| page.title=Security Enhancements in Android 6.0 |
| @jd:body |
| |
| <p>Every Android release includes dozens of security enhancements to protect |
| users. Here are some of the major security enhancements available in Android |
| 6.0:</p> |
| <ul> |
| <li><strong>Runtime Permissions</strong>. Applications request permissions at |
| runtime instead of being granted them at app |
| install time. Users can toggle permissions on and off for both M and pre-M |
| applications.</li> |
| <li><strong>Verified Boot</strong>. A set of cryptographic checks of system |
| software is conducted prior to |
| execution to ensure the phone is healthy from the bootloader all the way up to |
| the operating system.</li> |
| <li><strong>Hardware-Isolated Security</strong>. A new Hardware Abstraction |
| Layer (HAL) is used by the Fingerprint API, Lockscreen, |
| Device Encryption, and Client Certificates to protect keys against kernel |
| compromise and/or local physical attacks.</li> |
| <li><strong>Fingerprints</strong>. Devices can now be unlocked with just a |
| touch. Developers can also take |
| advantage of new APIs to use fingerprints to lock and unlock encryption keys.</li> |
| <li><strong>SD Card Adoption</strong>. Removable media can be |
| <em>adopted</em> to a device and expand available storage for |
| app local data, photos, videos, etc., but still be protected by block-level |
| encryption.</li> |
| <li><strong>Clear Text Traffic</strong>. Developers can use a new StrictMode |
| to make sure their application doesn't use |
| cleartext.</li> |
| <li><strong>System Hardening</strong>. Hardening of the system via policies |
| enforced by SELinux. This offers better |
| isolation between users, IOCTL filtering, reduced threat of exposed services, |
| further tightening of SELinux domains, and extremely limited /proc access.</li> |
| <li><strong>USB Access Control</strong>. Users must confirm to allow USB |
| access to files, storage, or other |
| functionality on the phone. The default is now <em>charge only</em>, with access |
| to storage requiring explicit approval from the user.</li> |
| </ul> |
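<p>The Fingerprints and Hardware-Isolated Security items above, shown as an added example that is not part of the original page: an Android Keystore AES key that can only be used after a fingerprint match, using the API level 23 classes. The class name <code>FingerprintBoundKey</code> and the key alias are hypothetical, and the app is assumed to hold the <code>USE_FINGERPRINT</code> permission.</p>

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Added example: an AES key that is usable only after a fingerprint match (API 23). */
public final class FingerprintBoundKey {
    private static final String STORE = "AndroidKeyStore";
    private static final String ALIAS = "example_fp_key"; // hypothetical alias

    /** Creates the key inside the keystore; the app never sees the raw key bytes. */
    static void createKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // No validity window is set, so each use needs its own fingerprint match.
                .setUserAuthenticationRequired(true)
                .build());
        kg.generateKey();
    }

    /** Starts fingerprint authentication; the callback receives the unlocked Cipher. */
    static void unlock(FingerprintManager fm, CancellationSignal cancel,
                       FingerprintManager.AuthenticationCallback callback) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) ks.getKey(ALIAS, null));
        } catch (KeyPermanentlyInvalidatedException e) {
            // A fingerprint was enrolled or the lock screen was reset: the old key is
            // permanently unusable, and data encrypted under it cannot be recovered.
            ks.deleteEntry(ALIAS);
            createKey();
            cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) ks.getKey(ALIAS, null));
        }
        // The Cipher only works once onAuthenticationSucceeded() has been called.
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0, callback, null);
    }
}
```

<p>In <code>onAuthenticationSucceeded</code>, the cipher is retrieved with <code>result.getCryptoObject().getCipher()</code>; calling <code>doFinal</code> on it before a successful match fails.</p>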