Adapted from Android Developers Blog
Android Oreo is packed full of security enhancements. Over the past months a lot has been said about the work done in this area on the Android platform and in its applications: safer app installation, deprecation of insecure network protocols, giving users more control over identifiers, hardening the kernel, making Android updates easier, and doubling the payouts for Android Security Rewards. Now that Oreo has shipped, it is time to look at what has been achieved overall.
Advanced hardware security support
Android already supported Verified Boot, which is designed to prevent a device from booting software that has been tampered with. Android Oreo adds a reference implementation of Verified Boot that works with Project Treble, called Android Verified Boot 2.0 (AVB). AVB has a couple of features that make updates easier and more secure, among them rollback protection. Rollback protection is designed to prevent a device from booting if the OS has been downgraded to an older version, which may carry known vulnerabilities. To make this possible, devices store the OS version so that it cannot be tampered with, by having the Trusted Execution Environment (TEE) sign the data. Pixel 2 and Pixel 2 XL ship with this protection, and other device manufacturers are encouraged to add the feature to their new devices.
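The rollback-protection logic described above, reduced to its core, as an added example in C. This is not AVB's code: the "secure store" is a plain struct standing in for the TEE-backed storage a real device uses, the signature check is modelled as a precomputed boolean, and the slot count, the image metadata struct and the sample images are all constructed for the example. The two points it shows are the order of the checks (the signature must verify before the rollback index means anything) and that the stored counter is only advanced once the new image has actually booted successfully.

```c
/* Added example (not AVB's code): an AVB-style rollback index check.
 * Storage, metadata layout and sample images are illustrative. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ROLLBACK_SLOTS 4  /* assumption: a handful of independent rollback index locations */

/* Stand-in for tamper-resistant storage holding one monotonic counter per slot. */
typedef struct {
    uint64_t index[ROLLBACK_SLOTS];
} secure_store_t;

/* The parts of a signed image's metadata that the check needs. */
typedef struct {
    bool signature_valid;    /* outcome of verifying the metadata signature with the OEM key */
    unsigned slot;           /* rollback index location this image is bound to */
    uint64_t rollback_index; /* version counter stamped into the signed metadata */
} image_meta_t;

typedef enum {
    BOOT_OK,
    BOOT_BAD_SIGNATURE,  /* unsigned or tampered metadata: its rollback index is untrusted */
    BOOT_BAD_SLOT,
    BOOT_ROLLBACK        /* image is older than what this device has already booted */
} boot_result_t;

/* Decide whether the image may boot. The signature is checked first: the
 * rollback index only means something once the metadata is known to be
 * authentic, otherwise an attacker could stamp a large number on an old image. */
boot_result_t check_image(const secure_store_t *store, const image_meta_t *img) {
    if (!img->signature_valid)
        return BOOT_BAD_SIGNATURE;
    if (img->slot >= ROLLBACK_SLOTS)
        return BOOT_BAD_SLOT;
    if (img->rollback_index < store->index[img->slot])
        return BOOT_ROLLBACK;
    return BOOT_OK;
}

/* Commit the image's rollback index to the store. Called only once the new
 * image has booted successfully (with A/B updates, once the slot is marked
 * successful): committing earlier would lock the device out of the previous
 * working image if the update fails to boot. */
void commit_rollback_index(secure_store_t *store, const image_meta_t *img) {
    if (img->rollback_index > store->index[img->slot])
        store->index[img->slot] = img->rollback_index;  /* counters only move forward */
}

/* One boot attempt: verify, boot, and commit only on confirmed success. */
boot_result_t boot_attempt(secure_store_t *store, const image_meta_t *img, bool boot_succeeded) {
    boot_result_t r = check_image(store, img);
    if (r == BOOT_OK && boot_succeeded)
        commit_rollback_index(store, img);
    return r;
}

int main(void) {
    secure_store_t store = {{0}};
    image_meta_t v5 = { true, 0, 5 };       /* constructed: current OS build */
    image_meta_t v3 = { true, 0, 3 };       /* constructed: older build with a known bug */
    image_meta_t forged = { false, 0, 99 }; /* constructed: unsigned image with a big index */

    printf("v5: result %d, stored index now %llu\n",
           boot_attempt(&store, &v5, true), (unsigned long long)store.index[0]);
    printf("v3 after v5: result %d (3 == BOOT_ROLLBACK)\n", boot_attempt(&store, &v3, true));
    printf("forged: result %d (1 == BOOT_BAD_SIGNATURE)\n", boot_attempt(&store, &forged, true));
    return 0;
}
```

A real bootloader reads the counters from the TEE or a secure element and verifies the metadata signature with the vendor's public key; the check itself is exactly this comparison against a counter that never decreases.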
Oreo also includes a new OEM Lock Hardware Abstraction Layer (HAL), which gives device manufacturers more flexibility in how they protect whether a device is locked, unlocked, or unlockable. For example, the newer Pixel devices use this HAL to pass commands to the bootloader. The bootloader examines these commands on the next boot and decides whether the lock state, which is stored securely in the Replay Protected Memory Block (RPMB), should change. If your device is stolen, these safeguards are intended to prevent it from being reset and to keep your data secure. The new HAL even supports moving the lock state into dedicated hardware.
On the hardware side, Google is investing in support for tamper-resistant hardware, such as the security module found in every Pixel 2 and Pixel 2 XL. This physical chip prevents many software and hardware attacks and also resists physical penetration. The security module prevents the encryption key from being derived without the device's passcode and rate-limits unlock attempts, which makes many brute-force attacks infeasible because of the time they would take.
While Pixel devices have the dedicated security module, all new devices shipping with Google services and Android Oreo must implement key attestation. This provides a mechanism for strongly attesting identifiers such as hardware IDs.
New features have also been added for enterprise-managed devices. In work profiles, encryption keys are now evicted from RAM when the profile is turned off or when your company's administrator remotely locks the profile. This helps keep corporate data secure at rest.
Increased platform security and process isolation
As part of Project Treble, the Android framework was re-architected to make updates easier and less costly for device manufacturers. This separation of platform code from vendor-specific code also improves security. Following the principle of least privilege, the vendor HALs run in their own sandbox and have access only to the drivers and permissions they absolutely need.
Continuing the media stack hardening started in Android Nougat, Oreo removes most direct hardware access from the media frameworks, resulting in better isolation. Moreover, Control Flow Integrity (CFI) has been enabled across all media components. Most vulnerabilities today are exploited by subverting the normal control flow of an application so that it performs arbitrary malicious actions with all the privileges of the exploited process. CFI is a robust mitigation that disallows arbitrary changes to the original control flow graph of a compiled binary, making such attacks significantly harder to carry out.
In addition to these architecture changes and CFI, Android Oreo comes with a number of other platform security enhancements:
- Seccomp filtering: makes a number of unused system calls unavailable to applications, so that they cannot be exploited by potentially harmful apps;
- Hardened usercopy: a recent survey of Android security bugs found that invalid or missing bounds checking accounted for about 45% of kernel vulnerabilities. A bounds-checking feature was therefore backported to Android kernels 3.18 and later; it makes exploitation harder and also helps developers spot and fix bugs in their own code;
- Privileged Access Never (PAN) emulation: also backported to kernels 3.18 and later, this feature prohibits the kernel from accessing user space directly and ensures that developers use the hardened accessor functions for it;
- Kernel Address Space Layout Randomization (KASLR): although Android has supported user-space ASLR for years, KASLR has been backported to Android kernels 4.4 and later to help mitigate kernel vulnerabilities. KASLR randomizes the address at which kernel code is loaded on each boot, making code-reuse attacks probabilistic and therefore harder to carry out, especially remotely.
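For the seccomp filtering item above, an added example in C of the kind of allowlist filter a seccomp-bpf policy is: this is my own illustration, not Android's generated policy, which allows the full set of syscalls bionic uses. The four-entry allowlist, the choice to kill the process on a denied syscall, and the offline evaluator are assumptions of the example; it needs Linux headers and is written for x86_64 or aarch64. The architecture check at the top is the part people forget: without it a caller can switch to the 32-bit syscall table, where the same numbers mean different calls.

```c
/* Added example (not Android's code): an allowlist-style seccomp-bpf filter,
 * plus a tiny evaluator so the policy can be tested before it is installed.
 * The allowlist and the deny action are illustrative choices. */
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Kill the whole process on a denied call; older headers only have the
 * thread-kill value, so fall back to it there. */
#ifdef SECCOMP_RET_KILL_PROCESS
#  define DENY_ACTION SECCOMP_RET_KILL_PROCESS
#else
#  define DENY_ACTION SECCOMP_RET_KILL
#endif

/* Assumed allowlist: the only syscalls the sandboxed code is expected to make. */
static const uint32_t allowed_syscalls[] = { __NR_read, __NR_write, __NR_exit_group, __NR_getpid };
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))
#define MAX_INSNS (8 + 2 * N_ALLOWED)

/* Emit: arch check, then one compare-and-allow pair per entry, then default deny. */
static size_t build_filter(struct sock_filter *insns) {
    size_t n = 0;
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY_ACTION);  /* wrong ABI: deny */
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed_syscalls[i], 0, 1);
        insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY_ACTION);  /* not listed: deny */
    return n;
}

/* Interpreter for the three instruction forms used above (load field, compare
 * with constant, return). Jump offsets are relative to the next instruction,
 * as in real BPF. Returns the SECCOMP_RET_* action the kernel would take. */
static uint32_t eval_filter(const struct sock_filter *insns, size_t n, uint32_t arch, uint32_t nr) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *f = &insns[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (f->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else if (f->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else return DENY_ACTION;  /* field this policy never reads */
        } else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == f->k) ? f->jt : f->jf;
        } else if (f->code == (BPF_RET | BPF_K)) {
            return f->k;
        } else {
            return DENY_ACTION;
        }
    }
    return DENY_ACTION;  /* fell off the end: treat as deny */
}

/* What the installed policy decides for a given (arch, syscall number). */
uint32_t policy_decision(uint32_t arch, uint32_t nr) {
    struct sock_filter insns[MAX_INSNS];
    size_t n = build_filter(insns);
    return eval_filter(insns, n, arch, nr);
}

static int install_filter(void) {
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns), .filter = insns };
    /* Required for an unprivileged process, and it stops setuid binaries from
     * regaining privilege while running under the filtered policy. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    if (install_filter() != 0) return 1;
    /* write() and getpid() are allowed; stdio is avoided because its first
     * use makes fstat/ioctl calls that this policy would kill. */
    static const char msg[] = "filter installed\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    (void)getpid();
    syscall(__NR_getppid);  /* not on the allowlist: the kernel kills us here */
    _exit(0);               /* not reached */
}
```

Android's real policy is generated from the syscalls its C library needs per architecture and installed early by the zygote, so every app inherits it; the shape (arch check, allowlist, default kill) is the same as this example.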
App Security and Device ID Changes
Android Instant Apps run in a restricted sandbox that limits permissions and capabilities, such as reading the list of apps on the device or transmitting cleartext traffic. Although introduced with the Android Oreo release, Instant Apps support devices running Android Lollipop and later.
To handle untrusted content more safely, WebView has been isolated by moving the rendering engine into a separate process that runs in an isolated sandbox restricting the resources available to it. WebView also supports Safe Browsing to protect against potentially dangerous sites.
Finally, significant changes have been made to device identifiers to give users more control, including the following:
- The static Android ID and Widevine values have been moved to app-scoped values, which limits the use of device-scoped, non-resettable identifiers.
- In accordance with the IETF RFC 7844 anonymity profile, net.hostname is now empty and the DHCP client no longer sends a hostname.
- For apps that require a device ID, a Build.getSerial() API was created and protected behind a permission.
- Together with security researchers from the University of Lyon and a number of other organizations, robust MAC address randomization for Wi-Fi scan traffic has been designed across a variety of chipset firmware.
The developers of Android Oreo promise to keep improving the platform's security, including on the basis of user feedback and suggestions.