Google, like most technology companies in this climate, is fighting for the security and privacy of its users’ data on several fronts. With a mobile application ecosystem that invites trouble and government demands for user content and information continuing to rise, Google decided with Android 5.0, also known as Lollipop, to try to turn the tables in its favor.
The latest version of the mobile OS has amped up its deployment of Security Enhanced Linux (SE Android) in order to bring security policy enforcement to the kernel level, and has also switched device encryption on by default.
The result (yes, current Android users are still reliant on carriers and handset makers pushing the upgrade downstream) would mean fewer permissions granted by default for third-party applications and device data encrypted from Day 1.
“You can authorize apps with high-level permissions and deep down they’re being granted a lot more access than necessary. With SE Android, Google is expanding and getting more fine-grained controls and containment,” said Zach Lanier, senior security researcher with Duo Labs, the research division of Duo Security. “With SE Android, you’re much closer to having a real sandbox.”
SELinux has been in Android since version 4.4, but now all application enforcement is being pulled into the OS kernel. Adrian Ludwig, Google's lead security engineer for Android, said this makes security auditing and monitoring easier on the device.
“With Android 5.0, SELinux Enforcing mode is required for all applications on all devices,” Ludwig said. “Multiple vulnerabilities have been prevented since we first introduced SELinux last year; by strengthening it even more, Android becomes a top choice for enterprise customers that have really strict security standards, such as the government.”
Attackers building malicious applications to spread spyware or banking malware, for example, rely on users to click through permissions requests during setup, in such cases giving malicious apps access to contacts, email, SMS, and the Internet from a device. In September, the UK’s Information Commissioner’s Office released a study of 1,200 applications including most of the top 50 downloaded apps. Most apps, the results revealed, do not clearly explain to users what information is collected and, worse, ask for excessive permissions, including access to the device camera and microphone.
Ludwig also stresses that Google wants users to use a screen lock, not only to protect device data in the event a phone is lost or stolen, but also if it is confiscated by law enforcement. Google has added a SmartLock feature to Lollipop that it hopes will sway users who are too stubborn to choose a PIN or reluctant to have to enter it dozens of times a day. SmartLock, instead, can unlock a device in a variety of ways, including through the use of a Bluetooth pairing, Near Field Communication, or facial recognition.
With Lollipop, Android devices will be encrypted from the first time they’re powered on, unlike in previous versions where it was incumbent upon the user to fish about the security settings to enable encryption and protect the device with a PIN. Ludwig also heralds the fact that the encryption key never leaves the device, meaning Google has nothing to turn over to the government or law enforcement in an investigation.
“Whether or not this is actually an effective security measure depends on how it’s implemented and used in practice,” cautions Dan Rosenberg, a senior security researcher with Azimuth Security. “If the decryption of user data is tied to a simple 4-digit lock-screen PIN, for example, then this is merely a mild deterrent, but a stronger key mechanism would make this more useful in protecting data.”
Lanier said it merits watching how this plays out in the enterprise for Android deployments. Underlying hardware acceleration features make for a smoother and faster experience.
“These are definitely some good moves,” Lanier said. “It’s still a little concerning that even though Google is doing encryption by default that users might have a false sense that it’s encrypted and they will not have to set a PIN. If a law enforcement officer walks away with the device and there’s no PIN, there goes your stuff. It’s good that Adrian Ludwig is stepping up publicly and telling users you need to set a PIN.”