Google said its next-generation mobile operating system, Android Q, revamps the way it delivers direct over-the-air updates and will bolster individual app privacy controls.
Google detailed Android Q (10.0) at the Google I/O 2019 developer conference on Tuesday. There it touted almost 50 changes to the upcoming OS focused on security and privacy. The biggest of these changes is the way all Android handsets, no matter the device manufacturer, will receive security updates. Google said it is adding over a dozen new components that will receive over-the-air updates via the Google Play Store.
“With Android Q, we’ll update important OS components in the background, similar to the way we update apps,” according to Stephanie Cuthbertson, director of product management for Android. “This means that you can get the latest security fixes, privacy enhancements and consistency improvements as soon as they’re available, without having to reboot your phone.”
Security updates have often been a pain point for Android devices – because the operating system is utilized by so many device manufacturers, it takes time for various manufacturers to push out updates. Those updates are delivered over the air, but have been limited to monthly updates. That’s about to change with Google’s efforts to streamline the patching process by creating new update-friendly modules in its OS capable of receiving direct over-the-air patches whenever needed.
The direct updates will focus on particular parts of a phone, Cuthbertson said, as opposed to updating the entire phone directly. According to an exclusive report in The Verge, as part of this initiative, dubbed “Project Mainline,” Google will create 14 different modules capable of updating – such as its DNS resolver and time zone data (see a full list of the modules to the left).
These particular aspects of the phone will receive patches directly, as soon as updates are available.
However, full Android security updates – for the entire device, not just the technology addressed by the 14 modules – will continue to be pushed out through Google’s monthly Android Security updates.
“We want you to get these [Security updates] faster, and that’s why in Q we’re making a set of OS modules update-able directly over the air,” Cuthbertson said during the Google I/O keynote.
Android Q will also feature a new section at the top of its settings called “Privacy.”
This tab will give phone users control over privacy features on their phones, including their activity data, location history and ad settings. That means that users can review how much data is being shared – and when – across all apps.
“We feel all innovation must happen within a frame of security and privacy,” said Cuthbertson at Google I/O. “You should always be in control of what you share and who you share it with.”
For example, in terms of location, Android Q devices will now give users reminders when their apps access their location when they are not being used. Users will also gain more control over how they share location data with apps, said Cuthbertson.
Android Q also brings another previously-announced data privacy feature – the ability to control location sharing within apps while they are being used (as opposed to sharing location all the time or never).
“Previously, a user had a single control to allow or deny an app access to device location, which covered location usage by the app both while it was in use and while it wasn’t,” said Jen Chai, product manager at Android, in a March posting on the new feature. “Starting in Android Q, users have a new option to give an app access to location only when the app is being used; in other words, when the app is in the foreground.”
The privacy controls come on the heels of a Google privacy scandal last year after a researcher found that the Google services prevalent on Android phones – including Google Maps – store location data, despite device users opting out.
More Security Features
In addition to these features, Google said that it has launched several other security features, including improved biometric authentication dialogs – which would only require users to use facial recognition as authentication once when they sign in on their phone – and transport layer security (TLS) 1.3 support.
Google also announced the general availability of the built-in Android security key, FIDO, on phones running Android 7.0+. That means that users can forego using passwords and instead use their fingerprint or a PIN to log into browsers or apps on their devices.
“We consider security keys based on FIDO standards, including Titan Security Key and Android phone’s built-in security key, to be the strongest, most phishing-resistant methods of 2FA,” according to Christiaan Brand, product manager of Google Cloud. “FIDO leverages public key cryptography to verify a user’s identity and URL of the login page, so that an attacker can’t access users’ accounts even if users are tricked into providing their username and password.”