
Security and Privacy Changes in Android O

Google has released a developer preview of its next major Android release. This release is called Android O and is expected to carry version number 8.0. The first public stable release is rumored for May, around the time Google I/O 2017 takes place. In this blog post we take a closer look at the announced security changes in this new version of Android. Most of the changes affect all apps, regardless of the Android version they target, but some only affect apps that target Android O. To keep this clear, we distinguish between changes that apply to apps targeting any API level and changes that apply only to apps targeting Android O. Finally, we briefly discuss the announced privacy-enhancing features.

Security

Apps that target all API levels

  • Support for SSLv3 has been removed. Apps can no longer negotiate HTTPS connections over SSLv3, because the protocol is vulnerable to the POODLE padding-oracle attack. No app code changes are needed, but connections to servers that still only offer SSLv3 will fail at the handshake.

  • A Secure Computing (seccomp) filter is applied to all apps. The set of allowed syscalls is restricted to those exposed through bionic, Android's libc implementation; a process that issues a syscall outside this set is killed with SIGSYS. Several additional syscalls remain allowed for backwards compatibility, but Android engineers recommend against using them.

  • Apps that use WebView objects now run them in multiprocess mode: web content is rendered in a separate, sandboxed renderer process rather than in the app's own process. This does not make bugs in the rendering engine any less likely, but it contains the damage. An exploit against the renderer, including a zero-day, ends up in a sandboxed process with far fewer privileges than the embedding app, instead of running with the app's permissions and access to its data.

Apps that target Android O

  • Network Security Configuration was introduced in Android 7.0 to let developers declare network security policies for their own app, such as the trusted CAs, certificate pins and whether cleartext traffic is permitted. In Android O, if your app's network security configuration opts out of cleartext traffic (cleartextTrafficPermitted="false"), that policy is also enforced for the app's WebView objects: they can no longer load websites over HTTP and must use HTTPS. Before Android O this opt-out was not applied to WebView traffic, so apps that already opted out should verify that every URL they load into a WebView is HTTPS before raising their target SDK.

  • Android no longer loads native libraries that contain a load segment that is both writable and executable. Apps whose native libraries carry such incorrectly flagged segments will stop working once they target Android O. This is a hardening measure: code pages should never be writable and data pages should never be executable (W^X), and many of the debugging and hooking tools available today depend on being able to inject an rwx segment. Refusing W+X mappings removes a convenient primitive for memory-corruption exploits and makes it considerably harder to turn a memory-safety bug into code execution. You can check a library before shipping with readelf -lW libfoo.so: any LOAD line whose Flags column reads RWE will be rejected by the Android O linker.
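To make that check concrete, here is a small added example, written for this post and not Android's or Google's code, that parses the program header table of an ELF image held in memory and counts PT_LOAD segments flagged both PF_W and PF_X, which is exactly the condition the Android O linker rejects. It handles both ELF32 and ELF64 (all Android ABIs are little-endian) and refuses images whose program header table runs past the end of the buffer. The sample images are constructed inside the code (a minimal ELF64 header plus a hand-built program header table, not real libraries), and the function names are our own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the ELF specification. */
#define PT_LOAD 1u
#define PF_X 1u
#define PF_W 2u
#define PF_R 4u

/* Little-endian readers; every Android ABI is little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Count PT_LOAD segments whose flags include both PF_W and PF_X.
 * Returns -1 if the buffer is not a parseable little-endian ELF32/ELF64 image
 * (bad magic, unknown class, or a program header table that runs past the end). */
int count_wx_load_segments(const uint8_t *img, size_t len) {
    static const uint8_t magic[4] = { 0x7f, 'E', 'L', 'F' };
    if (len < 52 || memcmp(img, magic, 4) != 0 || img[5] != 1) return -1; /* EI_DATA must be LSB */
    int is64 = (img[4] == 2);                       /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if (!is64 && img[4] != 1) return -1;
    uint64_t phoff; uint16_t phentsize, phnum;
    if (is64) {
        if (len < 64) return -1;
        phoff = rd64(img + 32); phentsize = rd16(img + 54); phnum = rd16(img + 56);
        if (phentsize < 56) return -1;
    } else {
        phoff = rd32(img + 28); phentsize = rd16(img + 42); phnum = rd16(img + 44);
        if (phentsize < 32) return -1;
    }
    int hits = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || phentsize > len - off) return -1;     /* truncated header table */
        const uint8_t *ph = img + off;
        uint32_t type  = rd32(ph);
        uint32_t flags = is64 ? rd32(ph + 4) : rd32(ph + 24);  /* p_flags moves in ELF32 */
        if (type == PT_LOAD && (flags & (PF_W | PF_X)) == (PF_W | PF_X)) hits++;
    }
    return hits;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed test data: a minimal little-endian ELF64 ET_DYN image with one 4 KiB
 * PT_LOAD segment per flags value. Not a real library, just enough header and
 * program header table to exercise the check above. */
static size_t build_elf64(uint8_t *out, size_t cap, const uint32_t *flags, size_t n) {
    size_t need = 64 + 56 * n;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 0x7f; out[1] = 'E'; out[2] = 'L'; out[3] = 'F';
    out[4] = 2; out[5] = 1; out[6] = 1;          /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    wr16(out + 16, 3);                            /* e_type = ET_DYN */
    wr16(out + 18, 183);                          /* e_machine = EM_AARCH64 */
    wr64(out + 32, 64);                           /* e_phoff: table directly after header */
    wr16(out + 52, 64); wr16(out + 54, 56); wr16(out + 56, (uint16_t)n);
    for (size_t i = 0; i < n; i++) {
        uint8_t *ph = out + 64 + 56 * i;
        wr32(ph, PT_LOAD);
        wr32(ph + 4, flags[i]);
        wr64(ph + 8, 0x1000u * i); wr64(ph + 16, 0x1000u * i);  /* p_offset, p_vaddr */
        wr64(ph + 32, 0x1000); wr64(ph + 40, 0x1000); wr64(ph + 48, 0x1000); /* filesz, memsz, align */
    }
    return need;
}

/* Healthy layout: R+X code, R+W data. Expected result: 0. */
int demo_clean_library(void) {
    static const uint32_t f[] = { PF_R | PF_X, PF_R | PF_W };
    uint8_t img[256];
    size_t n = build_elf64(img, sizeof img, f, 2);
    return count_wx_load_segments(img, n);
}

/* Legacy layout with an R+W+X segment, the kind Android O's linker refuses. Expected result: 1. */
int demo_rwx_library(void) {
    static const uint32_t f[] = { PF_R | PF_X, PF_R | PF_W | PF_X, PF_R | PF_W };
    uint8_t img[256];
    size_t n = build_elf64(img, sizeof img, f, 3);
    return count_wx_load_segments(img, n);
}

/* Header promises two program headers but the buffer ends after the first. Expected result: -1. */
int demo_truncated_image(void) {
    static const uint32_t f[] = { PF_R | PF_X, PF_R | PF_W };
    uint8_t img[256];
    size_t n = build_elf64(img, sizeof img, f, 2);
    return count_wx_load_segments(img, n - 56);
}

int main(void) {
    printf("clean library:   %d W+X load segment(s)\n", demo_clean_library());
    printf("rwx library:     %d W+X load segment(s)\n", demo_rwx_library());
    printf("truncated image: %d (not parseable)\n", demo_truncated_image());
    return 0;
}
```

To run the check against a real .so, read the file into a buffer and pass it to count_wx_load_segments; a result of 0 means the library will pass the new linker check, any positive count is the number of segments you need to fix in your build (typically by dropping a custom linker script or an executable-stack/RWX section attribute), and -1 means the file is not a parseable little-endian ELF image.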

Privacy

Apps that target all API levels

Android 6.0 already introduced some privacy-enhancing measures by returning a constant placeholder instead of real hardware identifiers (e.g., the Wi-Fi MAC address). Android O extends this to other identifiers. This is good news, because these identifiers were widely used by advertising companies to track users and their interests across apps. The following changes are copied directly from the Android O changelog:

  • Values of ANDROID_ID are now scoped per-app instead of per-user.
  • The value of ANDROID_ID is unique for each combination of application package name, signature, user, and device. Two apps running on the same device no longer see the same Android ID, and so cannot correlate.
  • The value of ANDROID_ID does not change on package uninstall or reinstall, as long as the package name and signing key are the same.
  • The value of ANDROID_ID does not change if the package signing key changes due to an update.
  • For apps that were installed prior to the OTA, the value of ANDROID_ID remains the same unless uninstalled and then reinstalled.

Apps that target Android O

  • The system properties net.dns1, net.dns2, net.dns3, and net.dns4 are no longer available.
  • To obtain networking information such as DNS servers, apps with the ACCESS_NETWORK_STATE permission can register a NetworkRequest or NetworkCallback object. These classes are available in Android 5.0 (API level 21) and higher.
  • Build.SERIAL is deprecated. Apps needing to know the hardware serial number should instead use the new Build.getSerial() method, which requires the READ_PHONE_STATE permission.
  • The LauncherApps API no longer allows work profile apps to get information about the primary profile. When a user is in a work profile, the LauncherApps API behaves as if no apps are installed in other profiles within the same profile group. As before, attempts to access unrelated profiles cause SecurityExceptions.

Conclusion

These security and privacy measures show that Google continues to harden Android by extending its defense-in-depth strategy. They also apply the principle of least privilege: web content is sandboxed through process isolation, and the linker refuses to map writable and executable segments into process memory. There is little doubt that these measures will improve the security posture of applications running on the new platform and ultimately benefit end users.
