‘Safe Browsing’ in Android Chrome
Google Safe Browsing has been protecting well over a billion desktop users against malware, unwanted software, and social engineering sites on the web for years. Yeserday Google announced they are turning on Safe Browsing by default for Chrome and Android users.
How To Get It
If you’re an Android user, you probably already have it! This new Safe Browsing client on Android is part of Google Play Services, starting with version 8.1. The first app to use it is Chrome, starting with version 46—we’re now protecting all Android Chrome users by default. If you look at Chrome’s Settings > Privacy menu, you can verify that Safe Browsing is enabled and that you’re protected. Chrome warns you about dangerous sites as shown below. It does this while preserving your privacy, just like on desktop.
What Came Before
The Android platform and the Play Store have long had protection against potentially harmful apps. And as our adversaries have improved their skills in trying to evade us, we’ve improved our detection, keeping Android app users safe. But not all dangers to mobile users come from apps.
Social engineering—and phishing in particular—requires different protection; we need to keep an up-to-date list of bad sites on the device to make sure we can warn people before they browse into a trap. Providing this protection on a mobile device is much more difficult than on a desktop system, in no small part because we have to make sure that list doesn’t get stale, yet:
- Mobile data costs money for most users around the world. Data size matters a lot.
- Mobile data speeds are slower than Wi-Fi in much of the world. Data size matters a lot.
- Cellular connectivity quality is much more uneven, so getting the right data to the device quickly is critically important. Data size matters a lot.
Maximum Protection Per Bit
Bytes are big: our mantra is that every single bit that Safe Browsing sends a mobile device must improve protection. Network bandwidth and battery are the scarcest resources on a mobile device, so we had to carefully rethink how to best protect mobile users. Some social engineering attacks only happen in certain parts of the world, so we only send information that protects devices in the geographic regions they’re in.
We also make sure that we send information about the riskiest sites first: if we can only get a very short update through, as is often the case on lower-speed networks in emerging economies, the update really has to count. We also worked with Google’s compression team to make the little data that we do send as small as possible.
Together with the Android Security team, we made the software on the device extra stingy with memory and processor use, and careful about minimizing network traffic. All of these details matter to us; we must not waste our users’ data plans, or a single moment of their battery life.
We hunt badness on the Internet so that you don’t discover it the hard way, and our protection should never be an undue burden on your networking costs or your device’s battery. As more of the world relies on the mobile web, we want to make sure you’re as safe as can be, as efficiently as possible.