Android’s recently released Oreo update packs in plenty of features, including a battery life boost and a notifications rethink. But Oreo’s most important improvements will happen behind the scenes, with a host of security updates designed to evolve with ever-expanding digital threats. From halting ransomware to blocking malicious apps and easing Android’s longstanding fragmentation woes, Oreo tackles some big problems. For the security developers who work behind the scenes, though, it’s just one more step on a journey that never really ends.
With over two billion monthly active devices, the majority of them not on the latest—or even a recent—version, Android presents a popular target for hackers. Stopping them takes more than a yearly release. It takes the kind of long-view, holistic effort that Google has employed for years.
“It’s funny how much the world focuses on the launch of a specific product. In the security world that approach doesn’t really work,” says Adrian Ludwig, the director of Android Security. “Sometimes a change we made three years ago becomes relevant this year, or a change we’re making now becomes relevant four years from now. It’s iterative, we make changes with every release. Visibility and quick response go hand in hand with the ability to make longer-term changes and bake them into the platform.”
Android Security’s long view may be an asset, but the group doesn’t waste the chance to capitalize on the more tangible benefits of Android’s market share and Google’s reach. Virtually all the new defense features in Android Oreo stem from or were informed by analysis to spot trends in threat data, Google Play activity, and user behavior.
“There hasn’t been a huge widespread bug that affects every single version of Android recently, but there are still a lot of critical vulnerabilities that are affecting the core Android framework and platform,” says Andrew Blaich, a security researcher who specializes in Android at the mobile security firm Lookout. “But with the Oreo security updates they’re at least minimizing the impact because there is an update mechanism in place. And Google is able to react quicker to a lot of [security incidents] now, which is a good thing.”
Just how much more secure will Oreo make your phone? That depends in part on if and when you’ll get the update. But assuming you do, it’s quite a haul.
Take Google Play Protect, part of Android Security’s detection and reaction infrastructure, which scans devices for suspicious app activity. With 50 billion apps scanned per day, precision counts.
The app scanning that goes into Play Protect has existed behind the scenes under other names for years, but Android Security surfaced the mechanism for customers this year and has used it to do a new type of visibility research. Android data scientist Megan Ruthven and others have developed techniques for detecting distribution of extremely targeted malware, the type that might be narrowly distributed to high-value marks. So far, Ruthven’s research has turned up 3,000 unique samples of malware, each with an average of just 130 users affected. This ability to detect such a faint signal helps protect each individual user, while also allowing Android Security to spot nascent threats early. “Google Play Protect has such a high penetration rate over all Android devices that we are able to find these specific, targeted spywares,” Ruthven says.
Android’s scanners don’t catch everything, though, and researchers still regularly find malicious software that has made it past Google’s protections to land in the Play Store. In August alone, third-party analysts discovered hundreds of compromised financial apps, and even apps that spread malware to build Android botnets and power DDoS attacks.
Despite those recent fumbles, the dangers of downloading apps from third-party app stores far exceed those posed by mainstream apps in Google Play. So Android Security implemented small but significant changes in Oreo, aimed at regularly reminding users about what types of apps they’re downloading. For example, in previous versions of Android a user could enable downloads from outside of Google Play through a setting called “Unknown Sources.” Beginning with Oreo, users now receive a prompt to confirm that they want to download any “Unknown Source” app before doing so, as a more salient reminder to proceed with caution.
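The Oreo change described above is implemented as a per-app permission rather than a single global toggle: an app that wants to hand an APK to the system installer must declare `android.permission.REQUEST_INSTALL_PACKAGES`, and the user grants or denies it per app on the “Install unknown apps” screen. The snippet below is an added example, not code from the article or from Google; it uses Android’s public `PackageManager.canRequestPackageInstalls()` and `Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES` APIs (both introduced in API level 26) to check that state and route the user to the settings screen instead of failing silently. The class name `UnknownSourcesGate` is an assumption for illustration.

```java
// Added example (not from the article): how an app that installs APKs must behave on
// Android 8.0 (API 26), where "Unknown Sources" became a per-app permission.
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;

public final class UnknownSourcesGate {
    private UnknownSourcesGate() {}

    /** True if this app is currently allowed to ask the system to install packages. */
    public static boolean canInstallUnknownApps(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            // Before Oreo the global "Unknown Sources" toggle applied; the system
            // install UI enforces it, so there is nothing per-app to check here.
            return true;
        }
        PackageManager pm = ctx.getPackageManager();
        // Requires <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
        // in the manifest; without that declaration this always returns false on Oreo.
        return pm.canRequestPackageInstalls();
    }

    /** Builds the intent that opens this app's "Install unknown apps" settings page. */
    public static Intent buildManageUnknownSourcesIntent(Context ctx) {
        Intent intent = new Intent(Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES);
        // The data URI scopes the settings screen to this package only.
        intent.setData(Uri.parse("package:" + ctx.getPackageName()));
        return intent;
    }
}
```

From a defender’s point of view the important property is the scoping: granting the permission to one updater app no longer opens the door for every other app on the device, and the grant can be reviewed and revoked per app in Settings.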
“It’s a unique challenge to really balance this desire to provide openness and powerful capabilities to users while at the same time protecting users,” says Xiaowen Xin, a product manager for Android platform security. “It’s something we struggle with every day and something we work hard on every day.”
Android Security also takes a broad view. When tracking emerging attacks, the team doesn’t just rely on Android-specific data, but also surveys the general web to trace malware families and monitor malicious infrastructure. “There is a common misconception that we in Android Security look only at apps that are submitted into Google Play,” says Android malware analyst Elena Kovakina. “But in reality we have a pretty robust way of getting apps from diverse sources.” Google Play Protect and other detection services gather industry data, and the team even develops relationships with third-parties, like banks, that experience a diverse array of attempted cyberattacks.
In the case of mobile ransomware, a small but growing type of attack, Android already had some defense advantages because it silos every app into a “sandbox,” rather than letting them all run together in an open environment. As a result, Android can contain malicious activity more effectively than a more open platform like Windows.
While tracking 30 families of Android ransomware, the team discovered versions that exploited flaws to block users from accessing their phone at the lockscreen, through visual overlays, and by encrypting some data. Oreo adds reinforcements to Android’s sandboxing to plug many of these holes. The team also says that to this point it has still never seen ransomware that can render an Android device completely unusable.
“On Android we said from the very beginning that something where one application can destroy the entire environment around itself is just not acceptable,” Ludwig says. “And then what’s happened iteratively with each of the major releases is we’ve found out about little areas where applications could be disruptive and we’ve become better at detecting them.”
The ongoing challenge to Android security, regardless of what new features Google introduces, remains its fragmented market. Because Android is open, equipment manufacturers and carriers often tailor it to their devices. Those deviations from stock Android can slow the update process considerably. Today, 86 percent of Android device owners use versions that are at least two years old. In contrast, because of Apple’s more controlled ecosystem and update pipeline, 87 percent of iOS devices had adopted the latest release, iOS 10, by the end of July.
“Attackers are still able to get a lot of mileage out of all those old vulnerabilities that are still there in so many devices,” Lookout’s Blaich says. “Especially depending on where they’re attacking across the world they can get a lot of usability out of known vulnerabilities.”
Android Security has already worked to bring a number of big device makers on to a monthly update schedule, which has helped improve fragmentation a bit. The effort has a number of limitations, though; only a few dozen models end up getting regular updates. So Oreo is working to address the tension head-on with a new feature called Project Treble. The goal? Make Android easier to update regardless of device and carrier, by segmenting Android’s code into portions that interact with vendor-specific attributes and portions that deal with the more general, platform-agnostic operating system. Ideally, that makes it possible to push software updates to the core Android component of every device without dealing with vendor-specific incompatibilities. Manufacturers could also ship updates for their tailored portions of the code.
Separating general Android functionality from manufacturer-specific code has tangible security benefits as well. “Updatability is a big part of it, but Treble is also really good for helping us sandbox different parts of the operating system,” Xin says. “There’s now this contrast between the [pure Android] pieces and the device-dependent pieces. If you have an exploit in one side, it is now much harder for that to then exploit the other.”
Project Treble won’t solve Android’s adoption rate issues instantly, or even within the next year. But as it comes to more devices, it could bring about a monumental security shift without dismantling Android’s central identity as an open-source platform.
Hack and Mouse
Though many security features are conceptually broad to protect against a variety of both present and future unknown threats, Android Security developers note that they have some additional foresight into where attackers will focus simply because they know where they have already bolstered their defenses and made attacks impractical.
“Where we choose to invest pushes the attackers around,” Ludwig says. “It’s not strictly cyclical, but what we’ve seen on Android is we invested a lot in the remote attack surface that’s the most exposed, like the Chrome Browser, and that has gotten to be quite strong. And then we invested at the area that was most exposed to applications, and that got to the point where it’s quite strong. So now you actually have to have a fairly privileged application on the device to be able to take advantage of any kernel-level issues.”
In practice, here’s how that plays out: In 2014 only about four percent of Android bugs targeted the kernel (the central coordinator of an operating system). By 2016 the number was up to 44 percent, because security enhancements had cut off easier routes for attackers. “Now it’s actually really hard to compromise Android, and people started to look for the next thing to target and that turned out to be the kernel,” Xin says. “If you’re able to compromise the kernel you get access to everything—you can exploit the rest of the system. So we did a lot of work to harden the various aspects of the kernel.”
The Android Security team can’t be sure of what attacks will spike in the future, and Oreo will give them a leg up regardless. But whatever is up next, the team won’t be waiting until the big 2018 Android release to combat it.