Android Security: Transforming Perception Using Reality
Android Security & Privacy Strategy: Protect every Android user
Each part of the Android ecosystem works together to build a strong defense that runs smoothly and effectively.
We’re transparent in everything we do. From our open source platform to keeping users informed, we share knowledge across our community.
We partner with expert teams across Google to help keep over 2 billion Android users safe.
Android Security & Privacy Team: Transparency, Measurability
Ecosystem: Defend against Internet-borne threats; user experience that offers security & privacy CCC (comprehension, control, confidence); Google Play Protect
Platform Engineering: Feature development; OS hardening, leveraging HW, permissions, TEEs
Assurance: Vulnerability management; full cycle, e.g. fuzzing and SPUR reviews, for AOSP and partners
Three myths in Android enterprise deployments
1. Platform vulnerability risk
2. Malware risk
3. Fragmentation (e.g. patching)
1. Vulnerability Risk
It all starts with secure hardware
(Diagram: SoC containing a TEE and an SE)
TEE (Trusted Execution Environment): key generation, key import, signing and verification services are executed in hardware.
Secure lock screen: PIN verification and data encryption; the PIN combined with a hardware key is used to derive encryption keys.
Version binding ensures that keys created with a newer OS cannot be used by older OS versions.
Rollback prevention (8.0+) prevents downgrading the OS to an older, less secure version or patch level.
Verified Boot provides cryptographic verification of the OS to ensure devices have not been compromised.
Tamper-resistant hardware (Android Pie) offers support for executing cryptographic functions in dedicated hardware.
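To make the hardware-backed key story above concrete, here is an added example (not code from the slide deck or from Google) of how an app asks the Android Keystore for a signing key that is created and used inside secure hardware: it requests the tamper-resistant StrongBox chip first, falls back to the TEE-backed Keystore when the device has none, ties key use to the secure lock screen, and then checks where the key actually lives. The alias and the challenge bytes are assumptions; the classes and methods are the public `android.security.keystore` and `java.security` APIs.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class HardwareKeyDemo {
    private static final String ALIAS = "demo_signing_key";   // hypothetical key alias
    private static final String PROVIDER = "AndroidKeyStore";

    // Generate an EC signing key whose private half never leaves secure hardware.
    // StrongBox (dedicated tamper-resistant hardware, Android 9+) is tried first;
    // if the device has no StrongBox, fall back to the TEE-backed Keystore.
    public static KeyPair generate(byte[] attestationChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        try {
            kpg.initialize(buildSpec(attestationChallenge, true));
            return kpg.generateKeyPair();
        } catch (StrongBoxUnavailableException e) {
            kpg.initialize(buildSpec(attestationChallenge, false));
            return kpg.generateKeyPair();
        }
    }

    private static KeyGenParameterSpec buildSpec(byte[] challenge, boolean strongBox) {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Key use requires a recent lock-screen unlock (PIN/biometric), enforced by the secure hardware.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(30)
                // Challenge supplied by the relying party; it is embedded in the attestation certificate.
                .setAttestationChallenge(challenge);
        if (strongBox) {
            b.setIsStrongBoxBacked(true);
        }
        return b.build();
    }

    // Check that the private key material is held in secure hardware (TEE or StrongBox).
    public static boolean isHardwareBacked(KeyPair kp) throws Exception {
        KeyFactory factory = KeyFactory.getInstance(kp.getPrivate().getAlgorithm(), PROVIDER);
        KeyInfo info = factory.getKeySpec(kp.getPrivate(), KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    // Attestation chain for the key: leaf certificate with the key attestation extension,
    // chained up to Google's hardware attestation root. A relying party validates this
    // chain off-device before trusting signatures made with the key.
    public static Certificate[] attestationChain() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        return ks.getCertificateChain(ALIAS);
    }
}
```

The important design point is that the check happens on both sides: `isInsideSecureHardware()` (superseded by `KeyInfo.getSecurityLevel()` on Android 12+) tells the app what it got, while the attestation chain lets a server confirm, independently of the app, that the key was generated in hardware with the requested properties. The `StrongBoxUnavailableException` fallback is deliberate: a TEE-backed key is still hardware-protected, and refusing to run on devices without a dedicated secure element would exclude most of the installed base.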
SELinux, process isolation and sandboxing
Android is built on SELinux: if an exploit is found, the attack vector is limited to the domain in which the exploit is able to execute.
Application sandboxing ensures that application and system data is inaccessible from other apps.
Each process runs under its own user ID (UID), limiting the ability of apps to obtain data from one another.
Work profile apps are prevented from communicating with personal apps by default.
Work profile apps run in a separate user space with separate encryption keys from personal apps, further limiting exposure.
EMMs cannot manage the personal side of the device when the device is managed only via the Work Profile.
(Diagram: Android device with a primary profile containing Personal app 1 and Personal app 2, and a separate work profile containing Work app 1 and Work app 2)
Anti-exploitation
(Diagram: mitigations ASLR/KASLR, hardened usercopy, ASAN/fuzzing, IOSan, CFI/KCFI, PAN and LTS applied across the stack: Applications, Android Framework, Native Libraries, Android Runtime, HAL, Linux Kernel. Caption: Bug = Exploit)
Measuring exploitation difficulty: 0-day pricing
(Chart: 0-day prices, Android vs iOS, for Verified Boot, TEE/Enclave, Remote Kernel and Kernel exploits)
(Chart: 0-day prices, iPhone vs Nexus, for Sandbox and Unauth App Install; iPhone X for Browser and Short distance wireless)
(Chart: Mobile Pwn2Own 2016, 2017 and 2018 prizes for iPhone, Pixel and Pixel 2 across Browser, Kernel Bonus, Persistence Bonus, Messaging (SMS/MMS) and Baseband categories)
2. Malware Risk
Malware is a universal risk
Malware protection should be built-in
Windows, Chrome/Chrome OS, Android/Play
World’s most widely used Anti-Malware solution
Security protection for everyone (Play and off-Play).
Always updating to provide the latest protections from Google AI.
Scans apps daily - from both within Google Play and outside of it.
Remediates by removing potentially harmful apps (PHA).
50B apps verified per day
2+B devices protected
500K apps analyzed per day
In 2018, the PHA install rate was 0.04% for downloads from Google Play and 0.92% for downloads from outside of Google Play.
Android PHA install rates over time
(Chart: PHA install rate, 0% to 3%, for Google Play vs outside of Google Play, Q1 2017 through Q4 2018; 2018 values 0.04% and 0.92%)
3. Fragmentation (e.g. patching)
Better abstraction with Project Treble
As of Android 8.0 we’ve separated the firmware.
(Diagram: OLD: OS and firmware combined; NEW: OS separated from firmware by the HAL (hardware abstraction layer))
This has resulted in faster upgrades to Android Pie for OEMs.
Android has many security defenders
Device manufacturers
SOC vendors
Mobile operators
Academic institutions
Independent security researchers
The worldwide Linux community
Source: Gartner, Inc., “Mobile OSs and Device Security: A Comparison of Platforms”, Dec 2017
Setting the pace of security innovation