Google is improving Android N security with three major changes -- and experts are generally bullish on the updates, except where Android has always lagged behind in the speed of patching.
The next major version of Google's mobile operating system (OS), Android N, was shown off at Google I/O, Google's annual developer conference, with three featured security improvements: file-level encryption, media server hardening and seamless updates. But experts had unanswered questions on the efficacy of the improvements.
Hardening of the media server was one Android N security improvement that won praise from experts, and it is expected to eliminate vulnerabilities such as Stagefright that leverage the access media files have to the Android system.
Tod Beardsley, security research manager at Rapid7, based in Boston, said the best change to the Android media server was in the permissions model.
"Splitting up the permissions model for the various media server components is a great move; after all, refactoring large, monolithic code bases into smaller, independently updatable chunks tends to mean faster turnaround and availability for patches as vulnerabilities are discovered," Beardsley said. "Recall when Google split off the WebView component from the main operating system; you no longer had to wait for an Android update just to get a patch to WebView and instead could get them through the Play Store. This was a huge win for Android, and I expect that the privilege separation for media functions to have a similarly positive effect."
Patrick Hevesi, research director of security and risk management for Gartner, agreed, but tempered his statements.
"Hardening and having [the media server] run in least privilege is a best practice for security development," Hevesi said. "It should help fix the known issues, but attackers are constantly finding new vulnerabilities. It is a good step in the right direction; it will make it more difficult for the hackers."
File-level encryption is expected to give more granular control over what data is encrypted and should also provide a boost to performance, compared with the block-level encryption currently used by Android. However, Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said there would still be holes in Android N security with this feature.
"The downside is that some areas of the file system -- i.e., the swap partition -- could include unencrypted copies of the encrypted files and an attacker could easily read these," Arsene said.
Beardsley said file-level encryption leaves more potential for individual components to break security.
"It may be a sensible compromise on the all-or-none nature of block-level encryption. On the other [hand], I'm worried that without disk encryption, Google has weakened Android's security posture," Beardsley said. "If the intent is for users to rely completely on file encryption, and if some handsets opt out of disk encryption, I'm worried that there's potential for individual apps to mess up their encryption scheme and accidentally leak important, sensitive data unexpectedly. With file-level encryption, I need to trust that every component is individually doing the right thing with regard to encryption."
The Android N security feature that Google is calling seamless updates is the most controversial, because Google hasn't offered details on whether it will affect patching. The new Android N seamless updates will work similarly to updates in Chrome OS, which means each device will have two system partitions -- one for the old system image and one for the updated image -- and the OS will switch to the updated image automatically on a reboot.
Functionally, this means no user interaction is needed to install a patch or system update, other than rebooting the device. Google has confirmed the feature will not be available on current Android devices that need to be upgraded to Android N, because it would be too risky for end users to create the dual-system partitions needed, so only devices that ship with Android N will support the new feature.
However, Google has not commented on whether this change will address how Android updates and patches make it from Google to end users, a process which is slowed down by manufacturer customization and carrier testing.
Beardsley noted that even if seamless updates have an effect on the Android ecosystem, the change may not be visible for years to come.
"Consider the Marshmallow release was in beta a year ago and hit general availability in October, and so far, [it] only enjoys a 7.5% penetration (according to Google's developer dashboard). Lollipop was released 18 months ago and just now edged out KitKat's install base to win a plurality of 36% installation among active Android devices," Beardsley said. "Unless and until those millions and millions of legacy Android devices get up to date, I don't see this seamless update feature -- as welcome as it is -- to make a serious impact in the existing install base in the near future."
Hevesi said the change could lead to headaches for IT staff.
"This will eliminate the need for the user to do something to keep it up to date, which will help, but could also cause IT issues. IT wants to do testing with the latest OSes and updates to ensure that their corporate image and [line-of-business] applications will work, so they do not like this forcing mentality," Hevesi said. "But on the vulnerability management and security side, having the latest and greatest with the security updates is critical. It will be interesting to see how well they push the phone carriers to allow the direct to consumer updates to happen."
Arsene said this Android N security feature could be considered more of a user experience upgrade than a true security update.
"Considering the old update process involved some device downtime while it was booting and optimizing apps, the new seamless update should make the entire experience a lot more bearable, with minimum impact on usability. After a simple device reboot, they could start using their phones again," Arsene said. "However, despite the fact that updates will be installed a lot faster and more seamlessly, there's still the matter of Google quickly patching vulnerabilities. Quickly plugging vulnerabilities is just as important as having a quick pipeline for delivering them, [or] else nothing really changes in terms of security."