Saturday, October 13, 2018

Insider Attack Resistance

Posted by Shawn Willden, Staff Software Engineer

Our smart devices, such as mobile phones and tablets, contain a wealth of personal information that needs to be kept safe. Google is constantly trying to find new and better ways to protect that valuable information on Android devices. From partnering with external researchers to find and fix vulnerabilities, to adding new features to the Android platform, we work to make each release and new device safer than the last. This post talks about Google's strategy for making the encryption on Google Pixel 2 devices resistant to various levels of attack—from platform, to hardware, all the way to the people who create the signing keys for Pixel devices.

We encrypt all user data on Google Pixel devices and protect the encryption keys in secure hardware. The secure hardware runs highly secure firmware that is responsible for checking the user's password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack.

To prevent attackers from replacing our firmware with a malicious version, we apply digital signatures. There are two ways for an attacker to defeat the signature checks and install a malicious replacement for firmware: find and exploit vulnerabilities in the signature-checking process, or gain access to the signing key and get their malicious version signed so the device will accept it as a legitimate update. The signature-checking software is tiny, isolated, and vetted with extreme thoroughness. Defeating it is hard. The signing keys, however, must exist somewhere, and there must be people who have access to them.

In the past, device makers have focused on safeguarding these keys by storing the keys in secure locations and severely restricting the number of people who have access to them. That's good, but it leaves those people open to attack by coercion or social engineering. That's risky for the employees personally, and we believe it creates too much risk for user data.

To mitigate these risks, Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data. This helps prevent an attacker who manages to produce properly signed malicious firmware from installing it on the security module in a lost or stolen device without the user's cooperation. Specifically, it is not possible to upgrade the firmware that checks the user's password unless you present the correct user password. There is a way to "force" an upgrade, for example when a returned device is refurbished for resale, but forcing it wipes the secrets used to decrypt the user's data, effectively destroying it.
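The update policy described above can be modelled in a few lines. This is an added illustration, not Google's firmware or code from the original post: the class and method names are hypothetical, HMAC-SHA256 stands in for the real signature scheme, and a Python object stands in for the tamper-resistant hardware.

```python
import hashlib, hmac, os

def sign(key: bytes, image: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the vendor's real signature scheme.
    return hmac.new(key, image, hashlib.sha256).digest()

class SecurityModule:
    """Toy model (hypothetical names) of a password-gated firmware update policy."""

    def __init__(self, vendor_key: bytes, password: str, firmware: bytes):
        self._vendor_key = vendor_key
        self._salt = os.urandom(16)
        self._pw_hash = self._kdf(password)
        self._data_secret = os.urandom(32)   # secret needed to decrypt user data
        self.firmware = firmware

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def _password_ok(self, password) -> bool:
        return password is not None and hmac.compare_digest(self._kdf(password), self._pw_hash)

    def unlock(self, password: str):
        """Return the data secret, or None if the password is wrong or the secret was wiped."""
        return self._data_secret if self._password_ok(password) else None

    def update(self, image: bytes, signature: bytes, password=None, force=False) -> str:
        if not hmac.compare_digest(sign(self._vendor_key, image), signature):
            return "rejected: bad signature"
        if self._password_ok(password):
            self.firmware = image             # user cooperated: secrets survive
            return "updated: secrets kept"
        if force:
            self._data_secret = None          # refurbish path: destroy secrets, then install
            self.firmware = image
            return "updated: secrets wiped"
        return "rejected: password required"

def demo() -> list:
    key = b"constructed-vendor-key"           # constructed sample values throughout
    hsm = SecurityModule(key, "correct horse", b"fw-v1")
    evil = b"fw-backdoored"                   # validly signed by an insider holding the key
    results = [hsm.update(evil, sign(key, evil))]
    results.append(hsm.update(evil, sign(key, evil), force=True))
    results.append(hsm.unlock("correct horse"))
    return results

if __name__ == "__main__":
    print(demo())
```

In the model, a validly signed image is not enough on its own: without the user's password the only path to installing it is the forced one, and by then the secret that decrypts the user's data no longer exists.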

The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it's possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same. For help, device makers working to implement insider attack resistance can reach out to the Android security team through their Google contact.

Acknowledgements: This post was developed in joint collaboration with Paul Crowley, Senior Software Engineer
