src/security/enhancements/enhancements70.jd - platform/docs/source.android.com - Git at Google

 page.title=Security Enhancements in Android 7.0
 @jd:body
 <!--
     Copyright 2016 The Android Open Source Project

     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->

 <p>Every Android release includes dozens of security enhancements to protect
 users. Here are some of the major security enhancements available in Android
 7.0:</p>

 <ul>
   <li><strong>File-based encryption</strong>. Encrypting at the file level,
   instead of encrypting the entire storage area as a single unit, better
   isolates and protects individual users and profiles (such as personal and
   work) on a device.</li>
   <li><strong>Direct Boot</strong>. Enabled by file-based encryption, Direct
   Boot allows certain apps such as alarm clock and accessibility features to
   run when device is powered on but not unlocked.</li>
   <li><strong>Verified Boot</strong>. Verified Boot is now strictly enforced to
   prevent compromised devices from booting; it supports error correction to
   improve reliability against non-malicious data corruption.</li>
   <li><strong>SELinux</strong>. Updated SELinux configuration and increased
   seccomp coverage further locks down the application sandbox and reduces attack
   surface.</li>
   <li><strong>Library load-order randomization and improved ASLR</strong>.
   Increased randomness makes some code-reuse attacks less reliable.</li>
   <li><strong>Kernel hardening</strong>. Added additional memory protection for
   newer kernels by marking portions of kernel memory as read-only, restricting
   kernel access to userspace addresses and further reducing the existing attack
   surface.</li>
   <li><strong>APK signature scheme v2</strong>. Introduced a whole-file signature
   scheme that improves verification speed and strengthens integrity guarantees.</li>
   <li><strong>Trusted CA store</strong>. To make it easier for apps to control
   access to their secure network traffic, user-installed certificate authorities
   and those installed through Device Admin APIs are no longer trusted by default
   for apps targeting API Level 24+. Additionally, all new Android devices must
   ship with the same trusted CA store.</li>
   <li><strong>Network Security Config</strong>. Configure network security and TLS
   through a declarative configuration file.</li>
 </ul>
	page.title=Security Enhancements in Android 7.0
	@jd:body
	<!--
	Copyright 2016 The Android Open Source Project

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<p>Every Android release includes dozens of security enhancements to protect
	users. Here are some of the major security enhancements available in Android
	7.0:</p>

	<ul>
	<li><strong>File-based encryption</strong>. Encrypting at the file level,
	instead of encrypting the entire storage area as a single unit, better
	isolates and protects individual users and profiles (such as personal and
	work) on a device.</li>
	<li><strong>Direct Boot</strong>. Enabled by file-based encryption, Direct
	Boot allows certain apps such as alarm clock and accessibility features to
	run when device is powered on but not unlocked.</li>
	<li><strong>Verified Boot</strong>. Verified Boot is now strictly enforced to
	prevent compromised devices from booting; it supports error correction to
	improve reliability against non-malicious data corruption.</li>
	<li><strong>SELinux</strong>. Updated SELinux configuration and increased
	seccomp coverage further locks down the application sandbox and reduces attack
	surface.</li>
	<li><strong>Library load-order randomization and improved ASLR</strong>.
	Increased randomness makes some code-reuse attacks less reliable.</li>
	<li><strong>Kernel hardening</strong>. Added additional memory protection for
	newer kernels by marking portions of kernel memory as read-only, restricting
	kernel access to userspace addresses and further reducing the existing attack
	surface.</li>
	<li><strong>APK signature scheme v2</strong>. Introduced a whole-file signature
	scheme that improves verification speed and strengthens integrity guarantees.</li>
	<li><strong>Trusted CA store</strong>. To make it easier for apps to control
	access to their secure network traffic, user-installed certificate authorities
	and those installed through Device Admin APIs are no longer trusted by default
	for apps targeting API Level 24+. Additionally, all new Android devices must
	ship with the same trusted CA store.</li>
	<li><strong>Network Security Config</strong>. Configure network security and TLS
	through a declarative configuration file.</li>
	</ul>