Google Highlights Android Nougat Security
Google this week blogged about security enhancements in Android 7.0 Nougat on the same day the first security bulletin was issued for the brand-new mobile OS.
On Tuesday, Google issued Android Security Bulletin -- September 2016, announcing that a security update was released over-the-air (OTA) to Nexus devices, among the first to get the Nougat update, announced barely two weeks earlier.
Noting that it hasn't heard of any real-world exploits regarding the new security issues, Google said, "The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as e-mail, Web browsing and MMS when processing media files."
Also on Tuesday, Google posted Keeping Android safe: Security enhancements in Nougat.
- Direct Boot. Google said this new feature improves the Nougat UX by letting encrypted devices boot up with limited functionality before users have to enter credentials. Previously, such credentials (a PIN, unlock pattern or password) had to be entered during the boot process to unlock the screen. Now certain apps can run before security credentials are supplied. Developers can make certain apps Direct Boot-aware in the manifest.
Google earlier indicated good app candidates for this functionality include:
- Apps that schedule alarms, such as alarm clocks.
- Apps that provide important and timely notifications, like messaging apps.
- Apps that provide services to other apps or the system, such as Accessibility Services.
- File-based encryption. This is what enables Direct Boot. Instead of encrypting the whole disk as a single unit, system storage and user profile storage are secured separately. "Per-profile-based encryption enables the system to reboot normally into a functional state using just device keys," Google said. "Essential apps can opt-in to run in a limited state after reboot, and when you enter your lock screen credential, these apps then get access your user data to provide full functionality."
- Hardening the media stack. This involves a revamp of the mediaserver, described as "one of the main system services that processes untrusted input." Now, Nougat is protected against integer overflow vulnerabilities. Also, components of the media stack have been separated by sandboxes with stricter privileges that allow only needed functionality.
- Improved app security. This comes via several new features, including: opt-in data sharing; tighter restrictions on certificate authorities in order to control access to secure network traffic; the ability to more easily use a declarative configuration file to control network security policies; refined app permissions and capabilities to protect against dangerous apps; enhanced "clickjacking" protection; and more.
- Enhanced OTA update system. This helps to more easily keep devices up-to-date with the latest security measures. "We've made the install time for OTAs faster, and the OTA size smaller for security updates. You no longer have to wait for the optimizing apps step, which was one of the slowest parts of the update process, because the new JIT compiler has been optimized to make installs and updates lightning fast," Google said.
The company invited developers and users to provide security feedback such as security improvement suggestions via e-mail to firstname.lastname@example.org.
David Ramel is the editor of Visual Studio Magazine.