• Double Stuffed Security in Android Oreo
  • Gian G Spicuzza
  • The Nuggets Translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: A fat snail
  • Proofreaders: Corresponding, SumiMakito

Double Stuffed Security in Android Oreo

Posted by Gian G Spicuzza of the Android Security team

Android Oreo is stuffed full of security enhancements. Over the past few months we have covered how the Android platform and its apps were made more secure: safer ways to get apps, dropping insecure network protocols, more user control, kernel hardening, making Android easier to update, and doubling the Android Security Rewards payouts. Now that Oreo is officially here, let's review some of those improvements.

Expanded hardware security support

Android already supports Verified Boot, which is designed to stop a device from booting if its software has been tampered with. In Android Oreo we added a reference implementation of Verified Boot that works together with Project Treble, called Android Verified Boot 2.0 (AVB). AVB has several features that make updates easier and safer, such as a common footer format (a structure placed at the end of each verified partition) and rollback protection. Rollback protection is designed to keep a device from booting if its OS is downgraded to an older version, which may contain vulnerabilities that were fixed later. To do this, the device records the OS version either in dedicated hardware or in data signed by the Trusted Execution Environment (TEE). Pixel 2 and Pixel 2 XL ship with this protection, and we recommend that all device manufacturers add it to their new devices.
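
An added example, not code from the original post or from libavb itself, to make the two AVB features above concrete. It decodes the 64-byte footer that AVB appends to a partition, using the field layout from libavb's avb_footer.h (magic "AVBf", then big-endian version, original image size, vbmeta offset and size), and models rollback protection as a per-location index that only ratchets upward. The footer is parsed from a constructed 96-byte sample image, and the tamper-resistant store that a real device keeps in RPMB or a TEE-signed blob is a plain array here; those are the example's assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libavb stores a 64-byte AvbFooter at the very end of a verified partition;
 * every multi-byte field is big-endian (layout from libavb's avb_footer.h). */
#define AVB_FOOTER_SIZE 64
#define AVB_FOOTER_MAGIC "AVBf"
#define AVB_MAX_ROLLBACK_LOCATIONS 32

typedef struct {
    uint32_t version_major;
    uint32_t version_minor;
    uint64_t original_image_size; /* payload size before vbmeta and footer were appended */
    uint64_t vbmeta_offset;       /* where the vbmeta struct (hashes, signature) starts */
    uint64_t vbmeta_size;
} avb_footer_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }
static void put_be32(uint8_t *p, uint32_t v) { for (int i = 3; i >= 0; i--, v >>= 8) p[i] = (uint8_t)v; }
static void put_be64(uint8_t *p, uint64_t v) { put_be32(p, (uint32_t)(v >> 32)); put_be32(p + 4, (uint32_t)v); }

/* Decode the footer. Rejects images that are too small, lack the magic, or
 * describe a vbmeta region that does not fit in front of the footer. The
 * footer itself is not authenticated; the hashes and signature it points to are. */
bool avb_parse_footer(const uint8_t *image, size_t image_size, avb_footer_t *out) {
    if (image_size < AVB_FOOTER_SIZE) return false;
    const uint8_t *f = image + image_size - AVB_FOOTER_SIZE;
    if (memcmp(f, AVB_FOOTER_MAGIC, 4) != 0) return false;
    out->version_major       = be32(f + 4);
    out->version_minor       = be32(f + 8);
    out->original_image_size = be64(f + 12);
    out->vbmeta_offset       = be64(f + 20);
    out->vbmeta_size         = be64(f + 28);
    uint64_t limit = image_size - AVB_FOOTER_SIZE;   /* bytes available before the footer */
    if (out->original_image_size > limit) return false;
    if (out->vbmeta_size > limit || out->vbmeta_offset > limit - out->vbmeta_size) return false;
    return true;
}

/* Rollback protection. A vbmeta carries a rollback index and a location
 * (0..31); the device keeps the highest index it has booted per location in
 * tamper-resistant storage (RPMB or a TEE-signed blob on real hardware; a
 * plain zero-initialised array in this model). */
typedef struct { uint64_t stored[AVB_MAX_ROLLBACK_LOCATIONS]; } rollback_store_t;
typedef enum { BOOT_OK = 0, BOOT_REJECT_ROLLBACK, BOOT_REJECT_BAD_LOCATION } boot_verdict_t;

rollback_store_t g_store;

/* Boot-time gate: an image older than one the device has already run is
 * refused, because it may bring back a vulnerability that was since patched. */
boot_verdict_t avb_check_rollback(const rollback_store_t *s, uint32_t location, uint64_t image_index) {
    if (location >= AVB_MAX_ROLLBACK_LOCATIONS) return BOOT_REJECT_BAD_LOCATION;
    return image_index < s->stored[location] ? BOOT_REJECT_ROLLBACK : BOOT_OK;
}

/* Once the new image has booted successfully, ratchet the stored index up.
 * It only ever increases; lowering it would re-open the downgrade path. */
bool avb_commit_rollback_index(rollback_store_t *s, uint32_t location, uint64_t image_index) {
    if (location >= AVB_MAX_ROLLBACK_LOCATIONS) return false;
    if (image_index > s->stored[location]) s->stored[location] = image_index;
    return true;
}

/* Constructed fixture, not a real device image: 16 bytes of payload, a 16-byte
 * placeholder where vbmeta would go, then the footer. */
#define SAMPLE_PAYLOAD 16
#define SAMPLE_VBMETA 16
#define SAMPLE_SIZE (SAMPLE_PAYLOAD + SAMPLE_VBMETA + AVB_FOOTER_SIZE)
uint8_t g_sample_image[SAMPLE_SIZE];
avb_footer_t g_footer;

size_t build_sample_image(void) {
    memset(g_sample_image, 0xAB, SAMPLE_PAYLOAD);
    memset(g_sample_image + SAMPLE_PAYLOAD, 0, SAMPLE_VBMETA + AVB_FOOTER_SIZE);
    uint8_t *f = g_sample_image + SAMPLE_PAYLOAD + SAMPLE_VBMETA;
    memcpy(f, AVB_FOOTER_MAGIC, 4);
    put_be32(f + 4, 1);                 /* version 1.0 */
    put_be64(f + 12, SAMPLE_PAYLOAD);   /* original_image_size */
    put_be64(f + 20, SAMPLE_PAYLOAD);   /* vbmeta_offset: right after the payload */
    put_be64(f + 28, SAMPLE_VBMETA);    /* vbmeta_size */
    return SAMPLE_SIZE;
}

/* Flip one byte of a copy of the sample and parse it: damage to the magic or
 * the size fields is caught here, damage to the payload is not (that is what
 * the hash in vbmeta is for). */
bool sample_parses_with_corruption(size_t offset, avb_footer_t *out) {
    uint8_t copy[SAMPLE_SIZE];
    build_sample_image();
    memcpy(copy, g_sample_image, SAMPLE_SIZE);
    if (offset < SAMPLE_SIZE) copy[offset] ^= 0xFF;
    return avb_parse_footer(copy, SAMPLE_SIZE, out);
}

int main(void) {
    build_sample_image();
    printf("footer ok: %d\n", avb_parse_footer(g_sample_image, SAMPLE_SIZE, &g_footer));
    avb_commit_rollback_index(&g_store, 0, 7);   /* the device has already run version 7 */
    printf("boot v6: %d, boot v8: %d\n", avb_check_rollback(&g_store, 0, 6), avb_check_rollback(&g_store, 0, 8));
    return 0;
}
```

Two things the code makes visible: the footer's own checks only catch structural damage (a bad magic or impossible sizes), so content integrity still depends on the hashes and signature in the vbmeta region it points to; and the stored rollback index only ever moves up, which is why it has to live somewhere that a compromised OS cannot rewrite.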

Oreo also includes a new OEM Lock hardware abstraction layer (HAL) that gives device manufacturers more flexibility in how they protect whether a device is locked, unlocked, or unlockable. For example, the new Pixel phones use this HAL to pass commands to the bootloader. The bootloader analyzes those commands on the next boot to decide whether a change to the locks, which are stored securely in the Replay Protected Memory Block (RPMB), should take effect. These protections are designed to stop a stolen device from being reset, keeping your data safe. The new HAL even supports moving the locks into dedicated hardware.

Speaking of hardware, we added tamper-resistant hardware support, such as the security module built into every Pixel 2 and Pixel 2 XL. This physical chip prevents many software and hardware attacks and also resists physical penetration. The security module prevents deriving the encryption key without the device's passcode and rate-limits unlock attempts, which makes many attacks infeasible because of the time they would take.

While the new Pixel devices have this dedicated security module, all new Google Mobile Services (GMS) devices running Android Oreo are required to implement key attestation. This provides a mechanism for strongly attesting identifiers, such as hardware identifiers.

We also added new capabilities for enterprise-managed devices. On devices with a work profile, the encryption keys are evicted from memory (RAM) when the profile is locked remotely by the corporate administrator. This helps keep corporate data secure at rest.

Platform hardening and process isolation

As part of Project Treble, we also refactored the Android framework to make updates easier and cheaper for device manufacturers. The separation of platform and vendor code is also meant to improve security: these hardware abstraction layers (HALs) now run in their own sandboxes and have access only to the drivers and permissions they need, following the principle of least privilege.

Following the media stack hardening in Android Nougat, we moved many of the components in the Android Oreo media framework that access hardware directly into their own processes, creating better isolation. We also enabled Control Flow Integrity (CFI) protection across all media components. Most exploits work by hijacking the normal control flow of an application and using its privileges to carry out malicious activity. CFI is a robust security mechanism that disallows arbitrary changes to the control-flow graph of a compiled binary, which makes such attacks much harder to execute.
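
An added illustration, not code from the Android media framework: a C model of the forward-edge check that CFI places in front of an indirect call. The codec_t object, the decode_fn type, the two stand-in decoders and the leaked_helper target are all constructed for the example. Production Android builds get the equivalent check from Clang's -fsanitize=cfi (which requires LTO) and abort the process on a violation rather than returning a code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A media-framework style dispatch: codec handlers are invoked through a
 * function pointer kept in a heap object, right behind data parsed from the
 * media file. Overflowing that data into the pointer is the classic hijack. */
typedef int (*decode_fn)(const uint8_t *buf, size_t len);

static int decode_h264(const uint8_t *buf, size_t len) { (void)buf; return (int)len; }     /* stand-ins */
static int decode_aac(const uint8_t *buf, size_t len)  { (void)buf; return (int)len * 2; }

/* Never a legitimate target of this call site, only reachable by corrupting
 * the pointer (think of a helper that spawns a shell). */
static int leaked_helper(const uint8_t *buf, size_t len) { (void)buf; (void)len; return -1; }

typedef struct {
    uint8_t   header[8];  /* attacker-influenced: copied from the file */
    decode_fn decode;     /* control data adjacent to it */
} codec_t;

/* Software model of a forward-edge CFI check. With Clang's -fsanitize=cfi the
 * compiler emits, at each indirect call, a test that the target is one of the
 * functions the program legitimately reaches through that pointer type. Here
 * the same policy is an explicit table so it can be read and run anywhere;
 * it is stricter than a type-based check, which would also accept any other
 * function with exactly this signature. */
static const decode_fn kValidDecodeTargets[] = { decode_h264, decode_aac };

bool cfi_check_decode_fn(decode_fn target) {
    for (size_t i = 0; i < sizeof kValidDecodeTargets / sizeof kValidDecodeTargets[0]; i++)
        if (kValidDecodeTargets[i] == target) return true;
    return false;
}

/* Unhardened: jumps wherever the pointer now points. */
int dispatch_unchecked(const codec_t *c, const uint8_t *buf, size_t len) {
    return c->decode(buf, len);
}

/* Hardened: production CFI aborts the process on a violation; a sentinel
 * return value keeps the example observable instead. */
#define CFI_VIOLATION (-0x0CF1)
int dispatch_checked(const codec_t *c, const uint8_t *buf, size_t len) {
    if (!cfi_check_decode_fn(c->decode)) return CFI_VIOLATION;
    return c->decode(buf, len);
}

/* Stand-in for the effect of an overflow from `header` into `decode`; a
 * direct store keeps the example deterministic instead of relying on
 * undefined behaviour. */
static void hijack(codec_t *c) { c->decode = leaked_helper; }

/* Run one scenario on a constructed 4-byte input and report what the
 * dispatch produced: 4 = decode_h264 ran, -1 = the hijack reached
 * leaked_helper, CFI_VIOLATION = the check stopped it. */
int run_scenario(bool hardened, bool corrupted) {
    static const uint8_t sample[4] = { 0x00, 0x00, 0x00, 0x01 };
    codec_t c = { { 'h', '2', '6', '4', 0, 0, 0, 0 }, decode_h264 };
    if (corrupted) hijack(&c);
    return hardened ? dispatch_checked(&c, sample, sizeof sample)
                    : dispatch_unchecked(&c, sample, sizeof sample);
}

int main(void) {
    printf("unchecked+hijacked: %d\n", run_scenario(false, true));   /* -1: attacker code ran */
    printf("checked+hijacked:   %d\n", run_scenario(true, true));    /* CFI_VIOLATION */
    printf("checked+clean:      %d\n", run_scenario(true, false));   /* 4 */
    return 0;
}
```

The point the model makes is that the pointer is checked against the set of legitimate targets at the moment it is used, so a value planted earlier by a memory-corruption bug is useless to the attacker even though the corruption itself went unnoticed. It also shows CFI's limit: a target that is itself a valid function of the right type still passes, which is why CFI is layered with process isolation and seccomp rather than relied on alone.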

In addition to these architectural changes and CFI, Android Oreo brings other platform security-related improvements:

  • Seccomp (secure computing mode) filtering: system calls that apps do not need are no longer reachable from apps, reducing the kernel attack surface exposed to them.
  • Hardened usercopy: a recent survey of Android security vulnerabilities found that missing or invalid bounds checks accounted for about 45% of kernel vulnerabilities. For Android kernels 3.18 and above we backported a bounds-checking feature that makes such bugs harder to exploit and helps developers find and fix them in their code.
  • Privileged Access Never (PAN) emulation: also backported to kernels 3.18 and above, this feature forbids the kernel from accessing user space directly and ensures that developers go through the hardened accessor functions instead.
  • Kernel Address Space Layout Randomization (KASLR): Android has supported address space layout randomization (ASLR) for years; for Android kernels 4.4 and newer we backported KASLR to help mitigate vulnerabilities. KASLR randomizes the location at which the kernel code is loaded on each boot, making code reuse attacks, especially remote ones, harder to execute.
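
An added user-space model, not kernel code, of what hardened usercopy and PAN emulation change for the bug class the survey above names: a driver ioctl that copies a user-chosen number of bytes out of a 32-byte heap object. The slab, the device record and the secret in the neighbouring object are constructed fixtures, and the check here only knows about slab objects, whereas the kernel's check_object_size() also validates stack and text ranges.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of hardened usercopy: copy_to_user() refuses to copy a
 * range that is not fully inside one heap (slab) object. On a real kernel the
 * bounds come from the slab allocator; here a fixed array of 32-byte objects
 * plays the kernel heap. PAN is why this is the right place for the check:
 * once the kernel can no longer touch user memory directly, every transfer
 * has to go through these accessor functions. */
#define SLAB_OBJECTS 4
#define SLAB_OBJECT_SIZE 32

_Alignas(8) uint8_t g_slab[SLAB_OBJECTS * SLAB_OBJECT_SIZE];   /* "kernel heap" */
uint8_t g_user_buf[128];                                       /* "user space" destination */

/* Bounds of the object containing `p`, or false when `p` is not a slab
 * address at all. */
static bool slab_object_bounds(const void *p, uintptr_t *start, size_t *size) {
    uintptr_t q = (uintptr_t)p, base = (uintptr_t)g_slab;
    if (q < base || q >= base + sizeof g_slab) return false;
    *start = base + ((q - base) / SLAB_OBJECT_SIZE) * SLAB_OBJECT_SIZE;
    *size  = SLAB_OBJECT_SIZE;
    return true;
}

typedef enum { COPY_OK = 0, COPY_USERCOPY_ABORT } copy_status_t;

/* Pre-hardening behaviour: the caller's length is trusted completely. */
copy_status_t copy_to_user_unhardened(void *udst, const void *ksrc, size_t n) {
    memcpy(udst, ksrc, n);
    return COPY_OK;
}

/* Hardened usercopy: if the source is a slab object, [ksrc, ksrc+n) must stay
 * within that object, otherwise the copy is refused (in the kernel this is a
 * BUG() that terminates the task). Sources outside the modelled slab pass
 * through unchecked because this model has no notion of stack or text. */
copy_status_t copy_to_user_hardened(void *udst, const void *ksrc, size_t n) {
    uintptr_t start; size_t size;
    if (slab_object_bounds(ksrc, &start, &size)) {
        uintptr_t p = (uintptr_t)ksrc;
        if (n > size || p - start > size - n) return COPY_USERCOPY_ABORT;
    }
    memcpy(udst, ksrc, n);
    return COPY_OK;
}

/* A driver's per-device record (exactly one slab object) and, by bad luck,
 * key material belonging to something else in the neighbouring object.
 * Constructed fixture, not real kernel data. */
typedef struct { uint32_t id; uint8_t name[28]; } device_info_t;

void slab_init(void) {
    memset(g_slab, 0, sizeof g_slab);
    device_info_t *info = (device_info_t *)g_slab;                 /* object 0 */
    info->id = 0x1234;
    memcpy(info->name, "camera0", 8);
    memcpy(g_slab + SLAB_OBJECT_SIZE, "SECRET-KEY-MATERIAL-32-BYTES....", 32); /* object 1 */
}

/* Buggy ioctl handler: copies a user-chosen number of bytes out of the 32-byte
 * record with no bounds check, the pattern behind the missing-bounds-check
 * class in the survey. With len > 32 the copy runs into object 1. */
copy_status_t ioctl_get_info(uint8_t *ubuf, size_t len, bool hardened) {
    const device_info_t *info = (const device_info_t *)g_slab;
    return hardened ? copy_to_user_hardened(ubuf, info, len)
                    : copy_to_user_unhardened(ubuf, info, len);
}

/* Does a 64-byte request leak the neighbouring object to user space? */
bool leaks_neighbour(bool hardened) {
    slab_init();
    memset(g_user_buf, 0, sizeof g_user_buf);
    copy_status_t st = ioctl_get_info(g_user_buf, 2 * SLAB_OBJECT_SIZE, hardened);
    return st == COPY_OK &&
           memcmp(g_user_buf + SLAB_OBJECT_SIZE, g_slab + SLAB_OBJECT_SIZE, SLAB_OBJECT_SIZE) == 0;
}

int main(void) {
    printf("leak without hardening: %d\n", leaks_neighbour(false));  /* 1 */
    printf("leak with hardening:    %d\n", leaks_neighbour(true));   /* 0 */
    return 0;
}
```

The driver bug is untouched in both runs; what changes is that the accessor now refuses a length the object cannot satisfy, turning a silent information leak into a detectable abort. That is the sense in which the feature both blocks exploitation and helps developers find the bug.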

App security and device identifier changes

Android Instant Apps run in a restricted sandbox that limits permissions and capabilities such as reading the list of apps on the device or transmitting cleartext traffic. Although introduced with the Android Oreo release, Instant Apps support devices running Android Lollipop and later.

To make it safer to process untrusted content, we isolated WebView by splitting the rendering engine into a separate process and running it in an isolated sandbox that restricts its resources. WebView also supports Safe Browsing to protect users from potentially dangerous sites.

Finally, we made significant changes to device identifiers to give users more control, including:

  • Static Android IDs and Widevine values were moved to app-specific values, which helps limit the use of device-wide, non-resettable identifiers.
  • In accordance with IETF RFC 7844, net.hostname is now empty and the DHCP client no longer sends a hostname.
  • For apps that need a device identifier, we added a Build.getSerial() API that is protected by a permission.
  • Working with security researchers [1], we added robust MAC address randomization for Wi-Fi scan traffic in the firmware of various chipsets.

Android Oreo brings many more improvements than these. As always, we welcome feedback and suggestions on how to make Android more secure; please email [email protected].


[1] Glenn Wilkinson and team at SensePost UK; Celestin Matte, Mathieu Cunche: University of Lyon, Ecole Nationale de Lyon, CITI Laboratory; Mathy Vanhoef, KU Leuven


The Nuggets Translation Project is a community that translates high-quality technical articles from English and shares them on Nuggets. It covers Android, iOS, front-end, back-end, blockchain, product, design, artificial intelligence and other fields. To see more high-quality translations, follow the Nuggets Translation Project on its official Weibo account and Zhihu column.