All new security and privacy features of Android 10




Each new version of the Android operating system brings improvements to almost every aspect of the platform: design, features, APIs, and so on. Earlier this month, at Google I/O, we were told about all the improvements Android Q brings, and of course new announcements about privacy and security were not left out of the conference. Platform security is one of the most important aspects of an operating system, especially one we carry everywhere with us in our pockets. If Android weren't secure, we wouldn't trust it with half as many tasks as we do. NFC payments would be out of the question, file sharing would be dubious at best, and connecting to other devices would be sheer madness. Despite the persistent problem of version fragmentation, Google has been extremely successful at keeping the number of security issues to a minimum.

Android has become a feature-rich and highly secure operating system, but there is always room for improvement. That security depends on many factors, some of which are being improved in Android Q.


Encryption

As one of the most basic security measures, it is important for every device to support strong encryption. Nowadays many OEMs ship their devices with dedicated encryption hardware. While this is beneficial, it is also expensive, so dedicated hardware is usually limited to mid-range and high-end devices. That's not to say that low-end devices can't support encryption, but without hardware-accelerated encryption the overall user experience suffers from slow reads and writes. This is where Adiantum comes in.

Adiantum encryption

In February, Google announced Adiantum as an alternative encryption algorithm for low-end phones whose processors lack the standard AES instruction set. Adiantum is specifically designed to work without dedicated hardware. It is a lighter alternative to Android's AES encryption. Google's performance tests show it is 5 times faster than AES, the downside being that it slightly compromises security. This makes it the ideal candidate for low-end phones, such as those powered by Android Go Edition. Adiantum is also aimed at products such as smartwatches and various Internet of Things devices.

Until now, Adiantum was optional: manufacturers could enable it on devices running Android Pie, but it was not the default encryption algorithm. Adiantum is now built into Android Q. This means that all devices launching with Q will be required to encrypt user data, without exception. As a result, storage encryption is guaranteed on devices launching with Android Q, whether via Adiantum or not.

Jetpack Security Library

Jetpack is a set of Android support libraries, and one of the latest additions, still in alpha, is the Jetpack Security Library. The library simplifies securing your application by handling tasks such as managing hardware-backed keystores, key generation and key validation.
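As an added example (not code from the article or from the Jetpack project), here is how an app would use the alpha Jetpack Security Library to keep a token in encrypted preferences and write an encrypted file. The master key is created in the hardware-backed AndroidKeyStore; the class name, preference file name and the "api_token" key are assumptions made for the example.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedFile;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;

/** Example helper (hypothetical class) built on androidx.security:security-crypto 1.0.0-alpha. */
public final class SecureStore {
    private static final String PREFS_FILE = "secure_prefs"; // assumed file name

    private SecureStore() {}

    /**
     * Preference keys are encrypted with AES-256-SIV and values with AES-256-GCM; both data keys
     * are wrapped by a master key stored in the hardware-backed AndroidKeyStore.
     */
    public static SharedPreferences openPrefs(Context context)
            throws GeneralSecurityException, IOException {
        String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        return EncryptedSharedPreferences.create(
                PREFS_FILE,
                masterKeyAlias,
                context,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    public static void saveToken(Context context, String token)
            throws GeneralSecurityException, IOException {
        openPrefs(context).edit().putString("api_token", token).apply();
    }

    public static String loadToken(Context context)
            throws GeneralSecurityException, IOException {
        return openPrefs(context).getString("api_token", null);
    }

    /** Writes data to an encrypted file in the app's private storage (streaming AES-GCM, 4 KB blocks). */
    public static void writeEncryptedFile(Context context, String name, byte[] data)
            throws GeneralSecurityException, IOException {
        File file = new File(context.getFilesDir(), name);
        // EncryptedFile refuses to overwrite an existing file, so replace it explicitly.
        if (file.exists() && !file.delete()) {
            throw new IOException("could not replace " + name);
        }
        String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        EncryptedFile encryptedFile = new EncryptedFile.Builder(
                file, context, masterKeyAlias,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB).build();
        try (OutputStream out = encryptedFile.openFileOutput()) {
            out.write(data);
        }
    }

    /** Reads back and decrypts a file written by writeEncryptedFile. */
    public static byte[] readEncryptedFile(Context context, String name)
            throws GeneralSecurityException, IOException {
        File file = new File(context.getFilesDir(), name);
        String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        EncryptedFile encryptedFile = new EncryptedFile.Builder(
                file, context, masterKeyAlias,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB).build();
        try (InputStream in = encryptedFile.openFileInput()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return buf.toByteArray();
        }
    }
}
```

The master key never leaves the keystore; only wrapped data keys are written to disk, so an attacker who copies the preference file off the device cannot decrypt it without also running code on that device.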

TLS 1.3

Storage is not the only area of encryption that has been improved. Communication with other devices has been significantly improved with the introduction of TLS 1.3 support by default. TLS 1.3 is the latest network cryptography standard, finalized by the IETF in August 2018. TLS 1.3 offers more privacy for data exchanges by encrypting more of the handshake negotiation. In addition, it is faster than TLS 1.2 because it removes one round trip from the connection-establishment handshake. Coupled with more efficient modern algorithms, this results in a speed increase of up to 40%.

TLS 1.3 in Google Chrome. Source: Google

TLS can now be updated directly through Google Play because it is part of the "Conscrypt" component. You can read more about this and about the Mainline project here.
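The following is an added example, not code from the article or from Conscrypt, showing how an app can detect whether the platform's default TLS provider offers TLS 1.3 and how to refuse anything older on a raw socket. The class name, host and port are assumptions; apps using HttpsURLConnection get protocol negotiation and hostname verification for free, so this is mainly useful for custom socket code.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Example helper (hypothetical class) for checking and enforcing TLS 1.3. */
public final class Tls13Check {
    private Tls13Check() {}

    /** True if the default SSLContext (Conscrypt on Android Q) lists TLS 1.3 as supported. */
    public static boolean supportsTls13() throws NoSuchAlgorithmException {
        String[] protocols = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(protocols).contains("TLSv1.3");
    }

    /**
     * Connects to host:port allowing only TLS 1.3 and returns the negotiated protocol name.
     * If the server cannot do TLS 1.3 the handshake fails instead of silently downgrading.
     */
    public static String connectTls13Only(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            // Restrict the enabled protocol set to TLS 1.3 only: no fallback to 1.2 or earlier.
            socket.setEnabledProtocols(new String[] {"TLSv1.3"});

            // A bare SSLSocket does not verify the hostname by itself; turn it on explicitly
            // so a valid certificate for some other name is rejected.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();
            return socket.getSession().getProtocol(); // "TLSv1.3" when the handshake succeeded
        } finally {
            socket.close();
        }
    }
}
```

Pinning the enabled protocol list is a deliberate trade-off: it protects against downgrade to weaker versions, but the app must be prepared for the handshake to fail against servers that have not yet deployed TLS 1.3.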

Because we entrust many sensitive transactions to our devices every day, an upgraded TLS is more important than ever. Storing things like boarding passes, and digital driver's licenses in the future, on Android means that all devices need to encrypt user data better. Adiantum and mandatory encryption pave the way for storing even the most sensitive data on the cheapest devices. But encryption is not the only way Google is increasing Android's security in Q.


Changes to permissions and privacy in Android Q

Scoped Storage

Scoped Storage is a new safeguard that prevents apps from reading or writing files in external storage that are outside their own sandboxed, app-specific directory. Google's goal is threefold: better attribution of which apps control which files, protection of app data, and protection of user data.

Google is doubling down on the MediaStore API for shared audio, video and photo content. By default, all apps can insert, modify or delete their own files in the MediaStore.Images, MediaStore.Video and MediaStore.Audio collections without requiring any permission. Android Q also adds a new MediaStore.Downloads collection to store user-downloaded content, to which any app using the MediaStore API can contribute. While files stored in sandboxed app-specific directories are removed on uninstall, files added to the MediaStore collections persist after uninstallation.

To access files created by another app (whether the file is in one of the MediaStore collections or outside them), an app must use the Storage Access Framework. In addition, location metadata in image EXIF data is redacted unless your app holds the new ACCESS_MEDIA_LOCATION permission. In Android Q, apps can also control which storage device a media file lands on by querying its volume name with getExternalVolume().
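As an added example (not code from the article), here is how an app targeting Android Q would contribute a file to the new MediaStore.Downloads collection without any storage permission, open an image with its original (unredacted) EXIF location when ACCESS_MEDIA_LOCATION has been granted, and list the available external volumes. The class name and the file name passed in are assumptions; everything else uses the platform MediaStore API.

```java
import android.content.ContentResolver;
import android.content.ContentValues;
import android.content.Context;
import android.net.Uri;
import android.provider.MediaStore;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Set;

/** Example helper (hypothetical class) for Scoped Storage on Android Q. */
public final class ScopedStorageDemo {
    private ScopedStorageDemo() {}

    /**
     * Inserts a file into the shared Downloads collection. The row is marked IS_PENDING
     * while the bytes are written so other apps never see a half-written file.
     */
    public static Uri saveToDownloads(Context ctx, String displayName, String mimeType, byte[] data)
            throws IOException {
        ContentResolver resolver = ctx.getContentResolver();
        ContentValues values = new ContentValues();
        values.put(MediaStore.Downloads.DISPLAY_NAME, displayName);
        values.put(MediaStore.Downloads.MIME_TYPE, mimeType);
        values.put(MediaStore.Downloads.IS_PENDING, 1);

        Uri item = resolver.insert(MediaStore.Downloads.EXTERNAL_CONTENT_URI, values);
        if (item == null) {
            throw new IOException("insert into MediaStore.Downloads failed");
        }
        try (OutputStream out = resolver.openOutputStream(item)) {
            if (out == null) {
                throw new IOException("could not open " + item + " for writing");
            }
            out.write(data);
        }
        // Publish the row now that the content is complete.
        values.clear();
        values.put(MediaStore.Downloads.IS_PENDING, 0);
        resolver.update(item, values, null, null);
        return item;
    }

    /**
     * Opens an image keeping its location EXIF tags. Without ACCESS_MEDIA_LOCATION the
     * platform throws UnsupportedOperationException for the "require original" URI, so
     * callers should fall back to the redacted stream in that case.
     */
    public static InputStream openWithOriginalExif(Context ctx, Uri imageUri) throws IOException {
        Uri original = MediaStore.setRequireOriginal(imageUri);
        InputStream in = ctx.getContentResolver().openInputStream(original);
        if (in == null) {
            throw new IOException("could not open " + original);
        }
        return in;
    }

    /** Names of the external volumes (e.g. primary storage, SD card) media can be placed on. */
    public static Set<String> listVolumes(Context ctx) {
        return MediaStore.getExternalVolumeNames(ctx);
    }
}
```

Note that the file written by saveToDownloads outlives the app: as the article says, MediaStore rows persist after uninstallation, so an app should not put anything there that it would not want left behind.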

Originally, Google imposed the Scoped Storage restrictions on all Android Q apps regardless of their target API level, but after developer feedback Google is giving developers more time to adjust. You will find all the details on the changes to Scoped Storage on this page. To learn more about Google's best practices for shared storage, watch this Google I/O talk.

Warnings for apps targeting API level < 23

The permission restrictions do not stop there. If you install an app that targets an API level lower than 23 (Android Lollipop or earlier), the operating system will warn the user if the app requests sensitive permissions at install time. Before installation, users can manually choose which permissions they want to grant to the app before proceeding. Thus, Android Q no longer lets apps bypass the permission system.

Like CopperheadOS, stock Android Q now lets the user disable all the dangerous permissions requested before running an app for the first time. This only applies to apps targeting API level 22 or lower, that is, from before runtime permissions were introduced (in Android Marshmallow).

SYSTEM_ALERT_WINDOW deprecation in favor of the Bubbles API

The Bubbles API in action. Source: Google

The overlay permission (SYSTEM_ALERT_WINDOW) can no longer be granted to apps running on Android Q (Go Edition). For non-Go Edition devices, Google is pushing developers toward the new Bubbles API. The Bubbles API is a feature introduced in Android Q Beta 2 that enables features like Facebook Messenger's chat heads. App notifications appear as small bubbles on the edges of the screen, which expand when the user taps them. Inside the bubble, an app can display an activity.

This change was necessary because allowing apps to freely draw overlays over other apps poses obvious security risks. The well-known "Cloak and Dagger" exploit relied heavily on this weakness. Overlay API features were already restricted in Android Oreo, but now the Go Edition of Android Q has removed access to the API entirely, and a later version will deprecate it completely.

Background activity launch restrictions

Background apps can no longer automatically launch an activity when the phone is unlocked, regardless of their target API level. There is a whole list of conditions under which apps can still launch activities, which you can read here. Background apps that do not meet these requirements and urgently need to start an activity will now have to notify the user via a notification. If the notification is created with a full-screen pending intent, it is started immediately if the screen is off, which is useful for alarms or incoming calls.
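The two Android Q-sanctioned replacements described above, a bubble instead of a SYSTEM_ALERT_WINDOW overlay and a full-screen intent instead of a background activity launch, both go through a notification on a high-importance channel. The added example below (not code from the article) builds both; the class name, channel id and titles are assumptions, and the activities passed in are the caller's own.

```java
import android.app.Notification;
import android.app.NotificationChannel;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.graphics.drawable.Icon;

/** Example helper (hypothetical class) for Q-compliant notifications. */
public final class QNotifications {
    private static final String CHANNEL_ID = "calls"; // assumed channel id

    private QNotifications() {}

    /** Bubbles and full-screen notifications both require an IMPORTANCE_HIGH channel. */
    private static void ensureChannel(Context ctx) {
        NotificationManager nm = ctx.getSystemService(NotificationManager.class);
        NotificationChannel channel = new NotificationChannel(
                CHANNEL_ID, "Calls", NotificationManager.IMPORTANCE_HIGH);
        nm.createNotificationChannel(channel);
    }

    /**
     * Incoming-call notification. On Q a background app may not start callActivity directly;
     * with a full-screen intent the system launches it immediately when the screen is off.
     * The manifest must declare android.permission.USE_FULL_SCREEN_INTENT.
     */
    public static Notification incomingCall(Context ctx, Intent callActivity, int smallIconRes) {
        ensureChannel(ctx);
        PendingIntent fullScreen = PendingIntent.getActivity(
                ctx, 0, callActivity, PendingIntent.FLAG_UPDATE_CURRENT);
        return new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(smallIconRes)
                .setContentTitle("Incoming call")
                .setCategory(Notification.CATEGORY_CALL)
                .setFullScreenIntent(fullScreen, true)
                .build();
    }

    /**
     * Chat-head style bubble. bubbleActivity is shown inside the bubble instead of as a
     * free-floating overlay, so it cannot cover other apps' UI the way SYSTEM_ALERT_WINDOW could.
     */
    public static Notification chatBubble(Context ctx, Intent bubbleActivity, Icon icon, int smallIconRes) {
        ensureChannel(ctx);
        PendingIntent target = PendingIntent.getActivity(
                ctx, 1, bubbleActivity, PendingIntent.FLAG_UPDATE_CURRENT);
        Notification.BubbleMetadata metadata = new Notification.BubbleMetadata.Builder()
                .setIntent(target)
                .setIcon(icon)
                .setDesiredHeight(600)
                .build();
        return new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(smallIconRes)
                .setContentTitle("New message")
                .setCategory(Notification.CATEGORY_MESSAGE)
                .setBubbleMetadata(metadata)
                .build();
    }
}
```

For the bubble to be accepted, the activity it points at has to be declared in the manifest with android:allowEmbedded="true", android:resizeableActivity="true" and android:documentLaunchMode="always"; otherwise the system shows the notification without a bubble.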

Background clipboard access restriction

Background access to the clipboard is no longer possible. Any app that is neither in the foreground nor set as the default input method can no longer read your clipboard. This hits apps such as clipboard managers particularly hard. Google says this change only applies to apps that target Android Q, but our tests indicate that the restriction makes no distinction: no app we tried could see the clipboard.

Of course, this change makes sense. We often copy sensitive information such as passwords and credit card numbers to the clipboard, but it is still a shame to see clipboard managers fall by the wayside.

Location access only while an app is in use

New location permission options

A new user-selectable setting allows apps to access your location only while the app is in use. The latest Android Q beta also adds a notification reminding you when you have granted an app permanent location access.

Roles

A new "Roles" API has been added. Roles are essentially groups of predefined permissions. For example, apps holding the gallery role may have access to your media folders, while apps holding the dialer role may be able to handle calls. Apps that the user assigns a given role must also have the required components. Apps holding the gallery role, for example, must have the android.intent.action.HOME action intent filter and the android.intent.category.APP_GALLERY category intent filter to appear as a gallery app in Settings.
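As an added example (not code from the article), this is how an app asks the user for the dialer role through the platform RoleManager rather than by requesting the underlying permissions one by one; the system shows its own consent UI and refuses apps that lack the components the role requires. The class name and request code are assumptions.

```java
import android.app.Activity;
import android.app.role.RoleManager;
import android.content.Intent;

/** Example helper (hypothetical class) for requesting a role on Android Q. */
public final class DialerRoleRequest {
    public static final int REQUEST_CODE_DIALER = 42; // arbitrary request code

    private DialerRoleRequest() {}

    /**
     * Returns true if the app already holds the dialer role. Otherwise, if the role exists on
     * this device, launches the system's role request UI and returns false; the outcome arrives
     * in onActivityResult.
     */
    public static boolean requestDialerRole(Activity activity) {
        RoleManager roleManager = activity.getSystemService(RoleManager.class);
        if (roleManager == null || !roleManager.isRoleAvailable(RoleManager.ROLE_DIALER)) {
            return false; // e.g. a tablet without telephony
        }
        if (roleManager.isRoleHeld(RoleManager.ROLE_DIALER)) {
            return true;
        }
        Intent intent = roleManager.createRequestRoleIntent(RoleManager.ROLE_DIALER);
        activity.startActivityForResult(intent, REQUEST_CODE_DIALER);
        return false;
    }

    /** Call from Activity.onActivityResult; RESULT_OK means the user granted the role. */
    public static boolean handleResult(int requestCode, int resultCode) {
        return requestCode == REQUEST_CODE_DIALER && resultCode == Activity.RESULT_OK;
    }
}
```

Because the grant is tied to the role rather than to individual permissions, the user sees one clear question ("make this your phone app?") and the system can revoke everything at once when another app takes the role.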

Sensors Off Quick Settings tile

A new "Sensors Off" Quick Settings tile disables readings from all sensors (accelerometer, gyroscope, etc.) on your device for true privacy. This Quick Settings tile is hidden by default, but can be enabled under "Quick Settings developer tiles" in Developer Options.

Restrictions on /proc/net

Apps can no longer access /proc/net, which makes services such as netstat unusable. This protects users from malicious apps monitoring which websites and services they connect to. Apps that need continuous access, such as VPNs, must use the NetworkStatsManager and ConnectivityManager classes.
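The following added example (not code from the article) shows the sanctioned replacement for reading /proc/net: traffic totals from NetworkStatsManager. Device-wide totals need the user to grant "Usage access" in Settings; an app may query its own UID without it. The class name is an assumption.

```java
import android.app.AppOpsManager;
import android.app.usage.NetworkStats;
import android.app.usage.NetworkStatsManager;
import android.content.Context;
import android.net.ConnectivityManager;
import android.os.Process;
import android.os.RemoteException;

/** Example helper (hypothetical class) for traffic accounting without /proc/net. */
public final class TrafficSummary {
    private TrafficSummary() {}

    /** True if the user has granted PACKAGE_USAGE_STATS ("Usage access") to this app. */
    public static boolean hasUsageAccess(Context ctx) {
        AppOpsManager ops = ctx.getSystemService(AppOpsManager.class);
        int mode = ops.unsafeCheckOpNoThrow(
                AppOpsManager.OPSTR_GET_USAGE_STATS, Process.myUid(), ctx.getPackageName());
        return mode == AppOpsManager.MODE_ALLOWED;
    }

    /**
     * Device-wide Wi-Fi traffic in [start, end] (epoch milliseconds) as {rx, tx} bytes.
     * Requires Usage access; subscriberId is null for Wi-Fi.
     */
    public static long[] deviceWifiBytes(Context ctx, long start, long end) throws RemoteException {
        NetworkStatsManager nsm = ctx.getSystemService(NetworkStatsManager.class);
        NetworkStats.Bucket bucket = nsm.querySummaryForDevice(
                ConnectivityManager.TYPE_WIFI, null, start, end);
        return new long[] {bucket.getRxBytes(), bucket.getTxBytes()};
    }

    /**
     * This app's own Wi-Fi traffic in [start, end] as {rx, tx} bytes. Querying your own UID
     * does not need Usage access, which is all most apps should want anyway.
     */
    public static long[] ownWifiBytes(Context ctx, long start, long end) {
        NetworkStatsManager nsm = ctx.getSystemService(NetworkStatsManager.class);
        long rx = 0;
        long tx = 0;
        NetworkStats stats = nsm.queryDetailsForUid(
                ConnectivityManager.TYPE_WIFI, null, start, end, Process.myUid());
        try {
            NetworkStats.Bucket bucket = new NetworkStats.Bucket();
            while (stats.hasNextBucket()) {
                stats.getNextBucket(bucket);
                rx += bucket.getRxBytes();
                tx += bucket.getTxBytes();
            }
        } finally {
            stats.close();
        }
        return new long[] {rx, tx};
    }
}
```

Unlike /proc/net, this API exposes byte counts per UID and time window but never the remote addresses or ports, which is exactly the information the restriction is meant to keep away from other apps.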

Randomized MAC Addresses

Your MAC address is a unique identifier that networks use to remember which device is which. In Android Q, every time you connect to a new network your device uses a new random MAC address. As a result, networks can no longer track your location by correlating the Wi-Fi networks you connect to with your phone's MAC address. Apps can still obtain the device's actual factory MAC address via the getWifiMacAddress() call.


Strengthening the platform in Android Q

A single bug in Android does not mean attackers now have full access to the operating system or can bypass every security system. That is partly thanks to a number of protective measures such as process isolation, attack surface reduction, architectural decomposition and exploit mitigations. These safeguards make vulnerabilities harder or impossible to exploit. As a result, attackers usually need a chain of vulnerabilities to achieve their goals. In the past we have seen attacks like DRAMMER that work by chaining several exploits together.

Android Q takes safeguards like these and applies them to more sensitive areas such as the media and Bluetooth components as well as the kernel. This brings significant improvements:

  • A constrained sandbox for software codecs.
  • Increased use of production sanitizers to mitigate entire classes of vulnerabilities in components that process untrusted content.
  • Shadow call stack, which provides backward-edge control flow integrity (CFI) and complements the forward-edge protection provided by LLVM's CFI.
  • Protecting address space layout randomization (ASLR) against leaks with eXecute-Only Memory (XOM).
  • Introduction of the Scudo hardened allocator, which makes a number of heap-related vulnerabilities harder to exploit.

That is a lot of software jargon. First, software codecs now run in sandboxes with fewer privileges, which means malware is less likely to be able to execute commands that could harm your device, as was the case with Stagefright in 2015.

A constrained sandbox for software codecs. Source: Google

Second, Android now checks for out-of-bounds array access in more places, as well as integer overflows. Preventing overflows and making processes fail safely greatly decreases the percentage of exploitable vulnerabilities in user space. In other words, if a malicious program tries to corrupt something by deliberately accessing data that does not exist, Android will recognize it and terminate the program instead of letting it crash in an exploitable way.

Third, the shadow call stack protects return addresses by storing them in a separate shadow stack, making them inaccessible to ordinary program code. Return addresses are pointers to function code, so it is important to protect them to prevent attackers from redirecting execution to functions they should not be able to reach.

Fourth, ASLR is a protection that randomizes where programs are placed in memory, making it harder to work out where a program lives based on the location of other programs. eXecute-Only Memory reinforces this by making code pages unreadable.

Finally, Scudo is a dynamic heap allocator that proactively manages memory to make heap-based vulnerabilities much more difficult to exploit. You can read more about it here.


Authentication

Update of BiometricPrompt in Android Q

The new BiometricPrompt API was introduced over a year ago by Google, in Android P Developer Preview 2. It was meant to be a generic Android prompt for biometric unlock methods. The idea is that devices that support more than just fingerprint scanning, such as iris scanning on the Samsung Galaxy S line, can use those methods when apps require verification.

Android Q adds robust support for fingerprint and face verification, as well as extending the API to support implicit authentication. Explicit authentication requires the user to perform an action to authenticate before continuing, while implicit authentication requires no further interaction from the user.

BiometricPrompt API implicit and explicit flows. Source: Google

In addition, apps can now check whether a device supports biometric authentication with a simple function call, which saves them from invoking a BiometricPrompt on devices that do not support it. Ideally, apps would show an "Enable biometric login" setting only when the device supports biometric authentication.
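As an added example (not code from the article), the helper below uses the Android Q platform APIs to check biometric support before showing anything, and then runs either an explicit prompt (the user must confirm after the sensor matches) or an implicit one (no confirmation step, as with a face match). The class name, listener interface and prompt strings are assumptions; the executor is typically the activity's main executor.

```java
import android.content.Context;
import android.content.DialogInterface;
import android.hardware.biometrics.BiometricManager;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;

import java.util.concurrent.Executor;

/** Example helper (hypothetical class) around BiometricManager and BiometricPrompt. */
public final class BiometricGate {

    /** Hypothetical result callback; ok is true only on a successful match. */
    public interface Listener {
        void onResult(boolean ok, String reason);
    }

    private BiometricGate() {}

    /** Cheap check to drive an "Enable biometric login" setting without showing a prompt. */
    public static boolean canUseBiometrics(Context ctx) {
        BiometricManager bm = ctx.getSystemService(BiometricManager.class);
        return bm != null && bm.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS;
    }

    /**
     * Shows the system prompt. With implicit == true the platform skips the explicit confirm
     * step; keep it false for sensitive actions such as payments so a glance at the phone
     * cannot authorize a transaction. ctx must be an Activity context.
     */
    public static void authenticate(Context ctx, Executor executor, boolean implicit, Listener listener) {
        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
                .setTitle("Confirm it's you")
                .setSubtitle("Unlock vault")
                .setConfirmationRequired(!implicit)
                .setNegativeButton("Cancel", executor,
                        (DialogInterface dialog, int which) -> listener.onResult(false, "cancelled"))
                .build();

        prompt.authenticate(new CancellationSignal(), executor,
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        listener.onResult(true, "ok");
                    }

                    @Override
                    public void onAuthenticationError(int errorCode, CharSequence errString) {
                        // Lockout, hardware unavailable, user cancelled: the prompt is dismissed.
                        listener.onResult(false, String.valueOf(errString));
                    }

                    @Override
                    public void onAuthenticationFailed() {
                        // A non-matching attempt; the prompt stays up and the user may retry.
                    }
                });
    }
}
```

A successful callback is only a signal to the app's own code; if the protected operation needs cryptographic proof that the user was present (for example, unwrapping a key), the app should pair the prompt with a keystore key that requires user authentication rather than trusting the boolean alone.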

Building blocks for electronic ID support

Earlier this year, we found evidence that Google was working on support for electronic IDs on Android. At I/O, Google updated us on the feature's progress. Google says they are working with ISO to standardize the implementation of mobile driver's licenses, with ePassports in the works. For developers, Google will provide a Jetpack library so that identity apps can start being built.


Mainline Project in Android Q

The Mainline Project is a major Google initiative to reduce fragmentation of certain system modules and apps. Google will handle updates for about 12 system components through the Play Store. We covered the Mainline project in depth in a previous article if you want to read more.


Conclusion

Security has always been at the heart of Android's development. Google has managed to keep Android up to date with the latest security features and to bring its own innovations. They continue that process with Android Q, adding security features designed to keep your data safe.


Source 1: What's new in Android Q security [Google]
Source 2: Security on Android: Next Steps [Google]
Source 3: Queue the Hardening Enhancements [Google]

With the contribution of Mishaal Rahman and Adam Conway.

