There’s been plenty of FUD — fear, uncertainty and doubt — spread surrounding Android phone security over the years. And I’ll be honest: in the early days, much of it was well deserved. The fragmented nature of Android, the sheer amount of stuff that required a full firmware upgrade in order to change, and the reticence of phone makers to roll out those updates meant that Android phones were more susceptible to security issues than the iPhone.

Ten years ago if a major iPhone security vulnerability was discovered, Apple could quickly patch its entire ecosystem. On Android you could be left waiting months, if a fix ever made it to your device. For an Android security issue to be addressed in 2011, new code first had to be pushed out by Google, then integrated into your phone’s firmware by the manufacturer and eventually signed off by your carrier. That’s not an ideal sequence of events if time is of the essence, as it likely would be if a nasty new software vulnerability were being exploited in the wild.

But Android in general, and Android security in particular, has come a long way over the past decade. And the tired trope of Android owners never getting updates, and Android phones being mired in malware is now well and truly outdated. The best Android phones now guarantee four years of regular security patches, and Android itself is now more secure by design.

The problem is, the ways in which Google keeps Android safe and secure are nebulous and pretty technical. While Apple, with its vertical integration and relatively small number of phone models, can simply roll out full firmware updates at will, Google’s larger, more diverse and less directly controlled ecosystem requires a different approach.

Pretty much every Android phone sold in the West comes with Google Play Services — it’s an important part of the package of mobile apps preloaded onto Google Android phones, and it can be silently updated by Google in the background. But Play Services is far, far more powerful than your average Android app. That’s…