Android P in depth: An up-close look at what's new with security

Credit to Author: JR Raphael | Date: Thu, 08 Mar 2018 08:58:00 -0800

Google is slowly pulling back the curtains on its next-gen Android P release. Yesterday, we got our first glimpse at a work-in-progress, developer-focused preview of the software — and today, we’re getting a closer look at what exactly is new when it comes to Android P and the ever-evolving subject of Android security.

I had the chance to chat with Xiaowen Xin, Google’s Android platform security product manager, about some of the significant changes on the way with Android P. Here’s the inside scoop on what you can expect:

Starting with Android P, an app won’t be able to access your camera, microphone, or most of its sensors while it’s running in the background — unless it makes it perfectly clear to you that it’s doing so.

This is basically a preventative measure to make sure bad apps aren’t able to abuse legitimate permissions they’ve been granted. The way it’ll work is this:

Whenever an app is in the background and idle, the hardware won’t deliver any data to it from the camera, mic, or sensors — even if it tries to check in with any of those sources.

If an app has a valid reason for accessing one of those elements in the background, it’ll have to create a foreground process to do it. In layman’s terms, that means you as the user will see a notification anytime that’s occurring.

“We want to make sure that whenever a sensor’s being used — whether it’s the camera, microphone, or any other sensor — that there’s a clear disclosure to the user, and so there’s always that persistent notification,” Xin says.

The change will affect all apps as of Android P, regardless of when they were last updated or what Android version level they’re targeting. The one exception to the rule is a device’s GPS sensor: Since that’s already controlled via its own standalone toggle in Android’s Quick Settings, it won’t require an ongoing foreground process to remain active.

Xin says in all of Google’s testing thus far, she and her team have yet to encounter a single app where legitimate functionality has been disrupted as a result of the change.

You know all that data Android saves from your device and then makes available for restoring when you sign into a new phone or tablet — OS-level settings, app-oriented info, all that sort of stuff? The data’s always been encrypted, but with Android P, it’ll start using a client-side secret for its encryption.

What that means is the encryption will be protected with something specific to your phone — something derived from your PIN, pattern, or password — and the whole process will take place directly on your device.

That, in turn, means it’ll be tougher than ever for anyone to access that info when they shouldn’t be able to.

(This element is not yet present in the initial Android P developer preview, by the way, but it’ll show up in a future update between now and the final P release.)

When you connect to a Wi-Fi network from an Android device today, the network is able to see your device’s MAC address — a unique and consistent number that identifies your phone or tablet. And while it’s a bit out there, that means there’s the potential, in theory, for your location to be tracked as you connect to different networks throughout the day.

“Anywhere I go, if I connect to a network, the owner of the network will know my MAC address,” Xin explains. “If those people were then to collude, they could figure out where I go.”

Android P addresses this possibility by allowing the system to generate a new and random MAC address for every single Wi-Fi network you connect to. The address will stay constant for that one network over time, but you’ll get a new and different address for each other network you use — so there’s no permanent and device-specific ID that follows you everywhere and leaves a lasting mark.

This option is starting out as an off-by-default “experimental” feature in the earliest Android P developer preview build.
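To make the collusion scenario Xin describes concrete, here is an added Python illustration; it is not Android's implementation and not code from Google or the original article. It assumes a hypothetical per-device secret and derives each network's address with HMAC-SHA256, and the network names and factory MAC are constructed samples.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from a real device.
FACTORY_MAC = "00:00:5e:00:53:2a"  # address from the documentation range
DEVICE_SECRET = b"hypothetical-per-device-secret"
NETWORKS = ["CoffeeShop-WiFi", "Airport-Free", "Hotel-Guest"]


def per_network_mac(secret: bytes, network_id: str) -> str:
    """Derive a stable, network-specific MAC (illustrative scheme only)."""
    digest = hmac.new(secret, network_id.encode("utf-8"), hashlib.sha256).digest()
    octets = bytearray(digest[:6])
    # Mark the address as locally administered (bit 0x02 set) and unicast
    # (bit 0x01 cleared) so it stays out of the vendor-assigned address space.
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_local_unicast(mac: str) -> bool:
    """True if the first octet carries the locally-administered, unicast bits."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not first & 0x01


def addresses_seen(randomize: bool) -> dict:
    """Map each network to the MAC its operator would log for this device."""
    return {
        n: per_network_mac(DEVICE_SECRET, n) if randomize else FACTORY_MAC
        for n in NETWORKS
    }


def linkable_networks(seen: dict) -> set:
    """Networks whose operators could match this device by comparing logs."""
    by_mac = {}
    for network, mac in seen.items():
        by_mac.setdefault(mac, set()).add(network)
    return {n for group in by_mac.values() if len(group) > 1 for n in group}


if __name__ == "__main__":
    for randomize in (False, True):
        seen = addresses_seen(randomize)
        print("randomized" if randomize else "factory MAC", seen)
        print("  linkable:", sorted(linkable_networks(seen)) or "none")
```

With the factory address, all three operators log the same value and can link the visits; with per-network derivation, each operator sees a stable but unrelated address.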

Speaking of network security, Android P pushes forward with Google’s effort to move away from unencrypted “http” web traffic and toward fully secure web transmissions.

P actually takes what Oreo started in that department and turns it up a notch (so to speak): With Oreo, Google introduced a new system in which app developers could choose to prevent unencrypted network traffic — commonly known as “cleartext” — from appearing in their apps. As of P, that system is fully active and running by default.

Developers can still opt to allow unencrypted network traffic on a case-by-case basis by whitelisting specific domains as needed. And the change will only affect apps that have been updated to support Android P, so older apps that aren’t regularly maintained will continue to function without issue.
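Those per-domain exemptions live in an app's network security config XML, and they are worth reviewing to see which hosts can still be reached without encryption. The following Python audit is an added example, not code from Google or the original article; the sample configs and example.com hostnames are constructed, and `platform_default` is a parameter introduced here to model whether the app has been updated for Android P.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the example.com hostnames are placeholders.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="false">api.example.com</domain>
    </domain-config>
</network-security-config>"""

NO_BASE_CONFIG = """<network-security-config>
    <domain-config>
        <domain includeSubdomains="false">api.example.com</domain>
    </domain-config>
</network-security-config>"""


def _permitted(node, inherited: bool) -> bool:
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = None if node is None else node.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"


def audit_cleartext(config_xml: str, platform_default: bool = False):
    """Return (app-wide cleartext allowed?, [(domain, includes subdomains)]).

    platform_default=False models an app updated for Android P;
    True models an older app that still gets the permissive default.
    """
    root = ET.fromstring(config_xml)
    base_allowed = _permitted(root.find("base-config"), platform_default)
    exempt = []

    def walk(parent, inherited):
        for dc in parent.findall("domain-config"):
            allowed = _permitted(dc, inherited)
            if allowed:
                for d in dc.findall("domain"):
                    subs = d.get("includeSubdomains", "false").lower() == "true"
                    exempt.append(((d.text or "").strip(), subs))
            walk(dc, allowed)  # nested domain-configs inherit from the parent

    walk(root, base_allowed)
    return base_allowed, sorted(exempt)
```

Running it over `NO_BASE_CONFIG` with `platform_default=True` shows how the same file that blocks cleartext in an updated app leaves it open in one that has not been updated.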

Network connections aside, every Android device has a permanent and unique identifier known as the “Build.SERIAL” identifier — basically a serial number that belongs to your phone and your phone alone. It remains present even through factory resets, so if you sell your device to someone, he or she will then have that same number.

It may seem trivial, but it’s just one more way companies could track you and learn about you without your knowledge — especially when you consider that in the past, apps were able to freely access and store that number. With Oreo, Google started the process of pulling back that ability — and with Android P, it’s fully removing the ability for apps to access your device identifier without first getting permission.

Your fingerprint is a powerful form of security — but the user interface for inputting your fingerprint across Android has thus far been anything but clear or consistent.

“We saw a very, very large variety in what apps did for fingerprints,” Xin laughs. “We saw one app that basically showed a Comic Sans font when it was asking for a fingerprint.”

So with P, Google is creating a consistent UI for fingerprint authentication — whether the prompt is coming from the system itself or from an app. Aside from the obvious surface-level benefit of this change, Xin says it could have some hidden perks for future technologies.

“If an OEM wanted to launch an in-display fingerprint sensor — say, in the bottom half of the screen — you’d need a way for them to tell you to put your fingerprint in a specific place,” she notes.

Don’t get too excited about that possibility yet, though: Xin says while some Android device-makers have absolutely been starting to consider the idea of in-display fingerprints, it’s not yet clear if or when any such system will actually launch on a device.

When we talk about Android OS updates, the shiny marquee features tend to get the most attention. Beneath the surface, though, new releases always contain important foundational improvements — including sets of new APIs, or interfaces developers use to access data and tap into features within their apps.

Newer APIs can provide more advanced possibilities as well as more effective privacy and security — and so when an app doesn’t take advantage of such opportunities and continues to target older APIs instead, it can be bad news for you as the user.

“We tighten down the API year after year,” Xin says. “A lower API level might not be as secure.”

In Android P, Google is proactively working to keep developers using the latest tools available — and to keep you aware of any instances when they might be failing to do so. How? Simple: The P-level operating system will actually show a warning to you anytime an app is targeting older-than-acceptable APIs.

(Side note: I hope this warning will be phrased in a way that explains the potential problem in plain English and thus actually means something to a typical user — because if a message pops up on an average person’s phone about an “app targeting outdated APIs,” I can’t imagine it’ll be effective at much other than befuddlement.)

This change actually goes hand in hand with an effort announced for Google Play late last year. On that side of the equation, any new or updated apps will be required to use recent API levels starting this summer. Xin tells me this two-prong approach is designed to allow for ongoing support of older apps that haven’t been updated — but also to make sure users are aware of the potential downsides of using any such titles.

And that, dear friends, is what’s new in terms of security with Android P. We’ve got a lot more to discuss with this release as it continues to take shape in the weeks and months ahead, so stay near — and don’t miss out on the newsletter, below, as we’ll be exploring P’s most significant intricacies there tomorrow (and on plenty of other Fridays in the future).
