentials. The cyber thieves accomplish this by misleading people in very convenient ways. For example, one may receive an email which claims that his/her password for a specific website is about to expire within 24 hours and put a fake link which looks very legitimate to renew the password. Once the victim inserts his/her login credentials, the attacker captures the original information and eventually get access to his/her private data.

Hidden processes
These are the applications in which some anonymous activities are embedded without providing any knowledge to the users. For example, a gaming application scans for the nearby wireless devices which is not necessary for any of the gaming functionalities. These types of hidden operations can harm users and user experience.

Malware downloader
A malware downloader (i.e. trojan downloader) is a harmful application, basically installed by an exploit or some other fraudulent causes like an email attachment or a downloaded image that triggers to install the malicious program onto a victim's computer [20].

Hidden ads
"It won't hurt if you don't know it." is a common proverb but unfortunately, this phase isn't suitable for today's smartphone security risks. Many of the free apps contain excessive ads that are available in the app store. That is legal because they acknowledge both parties that the app contains ads. But some malicious app contains hidden ads that may be harmful to users. Often these apps cause slowing down the device, sucking mobile data, draining the battery and so on. A recent study has shown that more than 5000 apps of both the major smartphone platforms contain hidden apps. It also causes a huge amount of loss to the advertising organization. They lose about $85 million per year because of the hidden ads [21].

Premium text
Sometime we may receive some messages from a four or five digit phone number e.g., get jokes for USD1 per month or send STOP to cancel the service. Majority of the users may not activate the service so they are not concern about it but after a month they get a bill of USD1. This unintentional or fake registration to a service is done by some scammers and fraudsters. They sign up for the victim by using the victim's phone number from some websites [22].

Mobile spy
Mobile spying applications have been developed to monitor child or employee's mobile and tablet usage. Targeted ads are a major source of income for an ad network which may enable this type of attackers to mine the personal information of a user [23]. Table 2 shows the top enlisted mobile threats in 2016-2017 along with their percentages. Being the most popular smartphone OS, Android has a much bigger target for malicious attacks. According to an industry research firm "J. Gold Associates" companies that manufacture Android-powered devices should take necessary measures to make global policies to mitigate security risks that the platform may pose due to its' massive growth [24]. On the other hand, though Google's Android OS is an open-source OS, it has restricted a lot of features for 3 rd party developers. The 3 rd party developers have minimized developing security related stuff due to Android's core level restrictions. For example, AutoStart restriction has been introduced in Android version 3.1 (Honeycomb), Android 6.0 (Marshmallow) update restricted apps' ability to find the current running task by using the getRunningTasks() API [25].

MAJOR ISSUES OF SYSTEM LEVEL ANDROID DEVELOPMENT
Android OS has been developed, changed and modified significantly in recent days. Security-related development, as well as process handling API, is becoming deprecated for the 3 rd party developers and Google has clearly mentioned that this is the job for mobile manufacturers [27].
Currently, developing apps for the root level platform optimization is not feasible without root access which is only available for manufacturers and trusted developers. This is mainly due to the continuous permission restrictions in every major release of the Android OS. This domain will be discussed in the following three subsections.
(a) Android security restrictions for 3 rd parties (b) Recent changes in android permission (c) Feasibility of developing security related apps 4.1. Android security restrictions for 3 rd parties Android is continuously restricting access to 3 rd party apps for different types of resources and raw data. Gradually, the majority of the apps developed to serve the purpose of further platform optimization such as battery optimization, security checking, process optimization, etc., had stopped from developing further. Some of the restrictions are shown below.
(a) Limiting directory access: world-writable directories may lead to security weaknesses and enable an application to manipulate trusted files. A proper file scanning scheme is mandatory for a security-related 3 rd party app for better threat detection [27]. (b) Logging data: it increases the risk of the exposure of core level system data and reduces system performance upon excessive requests. On the other hand, log information is necessary to gather information about the battery, CPU and network usage which are mandatory for device optimization and security analysts [27]. (c) Device Metadata: Android also restricts access to data that does not seem directly sensitive, but that could lead to revealing characteristics about the user, user preferences, and other stuff [28].

Recent changes in android permission
Android has changed as well as depreciated some system level permissions and APIs. It has led some old applications to a non-workable state in the newer versions of Android. Figure 2 summarizes the changes in recent Android versions which includes battery and memory optimization, performance enhancement and others. Runtime Permission: In Android 6.0, a new mechanism, called runtime permission, is added so that the user can identify what permissions are needed for a particular app and this gives them a chance to review the permissions to judge whether it is worthy or not. This technique reduces security risks via permission violation [29].
Doze and App Standby: If a device is stationary and idle along with the screen off, the device goes into doze mode. It is like a sleep state of the system and app standby technology enables the system to perceive that an app is idle.

Changes in Android 7 (Nougat)
Battery and Memory: In Android 7.0, the system's characteristics was changed to enhance the battery life and the memory optimization of devices. Improvement of Doze: Battery life is improved by 'Doze' by limiting CPU and network activities. Doze triggers when a user keeps device unplugged; could be moving or stationary, with the screen turned off.

Changes in Android 8 (Oreo) (a) Background execution limits (b) Android background location limits
Android Go: Android Go is a lightweight version of Android OS specially designed for low-end devices to run apps and other processes smoothly. The operating system was introduced alongside Android 8.0 (Oreo) and it's based on Android 8.0. This lightweight smartphone OS is optimized to run on smartphones having 1 GB or lower memory and it takes almost half of the storage than the regular Android versions [30].
Android Go devices are 15% faster in terms of apps opening than the regular versions. On the other hand, the apps may be faster and lightweight on Android Go but, they are lack of some features. The positive thing is that the developers can easily optimize their apps for the Android Go platform by following Google's "Building for Billions" development guidelines.

Changes in Android 9 (Pie)
Android 9.0 is the newest version of this OS offered from Google. It introduces a number of changes to the system behavior of the OS. Important behavioral changes are briefly described below [31]. Power management: Android 9 (API level 28) introduces brand new features to improve the power management of Android-based devices. These power management features are two types as follows: (a) App standby buckets: Analyzing the user's usage pattern, the system limits access to various resources like battery or CPU to the apps. (b) Battery saver improvements: The existing battery saving feature is improved with a wide area of restrictions. Privacy changes: (a) Limited access to sensors in background: In Android 9, apps running in the background can not access the camera, microphone, sensors using the continuous reporting mode as well as on-change and one-shot reporting mode. (b) Android 9 restricts apps' access to call logs and telephone numbers. (c) The system restricts access to Wi-Fi location and connection information.
Restrictions on use of non-SDK interfaces: The platform restricts the use of some popular non-SDK methods and fields if the developers attempt to access these directly, via reflection or using JNI. Security behavior changes: (a) The system's TLS implementation has experienced numerous modifications in Android 9. (b) Android 9 additionally restricts the system calls available to apps that use privileged syscalls.

Feasibility of developing security related apps
We have studied different types of utility apps developed for mobile device(Android) optimization and battery life enhancement. We have found some interesting facts, that is most of these apps didn't do anything right rather draining the battery and slowing down the performance. Android OS structure has been changing rapidly and the security involvements, process handling API, etc. are becoming deprecated for 3 rd party developers. Google has clearly mentioned that this is the job for mobile manufacturers.

BEST PRACTICES
The overall security and the privacy of an Android mobile phone user depend on the end user's usage pattern and awareness. The security and privacy related principals and efforts put by the developers in this field is also equally important for ensuring security and privacy. The first party such as manufacturers have a big opportunity to play important roles in delivering the latest security features, patches to the phone quickly. These three portions of security and privacy related practices all together result in greater protection and safety for the end users.

Best practices for the users
Almost every smart phone user has at least 100 apps on his/her mobile phone according to the survey of Fortune [32]. But, the user doesn't use all the apps. A user may need an application for a while, but after getting the job done, he/she may not delete the application, even though he/she does not require the app anymore. In addition, one may stop using many such applications. These unused applications can be detected as malicious apps [33]. Many of these unused applications may use resources, like the internet, geographic locations, call logs and other user permissions. It is harmful to a user. So, every user should follow some rules to keep his/her devices healthy, and some of the rules are shown in the Figure 3. In the following, we will discuss some important security practices that should be considered for avoiding unwanted vulnerabilities. Google Inc. and other manufacturers provide system updates which include security patches, features and functionalities, UI improvements and so on to overcome vulnerabilities and to ensure smoother user experience. To get the finest user experiences, it is definitely a good idea to update the phone software regularly. The newest versions of the software help the users to run their phones more smoothly and quickly with minimum numbers of lags and security vulnerabilities.

Installation of applications from untrustworthy sources
Unlike Google, may other third-party app stores never seem to concern about malicious applications on their stores. Many developers also offer beta apps that don't follow some of the Google's guidelines. Hence, it is a good practice not to install apps from any untrustworthy sources as well as the beta versions of smartphone apps.

Understanding app permissions
Android OS is getting better in terms of security enhancement day by day. From Android v6.0, runtime permission request is added. It means the user needs to agree with critical permission(s) during app usage. Though this process is safer than the previous versions' of agreement, people often make mistakes while opening the app for the first time: they often grant permissions without reading and knowing the consequences of it. They also do not check the list of permissions during apps installation. Instead, they just accept the requests without thinking about the consequences. It may be harmful because the developer could take advantages of it.

Data encryption and remote phone wipe
Encrypting the data of a smartphone can help to improve users' security and privacy one step ahead. A user can only get access to the encrypted data with a valid password or key. Encryption of a smartphone enables the needs for a password or key in every boot up of the smartphone. Apart from that, it doesn't change anything how a user uses his/her smartphone. From Android version 6.0, data encryption is enabled by default. Encryption may cause slowing down the performance of some older smartphone, but it doesn't affect today's Android devices. If an application does not meet certain challenges, it should not be installed on phone [34]. Anti-virus provider Kaspersky lab published a report that an IT-based company developed an app called "skygofree" which was released with 48 different commands that was able to risk a user's safety in several ways like it relies on 5 different exploits to achieve root privilege which allows it to bypass security key and it was also capable of location-based recording, capturing image, videos, calendar data and other personal information [35].
Although applying all the security measurement available, it won't feel good if the phone got stolen, unfortunately. If someone faces such circumstances that he/she won't regain his/her device again, it becomes necessary to wipe the phone. Google provides "find my device" option for all Google account linked Android smartphones. Victims need to head over to the "Google's Device Manager" website and log into the Google account and complete the desired operation. If the device has internet access, it is possible to call, set alert, find the exact location, lock or wipe the phone's data remotely from the device manager. The user must make sure that the Google account's password is strong enough so that anyone else can't wipe his/her smartphone.

Lock-screen and biometric scanner
Almost one-third of the total users don't concern about the lock-screen security and they use the traditional swipe-to-unlock method [36]. Though it helps to protect the phone from accidental touches when the phone is in the pocket but the phone can not provide any security barrier if the phone got stolen or compromised somehow. All type of Android smartphone offer PIN, password, and pattern (mostly) to secure the phone which can easily be enabled from the security options in the settings. Additionally, modern smartphones have been introducing biometric sensors like fingerprint sensor, iris, and faceID to enhance smartphone security. Among these multiple biometric-based methods, fingerprint-based biometrics is the most secure way to date.

Online backups
Limited storage on any smartphones could create some troubles, especially on lower storage smartphones. With the increasing media consumption and day to day online interactions and activities, the inbuilt phone storage is getting occupied quickly. This lead to slowing down the smartphone's performance, increase battery consumption and reduce the quality of user experience. A non-limited storage or at least visibly enough storage would solve the problem. On the other hand, if the phone is lost, stolen or damaged then all the important data and media might be lost forever if the data is not backed up. To preserve important data and access them from anywhere and from any device, cloud storage is a proper solution. Many online cloud service provider serves this purpose according to their own structure. For example, one can backup unlimited photos and videos to Google Photos free of cost. Dropbox, Google Drive, One Drive, etc. are offering online cloud storage.

. Online password selection and two-step verification
Thousands of smartphone users use easy passwords like 123456, phone number, birth date, and so on to remember it which is very simple to guess for an attacker. So, selecting passwords, especially for online accounts, should not be that much simple and straightforward job. A user should not use a single password to handle all his/her accounts because compromising one account's password can led compromise all other accounts of that user. To minimize the vulnerabilities, the selection of passwords must be based on some criteria. For example, every person should make his/her own reasoning for each password so that every time he/she can put it by remembering the reasoning developed earlier. Additionally, using two-step verification can add extra strength to an account; even if an intruder or hacker achieves the password of a particular account, he/she can't access it without compromising the two-factor authentication media such as cell phone or email account configured earlier for the verification system. So, all the passwords including lock-screen password/PIN, Google accounts, Facebook, Twitter and so on should be selected wisely in order to remember and protect them easily.

Best practices for the developers
The scenario of Android development is quite different from the earlier versions. Things have changed a lot in recent Android architectures. It seems that new things which were introduced to provide functionalities, nowadays these may cost user's safety. Along with Google, many other companies and researchers work on these issues and come up with several different decisions. That is why many developers, who started developing Android applications before the deployment of Android Studio and Android version 4.4, have faced many difficulties. Moreover, many developers, especially developers from small companies are not interested in reading the privacy policies let alone maintain the policies. A research on app developers found the alarming things [3] as follows.
(a) Developers find privacy policies hard to read. (b) Writing privacy policies is not considered useful to small developers. (c) Privacy is not a primary task. International Association of Privacy Professionals (IAPP) is a web tool that allows the user to compare, read and access ten different privacy policies from the US, Australia, and Europe. After examining the policies, many similarities and overlapping were found and the whole policies can be described with just the four major privacy practices [3] as follows.
(a) Developers should decrease the data to be collected. This will reduce the obligation of developers and save the users from unnecessary data collection. (b) Old data should not be retained and older unnecessary data should be regularly deleted.
(c) Privacy policies should be enforced to every sort of communication between the two parties. (d) Developers should encrypt every sensitive data to be stored and all communications should be through an encrypted channel. Ì ISSN: 1693-6930 Figure 4 depicts the summary of developers' practice for maintaining users' security and privacy. On the other hand, developers, working on security and core device related apps, are discoursed by Google, i.e., Android Power Usage APIs are not open for the 3 rd party developers [37].
Developers can play the most important role in securing the users' activities and privacy as well. Here, we will briefly discuss some important practices that should be abided by the developers to ensure the proper and desired security level and this will define the proper approach throughout the applications lifecycle [38].

Secure the server
Attacking on the server and its API is a common method from the attackers. The developers must secure the corresponding server and API to establish controls and prevent any sort of unauthorized access. Introducing web application firewall and conducting code reviews can help overcome this challenge.

Data encryption
All sensitive data stored on the mobile device should be encrypted. Additionally, the source code and data transmitted between applications should also be encrypted. High-level data encryption always protects valuable data from attackers.

Code obfuscation
It is important to protect the source code from human analyzer and decompiler preserving the operations correctly. This process of code obfuscation not only enhance the security of the app but also provides the confidentiality of intellectual properties.

Strong user authentication system
Two-factor authentication system, wise session management, hashing and encrypting login information can help protect sensitive information. Using advanced authorization tools like OAuth, JSON web tokens, etc. is also essential. These ensure secure and integrated access gateways for the corresponding app.

Regular updation and testing
Hackers always try to find vulnerabilities in apps and exploit them and it is a regular job for the developers to test their apps, repair the breaches and enhance the security. Google regularly updates its software to fix the vulnerabilities of Android platform but its the duty of the developers to find their own faults which may result from poor programming practices, technological changes, and unconsciousness.

Client side data storage
Data stored in smartphone can be exposed if lost or theft. On the other hand, a smartphone might not be secured always because some user roots their device for additional features or more control on the device. Therefore, sensitive data should be stored on the server side.
Alongside with the above recommendation, the Android platform maintainer Google has recommended the following checklist to the developers for securing their apps and sensitive information corresponding to the apps [

Gestures for the manufacturers
When any android phone manufacturers provide an update, they do not provide it for all the previous models that it has produced. However, Apple does not have such problem. When Apple provides a new security patch, is is provided for almost all the models of Apple product. Therefore, android developers, sometimes fail to cope up with every version of Android and they have to think about the same task in different ways for different devices. The possible solution for the problem is to make a sustainable policy for android version upgrade. These policies will be applicable to both the manufacturers and Google to push the update in a defined process. So that the developers don't have to think about handling different API levels.
As Google changes the android's core level security architectures very frequently and they are enforcing more and more restrictions day by day, it is very difficult for other developers to monitor and offer security. Google has already introduced some Google Play Services to monitor apps, harmful activities, malware, etc. But it is not still sufficient to provide full security for the users. Google should take over all the portions of security-related features and developments.

CONCLUSION
With the increasing popularity of Android smartphones, proper security of the devices is also becoming a serious concern. As the architecture of the system for smartphones differs somewhere from traditional devices, the existing security system is not enough for securing smartphones. Major market-leading companies don't provide enough flexibility to the 3 rd party developers and Google is becoming one of them. Now, the 3 rd party developers should not concern about the core security-related process of the Android OS rather than developing utility apps by following platform standards and policies. Platform security and end users' privacy is a shared responsibility among the platform maintainers, the app developers, and the users. All parties should follow the well-defined guidelines, recommendations and take proper responsibility for their actions to ensure a safe, secure and trusted smartphone platform. Android smartphone manufacturers and Google's Android development team should collaborate properly in a defined protocol to ensure security patches timely for all or the majority of the active devices. After all, proper development practices should be spread and made available to the developers by the platform maintainers.