The fact that Android, at the end of the development process, is an open source product might be lost on end users, but that open nature does have benefits that trickle down even to those that don’t make use of custom ROMs based on the Android Open Source Project (AOSP). In particular, this culture of openness, sharing, and cooperation has hardened and continues to improve the Android platform’s security.
“Security by obscurity” has been, and to some extent still is, the pervading mentality in a lot of software circles, but openness, specifically open source, has risen to challenge those assumptions and practices. Having code available to many eyes does have the immediate benefit of being open to inspection, making it possible to find bugs and potential exploits that may have escaped the developers’ eyes. Hopefully, those who spot these will report them in the proper channels instead of taking advantage, and Google has a few things in place to encourage that.
First there is the Google Patch Reward Program which Android is now a part of. This program provides a certain cash incentive for developers who contribute security-related fixes to open source projects including Android, Chromium, the Linux kernel, the Apache web server, and more. Google is also a contributor to HP’s Pwn2Own Mobile challenge. These contests award significant cash prizes to hackers who are able to discover and exploit critical bugs. Just recently, one of the most popular hackers, Pinkie Pie, was able to bag $50,000 for a few Chrome browser exploits.
Android also benefits from the security efforts of other open source projects and communities. Recently, in Android 4.3 to be exact, the platform gained a new security feature via SELinux, an open source framework in use by Linux distributions. And finally, there are also the handful of custom Android ROMs that use the AOSP, whose fixes, one way or another, find their way back to the Android tree, completing the cycle of sharing and contribution that an open culture encourages.