The Android ecosystem is immense, represents a diverse manifold of use cases and participants, and is therefore highly complex. At the same time, Android primarily targets end-users and acts as the gateway to digital services for a majority of often non-technical Internet users. Balancing flexibility, security, and usability raises interesting challenges; many trade-offs are not immediately apparent and are non-trivial to resolve. This talk will cover some of my own lessons learned before and since joining the Android Security & Privacy team, starting with the Android platform security model, complexities of the ecosystem that are particularly relevant to security, and methods to improve security across many partners. Current and future challenges include insider attack resistance, transparency at different layers, and new use cases such as identity credentials.