Android 7 Security Improvements
Android 7, also known as Android Nougat or Android N, includes a number of security improvements, which we discuss here. Some of the fixes address vulnerabilities reported through Google's Android Security Rewards (bug bounty) program. A good portion of the changes apply only to encrypted devices or to phones that ship with Android 7, not to older phones upgraded to it.
Direct Boot and Hardware Cert Verification
Encrypted devices now boot to a usable state faster. When a device with encryption enabled starts, the phone can receive calls and the alarm clock works before the user has entered the lock screen credential. Apps that their developers have marked as Direct Boot aware, along with the system components Android treats as essential, start in this locked state with access only to a device-encrypted area of storage; everything protected by the user's credential stays encrypted until the user unlocks the device. So if a user turns the phone on and puts it in a pocket, it can still receive a call.
Android 7 also makes Verified Boot strictly enforcing. At each boot the device checks, using a key the manufacturer stored in the hardware, that the boot image and system partition have not been tampered with; a device whose system is corrupted or modified will not boot it as earlier versions did, but refuses to boot or boots only into a limited mode. The root of trust here is the manufacturer's key burned into the chip, not a certificate from Google. This is separate from key attestation, covered next, which generally requires a phone that shipped with Android 7 and a hardware-backed keystore, since the attestation keys are provisioned at the factory. Older phones upgraded to 7 usually lack them.
Key Attestation
Key attestation lets an app, and a remote server it talks to, verify that a key pair was generated inside the device's hardware-backed keystore (a trusted execution environment such as ARM TrustZone) rather than in software. When an app requests an attested key, the keystore returns a certificate chain: the leaf certificate carries an extension describing the key (its algorithm and purposes, the security level it lives at, and the device's verified boot state), and the chain ends at a root held by Google or the device maker. The server validates the chain against that known root, so it does not have to trust anything the device merely claims about itself. The Nexus 5X and 6P already had a TrustZone-backed keystore; Android 7 exposes the attestation API to apps, and its compatibility definition requires new devices with a secure lock screen to back the keystore with secure hardware.
When the keystore is not backed by hardware, keys are generated and stored in software, as before. Such keys are protected at rest by a master key that is unlocked with the user's lock screen credential, but nothing binds them to the physical device: code running as root on the device can extract them. An attestation for such a key reports a software security level, so a server can decide not to trust it.
Speedier and Less Intrusive Updates
Android updates are less intrusive and faster too. With seamless (A/B) updates the device keeps two copies of its system partitions: the update is written to the inactive copy in the background while the phone stays usable, and the next reboot switches to it. If the new system fails to boot, the device falls back to the old copy. This needs the dual partition layout, so it only works on phones that ship with it; existing phones upgraded to 7 keep the old recovery-based update.
Android has also made over-the-air (OTA) security updates smaller and therefore quicker to download. Google publishes the monthly security patches and distributes them to device manufacturers, who ship them to their devices.
Hardened Linux Kernel
Android apps run on the Android Runtime (ART), which in turn runs on top of a Linux kernel. Android tracks the upstream Linux kernel maintained by the kernel community, with its own patches and on its own schedule, so a kernel fix reaches a phone only when the manufacturer ships a kernel that includes it.
Android 7 also hardens the native code that parses media. A buffer overflow is a memory corruption bug: a program writes more data into a buffer than it can hold, overwriting adjacent memory, and an attacker who controls that data can use it to redirect execution and take over the process. Many such bugs begin as integer overflows, where a size computed from attacker-controlled values wraps around to a small number, so the buffer that is allocated is far too small for the data later copied into it. Android 7 compiles the media stack with integer overflow sanitization: when an arithmetic overflow is detected at run time, the process is aborted immediately rather than allowed to continue with a corrupted size. This was done to fix the MediaServer problems discussed below.
Android also uses SELinux (Security-Enhanced Linux), a mandatory access control system originally developed by the American NSA and now part of the mainline kernel; it is not a Linux distribution. Android has enforced SELinux policy since version 5, and Android 7 tightens that policy: system services such as the media components are split into separate processes, each confined to its own SELinux domain that permits only the files, sockets and operations that process needs. A confined process cannot do anything the policy does not grant, even if it is running as root, so an attacker who takes control of it can inflict less damage on the device.
Android 7 also strengthens address space layout randomization (ASLR). ASLR loads the executable, shared libraries, stack and heap at addresses that differ on every run, so an exploit that has corrupted memory through an overflow cannot rely on a fixed address for the code or data it wants to reach. Android 7 randomizes the order in which shared libraries are loaded as well as their placement, removing predictable offsets between libraries.
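The size arithmetic described above, as an added example that is not Android's code: a toy media chunk parser with a constructed header that claims 0x40000001 four-byte entries. The unchecked multiplication wraps to 4 bytes, so the parser would allocate 4 bytes and then copy a gigabyte into them; the checked version detects the wrap with the compiler's overflow builtin and refuses, which is the behaviour the sanitized build enforces by aborting. The chunk format and both inputs are invented for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed inputs, not real media data. A chunk is a 4-byte big-endian
 * entry count followed by `count` 4-byte entries. */
static const uint8_t GOOD_CHUNK[] = {0, 0, 0, 2, 0, 0, 0, 0xAA, 0, 0, 0, 0xBB};
/* Claims 0x40000001 entries but carries only one; 0x40000001 * 4 wraps to 4. */
static const uint8_t EVIL_CHUNK[] = {0x40, 0, 0, 1, 0, 0, 0, 0x01};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Before: the byte count silently wraps modulo 2^32 for large counts, so
 * malloc(unchecked_table_bytes(count)) returns a buffer far too small. */
uint32_t unchecked_table_bytes(uint32_t count) {
    return count * 4u;
}

/* After: detect the wrap instead of trusting the product.
 * Returns the byte count, or -1 if count * 4 does not fit in 32 bits. */
long long checked_table_bytes(uint32_t count) {
    uint32_t bytes;
    if (__builtin_mul_overflow(count, 4u, &bytes)) return -1;
    return bytes;
}

/* Parses a chunk into a freshly malloc'd table. Returns the entry count, or
 * -1 if the header is inconsistent with the bytes actually present. */
int parse_chunk(const uint8_t *buf, size_t len, uint32_t **out) {
    if (len < 4) return -1;
    uint32_t count = read_be32(buf);
    long long bytes = checked_table_bytes(count);
    if (bytes < 0) return -1;                 /* size wrapped: reject, allocate nothing */
    if ((size_t)bytes > len - 4) return -1;   /* more entries claimed than present */
    uint32_t *tbl = malloc(bytes > 0 ? (size_t)bytes : 1);
    if (!tbl) return -1;
    for (uint32_t i = 0; i < count; i++)
        tbl[i] = read_be32(buf + 4 + 4 * (size_t)i);
    *out = tbl;
    return (int)count;
}

/* Second entry of the well-formed chunk (0xBB). */
int demo_parse_good(void) {
    uint32_t *tbl = NULL;
    int n = parse_chunk(GOOD_CHUNK, sizeof GOOD_CHUNK, &tbl);
    int v = (n == 2) ? (int)tbl[1] : -1;
    free(tbl);
    return v;
}

/* The malicious chunk is rejected (-1) before any allocation happens. */
int demo_parse_evil(void) {
    uint32_t *tbl = NULL;
    int n = parse_chunk(EVIL_CHUNK, sizeof EVIL_CHUNK, &tbl);
    free(tbl);
    return n;
}

int main(void) {
    uint32_t evil_count = read_be32(EVIL_CHUNK);
    printf("unchecked size for %u entries: %u bytes (wrapped)\n",
           evil_count, unchecked_table_bytes(evil_count));
    printf("checked size: %lld (rejected)\n", checked_table_bytes(evil_count));
    printf("good chunk, second entry: 0x%X\n", demo_parse_good());
    printf("evil chunk parse result: %d\n", demo_parse_evil());
    return 0;
}
```

Compiling the unchecked variant with -fsanitize=unsigned-integer-overflow (the sanitizer Android applies to the media stack) turns the wrapped multiplication into an immediate abort, which is the "shut the process down" behaviour the text describes; the checked variant reaches the same outcome by construction and also rejects headers that claim more entries than the input contains.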
Apps must now opt in explicitly to sharing their data with other apps. Android 7 makes each app's private data directory accessible only to that app, and an app targeting Android 7 can no longer hand another app a file:// path into its storage; the attempt raises an error. Instead the app exposes the file through a content provider (such as the support library's FileProvider) as a content:// URI and grants the receiving app temporary read or write access to that URI alone. For example, a gallery app that wants a photo editor to open an image grants it access to that one image rather than to the whole folder.
File Based Encryption
Prior versions of Android used full-disk encryption: the entire user data partition was encrypted as one unit under a single key, unlocked by the user's credential at boot, so nothing on it could be read until the user entered the passcode. With Android 7, individual files are encrypted with their own keys. Storage is divided into a device-encrypted area, whose key becomes available as soon as the device has booted and verified itself, and a credential-encrypted area, whose key is released only when the user unlocks the device; each user and work profile gets its own keys. The user does not configure any of this and it is transparent to him or her; app developers choose which of their data may live in the device-encrypted area. Android says encrypted devices should now run faster. This split is also what makes the Direct Boot described above possible.
Hardened MediaServer
Reacting to the Stagefright vulnerabilities, a set of memory corruption bugs in Android's media library that could be triggered by a crafted video, Android has hardened MediaServer. MediaServer did not run as root, but the single process held a wide set of privileges (camera, microphone, graphics and network access), so a bug in one media parser handed an attacker all of them. In Android 7 it is split into separate components (media extraction, codecs, and the camera and audio services, among others), each running in its own sandboxed process with a restricted SELinux domain and only the privileges its job requires, so that a parser bug yields far less. Fixes for the media stack still reach devices through the monthly security updates rather than through Google Play.
Custom Security Configuration for Apps
App developers can now ship a network security configuration file with their apps. With it an app can, for example, refuse cleartext HTTP and insist on HTTPS for all of its connections, or restrict which certificate authorities it trusts and for which hosts. Requiring a VPN is a separate Android 7 feature: an always-on VPN that a device or profile owner can enforce on managed devices. Together these let businesses make sure their employees' apps only talk over protected connections.
The configuration also lets an app trust a designated CA certificate bundled with the app, for some or all domains, instead of or in addition to the system's trust store. That makes maintaining corporate apps easier, since the user no longer has to install a root certificate themselves, and the app is not exposed to whatever CAs have been installed on the device: apps targeting Android 7 no longer trust user-added CAs by default.
The configuration file does not itself prompt for a passcode; that is handled elsewhere. Android 7 adds a separate security challenge (its own passcode) for the work profile, and an app can require the user to authenticate before a key in the Android keystore may be used, which further strengthens business apps.
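As an added example, not taken from the page or from Android's own sources, here is a network security configuration of the kind described in this section. The host name internal.example.com and the CA resource corp_ca are hypothetical. Cleartext traffic is off for every host, the corporate CA bundled in res/raw is trusted only for the internal domain, and user-installed CAs are honoured only in debuggable builds.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Host name and CA file below are hypothetical. -->
<network-security-config>
    <!-- Default for every host: no cleartext HTTP, and only the system CA store.
         The weak setting this replaces is cleartextTrafficPermitted="true",
         which is what an app gets when it ships no configuration at all. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Corporate backend: trust only the CA bundled as res/raw/corp_ca (PEM or
         DER), so employees never have to install it as a user certificate. -->
    <domain-config>
        <domain includeSubdomains="true">internal.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/corp_ca" />
        </trust-anchors>
    </domain-config>

    <!-- Applied only when the app is built debuggable: also accept CAs the user
         installed, for instance an intercepting proxy used during testing. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Because base-config omits the user store, a CA that someone installs on the device has no effect on release builds of this app, which is the protection against interception the section alludes to. Any connection to a plain http:// URL now fails at the platform's HTTP stack, so developers find leftover cleartext endpoints in testing rather than in the field.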