
Android Security - techiecheng.files.wordpress.com · Measuring exploitation difficulty: 0-day...

Date post: 28-May-2020
Android Security Transforming Perception Using Reality
Transcript
Page 1:

Android Security

Transforming Perception Using Reality

Page 2:

Android Security & Privacy Strategy

Protect every Android user

Each part of the Android ecosystem works together to build a strong defense that runs smoothly and effectively.

We’re transparent in everything we do. From our open source platform to keeping users informed, we share knowledge across our community.

We partner with expert teams across Google to help keep over 2 billion Android users safe.

Page 3:

Android Security & Privacy Team

Transparency

Measurability

Defend against Internet-borne threats

User experience that offers security & privacy CCC (comprehension, control, confidence)

Google Play Protect

Feature development

OS hardening, leverage HW, permissions, TEEs

Ecosystem

Platform Engineering

Vulnerability management

Full cycle, e.g. fuzzing and SPUR reviews, for AOSP and partners

Assurance

Page 4:

Three myths in Android enterprise deployments

Platform vulnerability risk

Malware risk

Fragmentation (e.g. patching)

Page 5:

1. Vulnerability Risk

Page 6:

It all starts with secure hardware

SOC

TEE

SE

TEE (Trusted Execution Environment): key generation, key import, signing and verification services are executed in hardware.

Secure Lock Screen, PIN verification & data encryption: (PIN + HW key) used to derive encryption keys.

Version binding ensures keys created with a newer OS cannot be used by older OS versions.

Rollback prevention (8.0+) prevents downgrading the OS to an older, less secure version or patch level.

Verified Boot provides cryptographic verification of the OS to ensure devices have not been compromised.

Tamper-resistant hardware (Android Pie) offers support to execute cryptographic functions in dedicated hardware.

Page 7:

SELinux, process isolation and sandboxing

Android is built on SELinux: if an exploit is found, the attack vector is limited to the domain the exploit is able to execute in.

Application sandboxing ensures that application and system data is inaccessible from other apps.

Each process runs in its own user ID (UID), limiting the exposure of apps to getting data from one another.

Work profile apps are prevented from communicating with personal apps by default.

Work profile apps run in a separate user space with separate encryption keys from personal apps, further limiting exposure.

EMMs cannot manage the personal device when the device is managed only via the Work Profile.

[Diagram: Android device with a primary profile (Personal app 1, Personal app 2) and a work profile (Work app 1, Work app 2)]

Page 8:

Anti-exploitation

ASLR/KASLR

Hardened ucopy

ASAN/Fuzzing

IOSan

CFI/KCFI

PAN

LTS

Bug = Exploit

Linux Kernel

HAL

Android Runtime

Native Libraries

Android Framework

Applications

Page 9:

Measuring exploitation difficulty: 0-day pricing

[Chart: 0-day prices for Android and iOS; price axis from $0.00 to $200,000.00; category labels: Verified Boot TEE/Enclave Remote Kernel Kernel]

Page 10:

Measuring exploitation difficulty: 0-day pricing

[Charts: three panels titled Mobile Pwn2Own 2016, Mobile Pwn2Own 2017 and Mobile Pwn2Own 2018; price axes in dollars; devices shown: iPhone, Nexus, iPhone X, Pixel, Pixel 2; categories shown: Sandbox, Unauth App Install, Browser, Short distance wireless, Messaging (SMS/MMS), Baseband, Kernel Bonus, Persistence Bonus]

Page 11:

2. Malware Risk

Page 12:

Malware is a universal risk

Page 13:

Malware protection should be built-in

Windows, Chrome/Chrome OS, Android/Play

Page 14:

World’s most widely used Anti-Malware solution

Security protection for everyone (Play and off-Play).

Always updating to provide the latest protections from Google AI.

Scans apps daily - from both within Google Play and outside of it.

Remediates by removing potentially harmful apps (PHA).

50B apps verified per day

2+B devices protected

500K apps analyzed per day

Page 15:

In 2018, the PHA download rate from Google Play was 0.04%, and from outside of Google Play it was 0.92%.

[Chart: Android PHA install rates over time, Q1 2017 to Q4 2018; y-axis: PHA install rate, 0% to 3%; series: Google Play (2018: 0.04%) and Outside of Google Play (2018: 0.92%)]

Page 16:

3. Fragmentation (e.g. patching)

Page 17:

Better abstraction with Project Treble

As of Android 8.0 we’ve separated the firmware.

[Diagram: OLD: OS and Firmware; NEW: OS, HAL (hardware abstraction layer) and Firmware]

This has resulted in faster upgrades to Android Pie for OEMs.

Page 18:

Android has many security defenders

Device manufacturers

SOC vendors

Mobile operators

Academic institutions

Independent security researchers

The worldwide Linux community

Page 19:

Source: Gartner, Inc., “Mobile OSs and Device Security: A Comparison of Platforms” Dec 2017

Setting the pace of security innovation

Video

Page 20:

Thank you

For additional information, check out android.com/security

