Posted by Gian G Spicuzza, Android Security team
Android Oreo is stuffed full of security enhancements. Over the past few months, we've covered how we've improved the security of the Android platform and its applications: from making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, hardening the kernel, making Android easier to update, all the way to doubling the Android Security Rewards payouts. Now that Oreo is out the door, let's take a look at all the goodness inside.
Expanding support for hardware security
Android already supports Verified Boot, which is designed to prevent devices from booting up with software that has been tampered with. In Android Oreo, we added a reference implementation for Verified Boot running with Project Treble, called Android Verified Boot 2.0 (AVB). AVB has a couple of useful features to make updates easier and more secure, such as a common footer format and rollback protection. Rollback protection is designed to prevent a device from booting if it has been downgraded to an older OS version, which could be vulnerable to an exploit. To do this, the device saves the OS version using either special hardware or by having the Trusted Execution Environment (TEE) sign the data. Pixel 2 and Pixel 2 XL come with this protection, and we recommend all device manufacturers add this feature to their new devices.
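The rollback check described above, as an added example that is not libavb or any bootloader's code: a stored per-slot minimum index stands in for the value kept in RPMB or signed by the TEE, the image carries the index from its signed metadata (signature verification is assumed to have already passed), and the store only ever moves upward. The slot count, type names and the sample version numbers are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of AVB-style rollback protection (added example, not
 * libavb or any bootloader's code; slot layout and names are assumptions). */

#define NUM_ROLLBACK_SLOTS 4 /* assumed: one slot per protected partition group */

/* Models the tamper-resistant store (RPMB, or data signed by the TEE) holding
 * the lowest rollback index the device still accepts for each slot. */
typedef struct {
    uint64_t min_index[NUM_ROLLBACK_SLOTS];
} rollback_store;

/* Models a verified image: the rollback index carried in its signed vbmeta.
 * Signature verification is assumed to have already succeeded. */
typedef struct {
    const char *name;
    unsigned slot;
    uint64_t rollback_index;
} image_info;

typedef enum { BOOT_OK = 0, BOOT_REJECT_ROLLBACK = 1, BOOT_REJECT_BAD_SLOT = 2 } boot_verdict;

/* Refuse to boot an image whose index is below the stored minimum: that is the
 * "downgraded to an older, possibly vulnerable OS" case the post describes. */
boot_verdict rollback_check(const rollback_store *store, const image_info *img)
{
    if (img->slot >= NUM_ROLLBACK_SLOTS)
        return BOOT_REJECT_BAD_SLOT;
    if (img->rollback_index < store->min_index[img->slot])
        return BOOT_REJECT_ROLLBACK;
    return BOOT_OK;
}

/* Once an image with a higher index has booted successfully, raise the stored
 * minimum. The store only ever moves upward, so flashing an old image again
 * cannot make it bootable. */
bool rollback_commit(rollback_store *store, const image_info *img)
{
    if (rollback_check(store, img) != BOOT_OK)
        return false;
    if (img->rollback_index > store->min_index[img->slot])
        store->min_index[img->slot] = img->rollback_index;
    return true;
}

static const char *verdict_str(boot_verdict v)
{
    switch (v) {
    case BOOT_OK: return "boot allowed";
    case BOOT_REJECT_ROLLBACK: return "rejected: rollback index too low";
    default: return "rejected: unknown slot";
    }
}

int main(void)
{
    rollback_store store;
    memset(&store, 0, sizeof store); /* factory state: nothing committed yet */

    /* Constructed sequence: update to v3, then an attempt to boot v2 again. */
    image_info v3 = { "boot v3 (patched)", 0, 3 };
    image_info v2 = { "boot v2 (vulnerable)", 0, 2 };

    printf("%-22s -> %s\n", v3.name, verdict_str(rollback_check(&store, &v3)));
    rollback_commit(&store, &v3);
    printf("%-22s -> %s\n", v2.name, verdict_str(rollback_check(&store, &v2)));
    return 0;
}
```

The important design point is the separation between `rollback_check` and `rollback_commit`: the minimum is raised only after the newer image has actually booted, so an interrupted or failed update never strands the device with a minimum no installed image can satisfy.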
Oreo also includes the new OEM Lock Hardware Abstraction Layer (HAL), which gives device manufacturers more flexibility in how they protect whether a device is locked, unlocked, or unlockable. For example, the new Pixel phones use this HAL to pass commands to the bootloader. The bootloader analyzes these commands the next time the device boots and determines whether changes to the locks, which are securely stored in the Replay Protected Memory Block (RPMB), should happen. If your device is stolen, these safeguards are designed to prevent it from being reset and to keep your data secure. This new HAL even supports moving the lock state to dedicated hardware.
Speaking of hardware, we've invested in support for tamper-resistant hardware, such as the security module found in every Pixel 2 and Pixel 2 XL. This physical chip prevents many software and hardware attacks and is also resistant to physical penetration attacks. The security module prevents deriving the encryption key without the device's passcode and limits the rate of unlock attempts, which makes many attacks infeasible due to time restrictions.
While the new Pixel devices have the dedicated security module, all new GMS devices shipping with Android Oreo are required to implement key attestation. This provides a mechanism for strongly attesting IDs such as hardware identifiers.
We added new features for enterprise-managed devices as well. In work profiles, encryption keys are now ejected from RAM when the profile is turned off or when your company's admin remotely locks the profile. This helps secure enterprise data at rest.
Platform hardening and process isolation
As part of Project Treble, the Android framework was re-architected to make updates easier and less costly for device manufacturers. This separation of platform and vendor code was also designed to improve security. Following the principle of least privilege, these HALs run in their own sandbox and only have access to the drivers and permissions that are absolutely necessary.
Continuing the media stack hardening begun in Android Nougat, most direct hardware access has been removed from the media frameworks in Oreo, resulting in better isolation. Furthermore, we've enabled Control Flow Integrity (CFI) across all media components. Most vulnerabilities today are exploited by subverting the normal control flow of an application, redirecting it to perform arbitrary malicious actions with all the privileges of the exploited application. CFI is a robust security mechanism that disallows arbitrary changes to the original control flow graph of a compiled binary, making such attacks significantly harder to perform.
In addition to these architecture changes and CFI, Android Oreo comes with a feast of other tasty platform security enhancements:
- Seccomp filtering: makes some unused syscalls unavailable to apps so that they can't be exploited by potentially harmful apps.
- Hardened usercopy: A recent survey of security bugs on Android revealed that invalid or missing bounds checking was seen in close to 45% of kernel vulnerabilities. We've backported a bounds checking feature to Android kernels 3.18 and above, which makes exploitation harder while also helping developers spot issues and fix bugs in their code.
- Privileged Access Never (PAN) emulation: Also backported to 3.18 kernels and above, this feature prohibits the kernel from accessing user space directly and ensures developers use the hardened functions to access user space.
- Kernel Address Space Layout Randomization (KASLR): Although Android has supported userspace Address Space Layout Randomization (ASLR) for years, we've backported KASLR to help mitigate vulnerabilities on Android kernels 4.4 and newer. KASLR works by randomizing the location where kernel code is loaded on each boot, making code reuse attacks probabilistic and therefore more difficult to carry out, especially remotely.
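To show what the hardened usercopy bounds check in the list above buys, here is an added userspace model (not kernel code, and not the actual CONFIG_HARDENED_USERCOPY implementation). A toy allocator records each object's bounds, standing in for the slab metadata the real check consults; an unchecked copy trusts the caller's length and leaks the neighbouring object, while the hardened copy refuses the request. The arena, object names and the "secret" contents are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the hardened-usercopy bounds check (added example, not
 * kernel code). The "slab" below is a constructed stand-in for the allocator
 * metadata the real check consults. */

#define ARENA_SIZE 64
#define MAX_OBJECTS 8

typedef struct {
    uint8_t *base;
    size_t size;
} kobject;

static uint8_t arena[ARENA_SIZE];
static size_t arena_used;
static kobject objects[MAX_OBJECTS];
static size_t nobjects;

/* Toy allocator: carves objects from the arena and records their bounds. */
kobject *kobj_alloc(size_t size)
{
    if (nobjects == MAX_OBJECTS || arena_used + size > ARENA_SIZE)
        return NULL;
    kobject *o = &objects[nobjects++];
    o->base = arena + arena_used;
    o->size = size;
    arena_used += size;
    return o;
}

/* Reset the toy allocator so the demo starts from a clean state. */
void kobj_reset(void)
{
    arena_used = 0;
    nobjects = 0;
    memset(arena, 0, sizeof arena);
}

/* Is [ptr, ptr + n) fully inside one allocated object? This is the check that
 * turns a missing-bounds-check bug into a clean failure instead of a leak. */
int kobj_range_ok(const void *ptr, size_t n)
{
    uintptr_t p = (uintptr_t)ptr;
    for (size_t i = 0; i < nobjects; i++) {
        uintptr_t lo = (uintptr_t)objects[i].base;
        uintptr_t hi = lo + objects[i].size;
        if (p >= lo && p < hi)
            return n <= hi - p;   /* must not spill past the object's end */
    }
    return 0;                     /* not inside any object at all */
}

/* Unhardened copy: trusts the caller's length. */
void copy_to_user_unchecked(void *user_dst, const void *kern_src, size_t n)
{
    memcpy(user_dst, kern_src, n);
}

/* Hardened copy: refuses (like -EFAULT) when the kernel range spills out of its object. */
int copy_to_user_hardened(void *user_dst, const void *kern_src, size_t n)
{
    if (n == 0)
        return 0;
    if (!kobj_range_ok(kern_src, n))
        return -1;
    memcpy(user_dst, kern_src, n);
    return 0;
}

int main(void)
{
    kobj_reset();
    /* Constructed layout: a 16-byte reply buffer followed by an unrelated
     * 16-byte object that happens to hold sensitive data. */
    kobject *reply = kobj_alloc(16);
    kobject *secret = kobj_alloc(16);
    memcpy(reply->base, "reply data......", 16);
    memcpy(secret->base, "SECRET KEY BYTES", 16);

    /* Buggy driver path: user-controlled length of 32 against a 16-byte object. */
    uint8_t user_buf[32];
    memset(user_buf, 0, sizeof user_buf);
    copy_to_user_unchecked(user_buf, reply->base, 32);
    printf("unchecked: user sees '%.16s'\n", user_buf + 16); /* neighbour leaked */

    memset(user_buf, 0, sizeof user_buf);
    int rc = copy_to_user_hardened(user_buf, reply->base, 32);
    printf("hardened: rc=%d, user sees '%.16s'\n", rc, user_buf + 16); /* nothing copied */
    return 0;
}
```

The check is deliberately all-or-nothing: a request that overruns its object is rejected before any bytes move, rather than being truncated, which is what makes the failure visible to developers as well as safe for users.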
App security and device identifier changes
Android Instant Apps run in a restricted sandbox which limits permissions and capabilities such as reading the on-device app list or transmitting cleartext traffic. Although introduced during the Android Oreo release, Instant Apps support devices running Android Lollipop and later.
In order to handle untrusted content more safely, we've isolated WebView by splitting the rendering engine into a separate process and running it within an isolated sandbox that restricts its resources. WebView also supports Safe Browsing to protect against potentially dangerous sites.
Lastly, we've made significant changes to device identifiers to give users more control, including:
- Moving the static Android ID and Widevine values to an app-specific value, which helps limit the use of device-scoped non-resettable IDs.
- In accordance with the IETF RFC 7844 anonymity profile, net.hostname is now empty and the DHCP client no longer sends a hostname.
- For apps that require a device ID, we've built a Build.getSerial() API and protected it behind a permission.
- Alongside security researchers1, we designed a robust MAC address randomization for Wi-Fi scan traffic in various chipsets' firmware.
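As an added example of the MAC address randomization in the last bullet (not the firmware of any chipset, and not Android code), the following shows how a per-scan address is typically formed so that it neither identifies the device nor is malformed: the locally administered bit is set so the address cannot collide with a vendor-assigned OUI, the multicast bit is cleared because a multicast source address is invalid, and the result must differ from the burned-in address. The RNG is injected so the output is reproducible here; the xorshift generator, the factory address and the helper names are constructed for this example, and a real implementation would draw from a hardware RNG.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: how a per-scan randomized MAC address is typically formed.
 * Not any chipset's firmware; the RNG is injected so results are reproducible
 * here, whereas a real implementation draws from a hardware RNG. */

typedef struct { uint8_t b[6]; } mac_addr;

/* RNG callback: returns 32 random bits. */
typedef uint32_t (*rng_fn)(void *ctx);

/* Constructed deterministic RNG (xorshift32) used only for this example. */
uint32_t xorshift32(void *ctx)
{
    uint32_t *s = ctx;
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Build a random address that is locally administered (bit 1 of the first
 * octet set, so it never collides with a vendor OUI) and unicast (bit 0
 * clear, since a multicast source address is invalid). 46 random bits remain. */
mac_addr random_scan_mac(rng_fn rng, void *ctx)
{
    mac_addr m;
    uint32_t r0 = rng(ctx), r1 = rng(ctx);
    m.b[0] = (uint8_t)(r0 >> 24); m.b[1] = (uint8_t)(r0 >> 16);
    m.b[2] = (uint8_t)(r0 >> 8);  m.b[3] = (uint8_t)r0;
    m.b[4] = (uint8_t)(r1 >> 8);  m.b[5] = (uint8_t)r1;
    m.b[0] = (uint8_t)((m.b[0] | 0x02) & 0xFE);
    return m;
}

bool mac_is_locally_administered(const mac_addr *m) { return (m->b[0] & 0x02) != 0; }
bool mac_is_unicast(const mac_addr *m) { return (m->b[0] & 0x01) == 0; }
bool mac_equal(const mac_addr *a, const mac_addr *b) { return memcmp(a->b, b->b, 6) == 0; }

/* A scan address is acceptable only if both flag bits are right and it differs
 * from the factory address, which is the identifier we are trying not to expose. */
bool scan_mac_acceptable(const mac_addr *candidate, const mac_addr *factory)
{
    return mac_is_locally_administered(candidate) && mac_is_unicast(candidate)
        && !mac_equal(candidate, factory);
}

/* Formats as the usual colon-separated hex; out must hold 18 bytes. */
void mac_format(const mac_addr *m, char out[18])
{
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m->b[0], m->b[1], m->b[2], m->b[3], m->b[4], m->b[5]);
}

int main(void)
{
    uint32_t seed = 0x1234abcd;
    /* Constructed burned-in address; not a real device's. */
    mac_addr factory = { { 0x3c, 0x28, 0x6d, 0x11, 0x22, 0x33 } };
    char s[18];
    for (int scan = 0; scan < 3; scan++) {
        mac_addr m = random_scan_mac(xorshift32, &seed);
        mac_format(&m, s);
        printf("scan %d probe source: %s (%s)\n", scan, s,
               scan_mac_acceptable(&m, &factory) ? "ok" : "rejected");
    }
    return 0;
}
```

Each scan draws a fresh address, so probe requests from consecutive scans cannot be linked by their source address alone; the flag handling is the part that naive implementations most often get wrong.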
Android Oreo brings in all of these improvements, and many more. As always, we appreciate feedback and welcome suggestions for how we can improve Android. Contact us at security@android.com.
_____________________________________________________________________
1: Glenn Wilkinson and team at Sensepost, UK; Célestin Matte, Mathieu Cunche: University of Lyon, INSA-Lyon, CITI Lab, Inria Privatics; Mathy Vanhoef, KU Leuven