Tag Archives: Android Q

Google Trying to Compete With Apple in Android Security

I think it would be hard to argue with the statement that when it comes to mobile (phone) security, Apple has it all over Google.

For the most part, other than for the Google branded phones, that is because they have to work through the handset manufacturers and wireless carriers.

Apparently, not any more.

For new phones running Android Q, currently in beta, Google will directly install updates for 14 modules of the Android OS, without the user even having to reboot.  This moves Android (very slowly) in the direction of a microkernel operating system like Minix 3.0 (full disclosure: my brother's team wrote Minix 3.0).

The 14 modules are:

ANGLE
APK
Captive portal login
Conscrypt
DNS resolver
Documents UI
ExtServices
Media codecs
Media framework components
Network permission configuration
Networking components
Permission controller
Time zone data
Module metadata

If one of these modules is updated, Google stops the service, updates it and restarts it, transparently to the user, and cuts both the handset manufacturer and the carrier out of the loop.

But only for phones that come with Android Q out of the box, not those that get it via an upgrade (probably due to the license agreement between Google and the handset vendor).

Handset manufacturers CAN opt out of this program, called Project Mainline, but why would they?

Android Q comes with 50 security enhancements in addition to this, including TLS V3, MAC address randomization, increased control over location data and better user control over which apps have which permissions.

Users should look for phones that ship with Android Q out of the box and whose handset manufacturers support Project Mainline.

Whether Q comes out of the box or via an upgrade, you still get the new security features.  If you are a security-conscious Android user, you should definitely look for Q on your next phone.

Source: ZDNet.


Android Q (Version 10) To Have A Number of New Security Features

NOTE:  This is a bit of a rant on my part, but I will get to the good stuff further down.  Sorry, but I think the subject is important.

While it is a good thing that Google is finally trying to counter Apple's various ad campaigns, such as their CES ad below

and their March Madness ad campaign, "If privacy matters in your life, it should matter to the phone your life is on," it does not really solve the problem.

Android P, or Pie (version 9), was released in March of last year.  Here is the most recent distribution of Android OS versions on active phones.

Android Pie is represented by the light blue bars on the top in the last three bars and is a tiny percentage of the market.

As of January, 2% of phones are still running Android 4,  almost 5% are running Android 5, 10% are running Android 6, 21% are running Android 7, 54% are running Android 8 and only 5% are running Android 9 – roughly.

Android 4.4, the last version of Android 4, was released in 2013; Android 5 in 2014, Android 6 in 2015, Android 7 in 2016 and Android 8 in 2017.

All versions of the Android OS before version 7 are no longer supported and will never have security holes fixed.  That means around 20% of the Android phones out there are unsupported, and when Android 10 is released this summer, that number will rise as Android 7 support is discontinued.

While companies have been (sort of) good about getting rid of unsupported Windows OSes (like Windows XP), they have been much less active in stomping out unsupported phone OSes.

As employees move more and more to using their mobile devices as a true computing device, this is becoming a bigger security challenge for all companies – one that most companies have been ignoring.  THE SINGLE BIGGEST UPCOMING THREAT TO COMPANY DATA IS OLD, UNPATCHED MOBILE DEVICES.  This is especially true in regulated industries where very sensitive financial, health and national security data is accessed.

Apple has been very good about upgrading their phones to the current iOS version, supporting iPhones from the current iPhone 10 all the way back to the iPhone 5S and pretty much shoving the new releases down their users' collective throats, whether users are happy about the results or not (older iPhones typically run slower with the newer releases).  But, at least, those phones are as secure as Apple knows how to make them.

But for Android phones, there are WELL over 1,000 MANUFACTURERS of Android phones and likely WAY over 10,000 phone models in use.

Add to this Android’s fractured release distribution model.  Users, other than Pixel users, do not get their software updates from Google like Apple users get theirs from Apple.   Rather they have to wait for Google to release fixes, their phone vendors to tweak them and their phone carrier to actually push them down.

Many phone vendors never release patches at all, and that does not seem to be much of a decision-making consideration on the part of users (and really shouldn't have to be).

The Fortune 100 and the carriers could change this pretty quickly ("we are not going to sell your phone, and we are not going to buy your phone, unless you release monthly patches"), but that has not happened yet.

Google is trying hard to improve this.  Last year they made two changes.  First, they layered the operating system so that they can make (security) changes below a certain layer without affecting Android apps that carriers get paid to install on your phone and second, they began to require phone manufacturers to release patches a few times a year for two years.

While this is an improvement, many people (most people?) keep phones for more than two years and don’t buy those phones on the date they were released, so while this is a start, it is not a solution.

Companies need to understand that this is a risk and decide what their company policies are going to be regarding allowing users to access company data using phones that are vulnerable and unpatched.  For companies that are subject to regulations such as HIPAA or NIST SP 800-171, this is a violation of the regulation and could possibly get the company fined.
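One way to turn the support cutoff above (everything before Android 7 is out of support, with 7 next to go) and the policy question in this paragraph into something a company can actually run: an added Python script, not from the post or from Google, that classifies a device inventory by Android major version and recomputes the unsupported share from the post's January distribution once Android 7 is dropped. The inventory entries, the device ids and the cutoff constant are constructed assumptions; a real run would read the release strings from an MDM export.

```python
"""Flag Android devices whose major version no longer receives security fixes.

Added example; the inventory below is constructed, not real MDM data.
"""

# Assumption taken from the post: every major version below 7 is unsupported.
OLDEST_SUPPORTED_MAJOR = 7

# Constructed MDM-style export: device id -> Android release string as reported.
SAMPLE_INVENTORY = {
    "dev-001": "4.4.2",
    "dev-002": "5.1",
    "dev-003": "6.0.1",
    "dev-004": "7.1.2",
    "dev-005": "8.0.0",
    "dev-006": "8.1.0",
    "dev-007": "9",
    "dev-008": "10",
    "dev-009": "",  # device never reported its version
}

# Rounded January distribution quoted in the post: major version -> percent.
POST_DISTRIBUTION = {4: 2, 5: 5, 6: 10, 7: 21, 8: 54, 9: 5}


def major_version(release):
    """Return the major Android version from a release string, or None if unparsable."""
    head = release.strip().split(".")[0]
    return int(head) if head.isdigit() else None


def is_supported(release, oldest_supported=OLDEST_SUPPORTED_MAJOR):
    """True only when the release parses and is at or above the support cutoff."""
    major = major_version(release)
    return major is not None and major >= oldest_supported


def audit_inventory(inventory, oldest_supported=OLDEST_SUPPORTED_MAJOR):
    """Classify every device and compute the share that should be blocked by policy.

    Devices with an unknown version are counted as at risk: a device that cannot
    prove its patch level gets the same treatment as one known to be unpatched.
    """
    supported, unsupported, unknown = [], [], []
    for device_id, release in inventory.items():
        major = major_version(release)
        if major is None:
            unknown.append(device_id)
        elif major >= oldest_supported:
            supported.append(device_id)
        else:
            unsupported.append(device_id)
    total = len(inventory)
    at_risk = len(unsupported) + len(unknown)
    return {
        "supported": supported,
        "unsupported": unsupported,
        "unknown": unknown,
        "at_risk_share": at_risk / total if total else 0.0,
    }


def share_unsupported(distribution, oldest_supported=OLDEST_SUPPORTED_MAJOR):
    """Percent of the fleet on unsupported majors, given {major: percent}."""
    return sum(pct for major, pct in distribution.items() if major < oldest_supported)


if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY)
    print("unsupported:", result["unsupported"])
    print("unknown:", result["unknown"])
    print(f"at-risk share: {result['at_risk_share']:.0%}")
    print("post distribution, cutoff 7:", share_unsupported(POST_DISTRIBUTION), "%")
    print("post distribution, cutoff 8:", share_unsupported(POST_DISTRIBUTION, 8), "%")
```

Raising the cutoff from 7 to 8 moves the post's own figures from 17% to 38% unsupported, which is the jump the paragraph on Android 7 losing support warns about. Treating an unreported version as at risk is deliberate: for HIPAA or NIST SP 800-171 purposes a device you cannot assess is a device you cannot defend.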

OK, enough ranting.

What is coming in Android Q (Version 10)?

The Android Q beta will drop this month and the best guess is that it will be released in August.  Some of the new security features include:

  • The Android OS will stop tracking contacts “affinity” (who is talking to whom on your phone – yes they have been doing that forever), so that will no longer be available to apps
  • Phones will transmit a RANDOM MAC address (the address of the network card) to reduce sites’ ability to track based on MAC address.
  • Only some apps will be able to obtain the device’s serial number and IMEI (electronic serial number).
  • Users will get more control over location permissions.  Now you will be able to say that an app can only access your location when it is the active application on your screen.  This comes after it was revealed that some apps, running in the background, transmit your location data to the app maker over a thousand times a day.
  • Only the active app can access data stored in the clipboard.
  • Some network device state information will now be restricted.
  • Apps will need to have access to a special FINE location API (for WiFi and Bluetooth).  This is how grocery stores, for example, know that you are in the cereal aisle and can send you ads for cereal and not pantyhose.
  • Each app will be given a sandbox regarding access to the disk on “external” storage (USB storage).  Currently, if you give an app access to USB storage, they can access any data on the device.  If apps are well behaved, this is not a problem, but ….
  • There are new restrictions on apps starting in the background without telling you.
  • There are several changes to the permissions model – apps will need to be given specific permissions in order to detect, for example, a user’s movement.

One thing Apple has figured out how to do, is to get users to spend a thousand dollars on a new phone every year or two (An iPhone XS Max with 512 gig of storage costs almost $1,500!!!).  Not sure how they do this, but they have.  Android users are much more sensible.

Until users understand that their devices (and more importantly their data) are at risk because they are not being patched, this is unlikely to change.

Information for this post came from Helpnet Security.
