Posted by Xiaowen Xin, Android Security Team
Over the course of the summer, we previewed a variety of security enhancements in
Android 7.0 Nougat: an increased focus on security with our vulnerability
rewards program, a new Direct
Boot mode, re-architected mediaserver and hardened
media stack, apps that are protected from accidental
regressions to cleartext traffic, an update to the way Android handles trusted
certificate authorities, strict enforcement of verified
boot with error correction, and updates
to the Linux kernel to reduce the attack surface and increase memory
protection. Phew!
Now that Nougat has begun to roll out, we wanted to recap these updates in a
single overview and highlight a few new improvements.
Direct Boot and encryption
In previous versions of Android, users with encrypted devices would have to
enter their PIN/pattern/password by default during the boot process to decrypt
their storage area and finish booting. With Android 7.0 Nougat, we’ve updated
the underlying encryption scheme and streamlined the boot process to speed up
rebooting your phone. Now your phone’s main features, like the phone app and
your alarm clock, are ready right away before you even type your PIN, so people
can call you and your alarm clock can wake you up. We call this feature Direct
Boot.
Under the hood, file-based encryption enables this improved user experience.
With this new encryption scheme, the system storage area, as well as each user
profile storage area, are all encrypted separately. Unlike with full-disk
encryption, where all data was encrypted as a single unit, per-profile-based
encryption enables the system to reboot normally into a functional state using
just device keys. Essential apps can opt-in to run in a limited state after
reboot, and when you enter your lock screen credential, these apps then get
access your user data to provide full functionality.
File-based encryption better isolates and protects individual users and profiles
on a device by encrypting data at a finer granularity. Each profile is encrypted
using a unique key that can only be unlocked by your PIN or password, so that
your data can only be decrypted by you.
Encryption support is getting stronger across the Android ecosystem as well.
Starting with Marshmallow, all capable devices were required to support
encryption. Many devices, like Nexus 5X and 6P also use unique keys that are
accessible only with trusted hardware, such as the ARM TrustZone. Now with 7.0
Nougat, all new capable Android devices must also have this kind of hardware
support for key storage and provide brute force protection while verifying your
lock screen credential before these keys can be used. This way, all of your data
can only be decrypted on that exact device and only by you.
The media stack and platform hardening
In Android Nougat, we’ve both hardened and re-architected
mediaserver, one of the main system services that processes untrusted input.
First, by incorporating integer overflow sanitization, part of Clang’s UndefinedBehaviorSanitizer,
we prevent an entire class of vulnerabilities, which comprise the majority of
reported libstagefright bugs. As soon as an integer overflow is detected, we
shut down the process so an attack is stopped. Second, we’ve modularized the
media stack to put different components into individual sandboxes and tightened
the privileges of each sandbox to have the minimum privileges required to
perform its job. With this containment technique, a compromise in many parts of
the stack grants the attacker access to significantly fewer permissions and
significantly reduced exposed kernel attack surface.
In addition to hardening the mediaserver, we’ve added a large list of
protections for the platform, including:
-
Verified Boot: Verified Boot is now strictly enforced to
prevent compromised devices from booting; it supports error
correction to improve reliability against non-malicious data corruption.
-
SELinux: Updated SELinux configuration and increased
Seccomp coverage further locks down the application sandbox and reduces attack
surface.
-
Library load order randomization and improved ASLR:
Increased randomness makes some code-reuse attacks less reliable.
-
Kernel
hardening: Added additional memory protection for newer kernels by
marking
portions of kernel memory as read-only, restricting
kernel access to userspace addresses, and further reducing the existing
attack surface.
-
APK
signature scheme v2: Introduced a whole-file signature scheme that
improves verification
speed and strengthens integrity guarantees.
App security improvements
Android Nougat is the safest and easiest version of Android for application
developers to use.
- Apps that want to share data with other apps now must explicitly opt-in by
offering their files through a Content
Provider, like FileProvider.
The application private directory (usually /data/data/) is now set to
Linux permission 0700 for apps targeting API Level 24+.
- To make it easier for apps to control access to their secure network
traffic, user-installed certificate authorities and those installed through
Device Admin APIs are no
longer trusted by default for apps targeting API Level 24+. Additionally,
all new Android devices must ship with the same
trusted CA store.
- With Network
Security Config, developers can more easily configure network security
policy through a declarative configuration file. This includes blocking
cleartext traffic, configuring the set of trusted CAs and certificates, and
setting up a separate debug configuration.
We’ve also continued to refine app permissions and capabilities to protect you
from potentially harmful apps.
- To improve device privacy, we have further restricted and removed access to
persistent device identifiers such as MAC addresses.
- User interface overlays can no longer be displayed on top of permissions
dialogs. This “clickjacking” technique was used by some apps to attempt to gain
permissions improperly.
- We’ve reduced the power of device admin applications so they can no longer
change your lockscreen if you have a lockscreen set, and device admin will no
longer be notified of impending disable via onDisableRequested().
These were tactics used by some ransomware to gain control of a
device.
System Updates
Lastly, we’ve made significant enhancements to the OTA update system to keep
your device up-to-date much more easily with the latest system software and
security patches. We’ve made the install time for OTAs faster, and the OTA size
smaller for security updates. You no longer have to wait for the optimizing apps
step, which was one of the slowest parts of the update process, because the new
JIT compiler has been optimized
to make installs and updates lightning fast.
The update experience is even faster for new Android devices running Nougat with
updated firmware. Like they do with Chromebooks, updates are applied in the
background while the device continues to run normally. These updates are applied
to a different system partition, and when you reboot, it will seamlessly switch
to that new partition running the new system software version.
We’re constantly working to improve Android security and Android Nougat brings
significant security improvements across all fronts. As always, we appreciate
feedback on our work and welcome suggestions for how we can improve Android.
Contact us at .