The year 2016 was huge for Android overall – version 7 was announced; Google Assistant took everyone by surprise; Android Wear and Android Auto were released; Google unleashed its own flagship phone, Pixel; among other things. But equally important was the security landscape, which saw various interesting events take place. Let’s recap how the year 2016 was for Android security, and see what we can learn from it.
- App permissions: In Feb 2016 Google announced a major change in the way Android handles app permissions. End-users were frustrated with sneaky apps that grabbed as many device permissions as possible at install time. This was finally addressed in the Marshmallow release, which moved permission requests to run-time. The update also bundled permissions into groups, so that it’s easier for the end-user to figure out what a request is actually about.
- MAC address unavailable: As part of the “user trust” initiative, local WiFi and Bluetooth MAC addresses were made unavailable. This means that developers will now get 02:00:00:00:00:00 when they call getMacAddress() or BluetoothAdapter.getDefaultAdapter().getAddress().
- OAuth Sign-Ins: In March, Google did a major revamp to their sign-in APIs. Android now supports both client-side and server-side sign-ins, though these are nothing but OAuth2 in disguise. For developers, this meant registering their test clients separately as well. A minor headache, some would argue, but much better from a software engineering perspective.
- Application sandbox: The most important announcement of this month was the Application Sandbox. Android apps would now be run in an isolated environment and given access to their own resources by the runtime. This update was a major step towards improving security in Android.
- SSL Security: Android also launched a new API for security service providers, hardening the security around SSL used in apps.
- Direct Boot: This month also saw the introduction of Direct Boot, a limited, pre-boot mode for Android that apps such as alarm clocks can use. Although device access is quite restricted in this mode, it remains to be seen where Direct Boot lands in terms of security.
- Android Pay: Android Pay was released as a unified API to make mobile payments smooth. For this, Google partnered with major names like Uber, Airbnb, etc., and it’s something that will become an integral part of the Chrome ecosystem too. Going forward, this will be interesting from a security angle!
- Stagefright: In this month, Google also announced updates related to tightening security around the libstagefright library. With sandboxing and SELinux policy restrictions in place, Google believes the vulnerability has been addressed.
- Increase in vulnerability rewards: This month, Google re-asserted its commitment to a stronger Android by increasing vulnerability bounty by 33%. While reporting a critical vulnerability will now fetch $4,000, a Kernel-level bug will bring in $30,000!
- Default “Crypto” provider discontinued: Code relying on the old “Crypto” provider to encrypt its data was forced to move to stronger, more reliable encryption. This was done because the default provider’s SHA1PRNG scheme, which apps were using for encryption, was found to have a critical bug that allowed the security key to be compromised.
- NDK security updates: This month Google announced two security updates for NDK developers. First, use of private APIs was discontinued at the linker level, to ensure a consistent user experience regardless of the API level the app was working at. Further, text relocation support was dropped as of API 23. This makes code loading simpler and more secure for native developers and makes them rely less on tricks and workarounds.
- Kernel protection in Android: This month saw Android work more on plugging kernel vulnerabilities. This included restricting kernel access from user space, removing default access to debug features, marking kernel memory pages read-only (and executable only where needed), and the introduction of stack-protector-strong, an enhanced version of stack-protector that mitigates buffer overflow attacks.
- The final developer preview of Nougat: In this month, Google also released the final developer version of its much-hyped Nougat (v7) flavor of Android. This was the last chance for the developer and tester communities to evaluate the version before it started reaching consumer devices.
- Security certificate restrictions: Android v7 brought a major change with respect to the certificate authorities apps can rely on. Customizing trusted certificate authorities is gone, which means developers will have to choose from a given set of authorities trusted by Android. Adding a custom CA has become more work and is not recommended.
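The run-time permission model from the first item above, as an added Java example (not code from the original post or from Google): the permission is requested at the moment the feature needs it, a rationale is shown on a repeat request, and a denial degrades the feature rather than the whole app. It assumes the AndroidX support classes (ContextCompat, ActivityCompat) and that android.permission.CAMERA is declared in the manifest; CaptureActivity, onTakePhotoClicked() and openCamera() are hypothetical names.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

// Hypothetical activity that scans a ticket with the camera.
public class CaptureActivity extends Activity {
    private static final int REQ_CAMERA = 42;   // arbitrary request code chosen for this example

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Nothing is requested here: the permission is asked for when the user
        // taps the feature that needs it, not up front.
    }

    // Called from the "scan ticket" button (hypothetical).
    void onTakePhotoClicked() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED) {
            openCamera();
            return;
        }
        // True when the user has already denied once: explain why before asking again.
        if (ActivityCompat.shouldShowRequestPermissionRationale(this, Manifest.permission.CAMERA)) {
            Toast.makeText(this, "The camera is used only to scan your ticket.", Toast.LENGTH_LONG).show();
        }
        // One permission group (CAMERA), requested by itself: least privilege, at time of use.
        ActivityCompat.requestPermissions(this, new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_CAMERA) {
            return;
        }
        // grantResults is empty if the request was interrupted; treat that as a denial.
        boolean granted = grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        if (granted) {
            openCamera();
        } else {
            // Only the scanning feature is unavailable; the rest of the app keeps working.
            Toast.makeText(this, "Scanning is unavailable without camera access.",
                    Toast.LENGTH_SHORT).show();
        }
    }

    private void openCamera() {
        // Hypothetical: start the capture flow.
    }
}
```

The check in onTakePhotoClicked() has to be repeated on every use, because the user can revoke a permission from Settings at any time while the app is installed.

The “Crypto” provider item above, as a second added example (again not the post’s or Google’s code): the pattern that the provider removal broke is shown in a comment, and the replacement derives an AES key with PBKDF2 over a random salt and encrypts with AES-GCM. It uses only standard javax.crypto classes, so it also compiles and runs on a desktop JDK; the password and plaintext in main() are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordEncryption {
    // The pattern the "Crypto" provider removal broke (kept as a comment: the provider is
    // gone on Android and never existed on a desktop JDK):
    //
    //   SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "Crypto");
    //   sr.setSeed(password.getBytes());   // same seed -> same "random" bytes every time
    //   byte[] key = new byte[16];
    //   sr.nextBytes(key);                 // used directly as the AES key
    //
    // That turned a PRNG into an unsalted, single-pass key derivation function.
    // The replacement below is PBKDF2 with a random salt and a high iteration count.

    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;      // standard GCM nonce size
    private static final int TAG_BITS = 128;
    // Default provider, never seeded by hand.
    private static final SecureRandom RNG = new SecureRandom();

    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    // Output layout: salt || iv || ciphertext+tag. Salt and IV are not secret.
    static byte[] encrypt(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[SALT_BYTES + IV_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(iv, 0, out, SALT_BYTES, IV_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + IV_BYTES, ct.length);
        return out;
    }

    static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, SALT_BYTES + IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        // Throws AEADBadTagException on a wrong password or a tampered blob.
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample
        byte[] data = "account token".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(pw, data);
        System.out.println(new String(decrypt(pw, blob), StandardCharsets.UTF_8));
        // Two encryptions of the same data differ (fresh salt and IV), unlike the seeded-PRNG scheme.
        System.out.println(Arrays.equals(blob, encrypt(pw, data)));
    }
}
```

On Android the better long-term design is to keep the key out of the password altogether and generate it in the AndroidKeyStore; PBKDF2 is the right tool when a user-supplied password is the only secret.

The certificate-authority item above, as a third added example (not from the post or from Google): when an app has to talk to an internal service signed by a private CA, it builds an SSLContext that trusts only that one bundled CA certificate, leaving the public CA set and any user-installed CA out of the picture. Standard JSSE classes only; the certificate stream would come from the app’s assets or raw resources on Android (an assumption, not shown).

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PrivateCaTrust {
    // Returns an SSLContext whose only trust anchor is the X.509 certificate read from
    // caCertStream (PEM or DER). Nothing from the system or user CA stores is included.
    static SSLContext contextTrustingOnly(InputStream caCertStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCertStream);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // empty in-memory store
        trustStore.setCertificateEntry("private-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens an HTTPS connection validated against the private CA only. The default
    // hostname verifier is deliberately left in place so the server name is still checked.
    static HttpsURLConnection open(URL url, InputStream caCertStream) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(caCertStream).getSocketFactory());
        return conn;
    }
}
```

Two things this example does not do, on purpose: it never installs an all-accepting TrustManager, and it never replaces the hostname verifier; both are the usual ways a "custom CA" workaround silently turns into no TLS validation at all. On Android 7 the same trust anchor can be declared without code in the Network Security Config (res/xml/network_security_config.xml), which is the route the platform pushes developers toward.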
Not much happened until September 2016, when Google had more security changes released for Android 7:
- Direct boot: Direct boot allows some features of your phone to be unlocked and ready before you enter your PIN/pattern at boot time. The services allowed to be ready in this mode are calling, alarms, etc., with the aim of improving user experience. This was achieved by doing away with full-disk encryption and using separate encryption for separate partitions.
- Platform enhancements: A number of hardenings were announced for the platform, such as Verified Boot, SELinux, Mediaserver enhancements, a new APK signature scheme, etc.
- App security: App security announcements included explicit use of Content Providers for sharing data between apps. Default permissions for app data were also changed to 700. Finally, this release plugged the long-pending “clickjacking” vulnerability by disallowing overlays over permission dialogs.
- Google Play trust: As part of improving user trust in Google Play, the company announced the roll-out of a new content discovery system aimed at identifying fake reviews, deceptive app installs, rigged ratings, etc. It remains to be seen how potent these measures will prove to be.
- End of Eclipse ADT: This month, Google announced increased support for Android Studio 2.2 and completely dropped the Eclipse Android Development Tools (ADT) plugin. So if you’re a developer that loves Eclipse, tough luck!
- Sign-In API for Games: The Sign-In API introduced earlier this year was also adopted for Google Games. On an interesting side note, Google+ was removed from Games.
- Android Wear Developer Preview: This month also saw Google release the 4th Developer Preview of Android Wear 2.0. Offering seamless authentication and experience across devices, Android Wear is a project that will have large security implications.
All in all, a massive year for Android. Some major security holes were plugged, and version 7 was released. Android Wear offers some exciting possibilities for app developers, but as usual, the security angle remains unaddressed.
2017 opens up endless possibilities for Android developers.
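The app-security item in the list above (content providers for sharing, 700 on app data, no overlays over permission dialogs), as an added Java example that is not from the post or from Google: a file in the app’s private directory is handed to another app through a FileProvider with a scoped read grant instead of being made world-readable, and an app’s own sensitive button gets the same overlay protection the platform now gives its permission dialogs. It assumes the AndroidX FileProvider, a matching <provider> entry in the manifest with its paths resource, and a placeholder authority string; SharingAndOverlays, shareReport() and protectFromTapjacking() are hypothetical names.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.view.View;
import android.widget.Button;
import androidx.core.content.FileProvider;
import java.io.File;

public final class SharingAndOverlays {
    // Placeholder: must match the android:authorities value of the <provider> in the manifest.
    static final String AUTHORITY = "com.example.app.fileprovider";

    // Old habit: Uri.fromFile(file) plus a world-readable file. On Android 7 a file:// Uri
    // in an Intent throws FileUriExposedException and MODE_WORLD_READABLE is refused, so the
    // data stays at 700 and is exported through a content provider with a per-Intent grant.
    static Intent shareReport(Context ctx, File reportInPrivateDir) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, reportInPrivateDir);
        return new Intent(Intent.ACTION_SEND)
                .setType("application/pdf")
                .putExtra(Intent.EXTRA_STREAM, uri)
                // Read access only, only to the app that receives this Intent,
                // and only for as long as that app holds the Intent.
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }

    // Platform permission dialogs now ignore touches that pass through an overlay. An app's
    // own high-value controls (confirm payment, grant access) opt in to the same behaviour:
    // with filterTouchesWhenObscured set, a touch delivered while another window covers
    // the view is dropped before the click listener ever runs.
    static void protectFromTapjacking(Button confirm) {
        confirm.setFilterTouchesWhenObscured(true);
        confirm.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Reached only for touches that were not obscured by another window.
            }
        });
    }
}
```

The grant in shareReport() is the whole point of the content-provider route: the receiving app can read that one file, through that one Uri, and nothing else in the private directory, which is what a 700 directory plus a world-readable file could never express.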
How secure are your Android users in this race?