Tuesday, March 13, 2018

Android P's security updates, why they matter

Android P, the long-awaited upgrade to Android Oreo, has finally launched the Android P Developer Preview. The security updates in the new version are welcomed with data privacy concerns increasing by the day. 

The most significant and avidly requested security upgrade has been to stop apps from spying on Android users. Even on public networks, the new Google operating system (OS) aims to provide more privacy and give stronger protection against unsecured traffic. 

Android, in general, has five key security features including security at the operating system level through the Linux kernel, a mandatory application sandbox, secure inter-process communication, and application signing. It also specifies application defined and user granted permissions. 

Android P has streamlined its updates in a way that makes the existing infrastructure less permeable to vulnerabilities.

No more spying apps

On January 19, the commit by Android Open Source Project (AOSP) had already stated that if any background application tried to activate your camera or microphone on Android P, it would receive an error code instead.

This guards against malware such as GhostCntrl, that has been known to lurk in the background while slyly recording conversations and images. It also prevents applications from abusing any of the permissions given by the user. 

It basically disables apps from accessing any of the sensors, and if the app genuinely does need access, it has to create a foreground process. This will enable Android P to notify the user with a persistent notification when an app is using the camera or the microphone of the device.

The one exception to this feature is the GPS sensor. It has its own standalone toggle so users already have control over app permissions and when to switch it on. 

Safer data backup

When a user wants to restore data onto a device, they will have to enter a unique passcode to gain access. Without that code, the encrypted backup won’t accessible to anyone, including Google.

The unique passcode can be anything from the users PIN, passcode, or pattern. Backups have always been encrypted but now Google has added client-side encryption, which makes the process exclusive to the user’s device making it harder to hack. 

App data traffic encryption and network security

Android P will enforce HTTPS encrypted connections by default for all app traffic. It’s not an absolute requirement, but if an app does not want to use HTTPS, they’ll have to actively opt out.

Google’s basically built on what they had already done for Android Oreo that is, the ‘cleartext’ protocol, which was optional then but is now, a default feature that’s fully active on Android P. 

One side of the issue is traffic encryption and the other is accessing a network, to begin with. Each time an Android device connects to the net, it does so by reiterating its MAC address. This opens up the possibility of malware or hackers tracking that particular MAC address as the user connects to different networks and moves about. 

Google aims to overcome this by allowing the option of generating random MAC address, which will change every time you connect to a new network or re-connect to an old one. Singular sessions will have a constant MAC address, but overall, every session will show your device as having a different ID. Thus, the possibility of being tracked or stalked reduces to a great extent.

Unique identifier protection

Every Android device comes with a unique ID known as the ‘build.serial identifier’. This serial number is different for every device. Even if a user resets their phone or sells it to someone else, the serial number will not change. 

Before Android P, apps could access that number and store it within their own database. On Android O, Google limited that ability. And now, with Android P, that access is completely taken away until and unless the user specifically gives permission to the app. 

Standardised user interface (UI) for fingerprint access

Using fingerprints to access your phone is a very powerful feature but so far, the process was neither consistent nor clear. Every app had their own interface and own method of unlocking. Android P streamlines this issue by having a standard UI for fingerprint access, regardless of whether it’s for the system or for an app.

Older application programming interfaces (APIs) warning

Every OS update on Android comes with its own set of new APIs, which are basically interfaces used by developers to access app data and tap into features within the app. Newer APIs normally come with better security and privacy, so when a particular app doesn’t avail that opportunity, it can potentially put a user at more risk than is required. 

Android P overcomes this loophole by alerting the user when an application is running on an older API than what is available on the OS. Thus, any new app updates will be required to use newer APIs. 

According to Google, this upgrades security and keeps the user informed about their vulnerability if they’re using apps that haven’t been updated, without taking those apps out of the equation altogether. 

At the end of the day, it’s all about informed consent.



from blogger-2 http://ift.tt/2IkYrbg
via IFTTT

No comments:

Post a Comment