MOUNTAIN VIEW, Calif.—Google is prepping the Android world for its next upgrade, code-named Android P, with an array of security and privacy enhancements. But even locking down a long-criticized Android privacy flaw won’t help the operating system beat its biggest security flaw: its own success.
Android P, expected to be released this fall, locks down privacy in a way no other Android version has. Until now, Android has allowed apps running in the background to access the camera and microphone without user permission. Android P will force background apps to ask for user permission before tapping into those sensors. It will also force apps to include an icon on the taskbar indicating that they are using the camera or microphone.
“That gives users a lot more control and more transparency into which apps have access to their sensors,” Xiaowen Xin, Android security product manager, said at Google’s annual I/O developer conference on May 10.
READ MORE ON ANDROID SECURITY
Google Play is an ‘order of magnitude’ better at blocking malware
Opinion: To stay safer on Android, stick with Google Play
Parallax Primer: Why are Androids less secure than iPhones?
How to FBI-proof your Android
Hidden inside Dark Caracal’s espionage apps: Old tech
How to wipe your phone (or tablet) for resale
Of course, there’s some indication that many users accept all permission requests, but this gives those who want more control to have it. Apps, Xin says, will hear only silence from the microphone and an empty screen from the camera, if they don’t first gain user permission.
Xin and Dave Kleidermacher, Google’s product security lead for Android, Chrome OS, and Google Play, also addressed a longtime thorn in Android’s side: fragmentation, which prevents many users from getting any update at all. Versions of Android on older devices don’t receive the security and feature updates that newer versions do.
“We’ve been trying to make Android just easier to patch,” Kleidermacher said at the conference. To that end, Google has been contractually mandating its Android hardware-manufacturing partners, including Samsung and LG, to push security updates to all supported devices. “We have a pretty steady track record for years now—every single month delivering those patches to the market [on Android Pixel devices]—but we want to make sure that all Android OEMs are delivering patches regularly to their devices as well.”
Google has promised monthly security patches for Android devices since August 2015, motivated by the Stagefright vulnerability, which exposed multiple paths by which hackers could attack devices. But nearly three years later, the company struggles to get those security patches to devices other than the Pixels it controls.
It’s part of Google’s larger, ongoing Android fragmentation problems, where newer versions of the operating system battle for adoption by consumers with devices that function well enough, but ultimately may not be secure.
Android has long since owned the crown as the world’s most popular mobile operating system, having commanded at least 36 percent market share since 2011. It’s now hovering in the 85 percent range globally, though when you look at just the United States, it’s almost an even split with Apple’s iOS.
Because Apple controls its manufacturing pipeline much more tightly, only allowing iOS on Apple hardware, it doesn’t face the same level of operating-system fragmentation that Google does. And when it comes to security, that makes it easier for Apple to guarantee that its users get security updates. (Sometimes to their chagrin.)
Android version fragmentation, naturally, has led to security fragmentation. Android 7.0 and 7.1 Nougat, first released in 2016, collectively run on about 33 percent of Android devices around the world. Android 6.0 Marshmallow, released in 2015, powers another quarter of the devices. And Android 5.1 Lollipop, released in 2014, and Android 4.4 KitKat, released in 2013, together account for a full quarter of the Android market. (The rest is split between Android 8.0 Oreo, released in 2017, at 5.7 percent, and even older versions.)
Devices running Marshmallow and newer versions are significantly more secure than those running older versions, says Andrew Blaich, head of device intelligence at Lookout Mobile Security, noting that there is still a lot of security disparity even among newer Android devices.
“Android’s getting interesting [in] becoming a more secure platform,” he says. But fragmentation, where every manufacturer can have its “own strategy,” has “plagued Android.”
Recent studies belie the effectiveness of Android security-patching efforts thus far for most users. In a February report, independent security research company SecurityLab accused Samsung, the world’s largest manufacturer of Android devices, and others, of being excessively slow to deliver security updates. And an April study by the similarly named organization Security Research Lab finds that some of the biggest Android manufacturers, including Samsung, have at times lied about which security patches have actually been installed on consumers’ devices.
While Kleidermacher didn’t directly address the fragmentation issue during Google I/O, he told the crowd that he’s “really excited” about the coming “massive increase in the number of devices and users receiving regular security patches.”
Beyond its attempts to tame the chaos associated with version fragmentation, Google made encryption a major theme of the Android P improvements.
Among other encryption features, it has added the ability to secure Android P backups with a personal identification number, or PIN, on their devices before a backup is sent to the cloud. The antisnooping measure will make it extremely difficult to restore lost data, if the user forgets the PIN, but for many people, that’s a risk worth taking.
Google has also beefed up Android’s protection of the secure keys required to decrypt app data, so that the keys don’t show up in the Android device’s memory. It’s a change that makes it harder for hackers to steal app-specific data.
And it is forcing apps, by default, to use HTTPS to send traffic, though they can request unencrypted traffic for some, but not all, connections.
Google has created a secure channel in Android P for when services want consumers to approve financial transactions. It will ask the user for confirmation, and if approved, the app will receive an encrypted code that indicates a “high confidence” level that the user has seen and approved the transaction, Kleidermacher said. Google anticipates that this will better lock down mobile financial transactions.
Android P also includes “awesome” pro-privacy changes, says Filip Chytry, the director of threat intelligence at Avast, which sponsors this site. For one, the new version hides the unique hardware identifier that all Internet-connected devices have, known as the MAC address.
“You could walk into multiple Starbucks, connect to the Wi-Fi, and if Starbucks wanted, they could have looked up logs of connected devices and track down your history of visits,” he explained in an email. “With this new future, you can set [a] random MAC address each time you connect to Wi-Fi. This leads to greater privacy while on public networks.”
Android P is also the first major operating system ever to encrypt Internet address lookups by default. This is a crucial part of how the Internet functions, and by protecting Domain Name System lookups over Transport Layer Security encryption, Google is taking steps to further reduce the risks of having a user’s traffic intercepted.
Similarly, Android P stops apps from monitoring user traffic, unless asking for permission first.
Android P, says Lookout’s Blaich, is nearly on par with Apple’s iOS, when it comes to security. “They have similar security features,” he says. “The security of all the phones is being brought up. It’s all going in the right direction.”