MOUNTAIN VIEW, Calif. -- The newest Android P security enhancements make it clear that Google has been watching the news and has seen the various ways its mobile operating system has been compromised over the past year.
In addition to the near constant reports of Android malware (regardless of how likely it is any of such malware makes it to users), the past year has brought spying tools that use a device's microphone and camera and a continued effort by the FBI and law enforcement to crack device encryption. Android P security includes mitigations for these issues with trusted identity verification, as well as other features.
Dave Kleidermacher, product security lead for Android, Google Play and Chrome OS, and Xiaowen Xin, product manager for security features in Android at Google, detailed the Android P security improvements at the company's I/O developer conference Thursday.
Kleidermacher said there are "three pillars" to the Android Security Strategy -- Google Play Protect, platform engineering and the security development lifecycle (SDLC). Part of the SDLC is to push OEMs to release security patches more quickly, including adding security patch clauses to the Android OEM agreement.
The efforts of Google Play Protect to reduce potentially harmful apps (PHAs) both in the Play Store and those installed from third-party sources has been a success, Kleidermacher said. "The odds of loading a PHA from Google Play is the same as getting struck by lightning."
Identity and authentication
A main focus of Android P security appears to be identity and authentication. According to Kleidermacher, Android Protected Confirmation is an effort to "break through the trust ceiling" with mobile devices to enable stronger authentication for actions like managing medical devices, transferring large sums of money, and possibly even voting via mobile device.
"The key innovation here is Protected Confirmation is the first time in any major operating system API that we now have the ability to execute a high assurance transaction, a user transaction completely within secure hardware running in a Trusted Execution Environment -- or TEE -- that runs separate from the main operating system," Kleidermacher said.
Android Protected Confirmation will rely on a TEE: a separate microprocessor that alone is allowed access to certain parts of RAM and storage with sensitive data. Kleidermacher said, even if a device has been infected, "root level malware cannot corrupt the integrity of that transaction."
Because Android Protected Confirmation requires hardware integration, it will be optional in Android P, but Google has been working with Qualcomm to ensure TEEs are built into mobile chips.
Google showed off software currently in development that takes advantage of these Android P security features, including money transfers with the Royal Bank of Canada and products from Nok Nok Labs and Duo Security, which will provide "a higher level of assurance" for an enterprise identity authentication.
Kleidermacher confirmed to reporters after the session that the upcoming Pixel 3 will support Android Protected Confirmation, but he couldn't say what other hardware partners would include the feature "because it requires software work in addition to hardware support."
In addition, Kleidermacher said Google has been considering expanding its transparency report to make it easier for users and enterprises to know what devices have support for these advanced security features. Currently, the transparency report details the security patch level of various devices.
Data and device integrity
Xin said Android P security will also aim to provide stronger protection for security keys. The aim with this improvement could help make a phone a more secure hardware second factor item or make it so only your phone can make a transaction such as replacing a transit card or credit card. Android P will add a new Keystore called StrongBox, which will use tamper-resistant hardware with isolated CPU, RAM and storage. Like Android Protected Confirmation, StrongBox is hardware-dependent, so not all devices will support it.
Xin said new keyguard-bound keys will require an unlocked device to decrypt data, and will make it harder for an attacker to gain access to sensitive data. Beyond this, Android P will allow another prompt to reauthenticate a user even if the device has been unlocked with the BiometricPrompt API. This is a replacement of an old API -- FingerprintManager -- which was focused solely on fingerprints as biometric security. Xin said BiometricPrompt is great for authenticating in a native app, but Android P will also include WebAuthn and FIDO2 for using biometrics to authenticate on a website.
TLS will be default for data-in-transit in Android P, and Xin said any apps targeted at the Android P API level that do not support TLS will cause an exception in code.
"Using TLS should be a no-brainer for apps today because it protects the privacy of your users and it also protects your content from being modified in transit, whether it's injection of unwanted ads or injection of tracking identifiers or specially formatted data to exploit a weakness in your app," Xin said.
Xin added that Android P security will make life easier for developers who need to be FIPS-compliant. The method of securing SSL traffic on Android recently received CBAP certificates from NIST for many FIPS-approved algorithms.
"This means that developers targeting regulated industries now basically have automatic FIPS compliance built in," Xin said.
Xin added that Android P will be the first OS to have DNS over TLS built in by default. It will also include lock down mode, which will disable biometric login and prevent the lock screen from showing any notifications.
Key attestation has been updated as well. This allows confirmation that the device is running official firmware, along with what security patch level it has, with an accepted hash.
Xin said privacy is also an important area for Android P security. Regardless of the API level of the app, Android P will only allow access to device microphone, camera and other sensors to apps in the foreground. If your app is in the background and idle, you cannot access sensor data. If apps in the background want to access this data, it will need to create a persistent notification to let the user know what is happening.
Android P is scheduled for initial release in the summer. Due to Google's Project Treble efforts, more devices should get the update faster, but as is the case with Android OS updates, it is unclear when or if users will receive the update and its new features.