| <html devsite> |
| <head> |
| <title>Security Enhancements in Android 8.0</title> |
| <meta name="project_path" value="/_project.yaml" /> |
| <meta name="book_path" value="/_book.yaml" /> |
| </head> |
| <body> |
| <!-- |
| Copyright 2017 The Android Open Source Project |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| |
| |
| <p>Every Android release includes dozens of security enhancements to protect |
| users. Here are some of the major security enhancements available in Android |
| 8.0:</p> |
| |
| <ul> |
| <li><strong>Encryption</strong>. Added support for evicting the work profile's encryption key when the work profile is locked.</li> |
| <li><strong>Verified Boot</strong>. Added Android Verified Boot (AVB): a Verified |
| Boot codebase with rollback protection, for use in bootloaders, was added to |
| AOSP. Bootloaders are recommended to enforce rollback protection for the HLOS |
| (the high-level OS, that is, Android itself) and to allow unlocking only when the |
| user physically interacts with the device.</li> |
| <li><strong>Lock screen</strong>. Added support for using tamper-resistant |
| hardware to verify lock screen credential.</li> |
| <li><strong>KeyStore</strong>. Required <a href="/security/keystore/attestation">key |
| attestation</a> for all devices that ship with Android 8.0+. Added <a |
| href="/security/keystore/attestation#id-attestation">ID |
| attestation</a> support to improve Zero Touch Enrollment.</li> |
| <li><strong>Sandboxing</strong>. Many components are more <a |
| href="https://android-developers.googleblog.com/2017/07/shut-hal-up.html">tightly |
| sandboxed</a> using Project Treble's standard interface between the framework and |
| device-specific components (HALs). Applied <a |
| href="https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html">seccomp |
| filtering</a> to all untrusted apps to reduce the kernel's attack surface. <a |
| href="https://android-developers.googleblog.com/2017/06/whats-new-in-webview-security.html">WebView</a> |
| now runs in an isolated process with very limited access to the rest of the |
| system.</li> |
| <li><strong>Kernel hardening</strong>. Implemented <a |
| href="https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.html">hardened |
| usercopy</a>, PAN emulation (Privileged Access Never, which prevents the kernel from |
| dereferencing user-space pointers unintentionally), read-only-after-init memory, and KASLR.</li> |
| <li><strong>Userspace hardening</strong>. Implemented Control Flow Integrity (CFI) |
| for the media stack. App overlays can no longer cover system-critical windows, and |
| users have a way to dismiss them.</li> |
| <li><strong>Streaming OS update</strong>. Enabled <a |
| href="/devices/tech/ota/ab_updates#streaming-updates">updates</a> |
| on devices that are low on disk space.</li> |
| <li><strong>Install unknown apps</strong>. Users must <a |
| href="https://developer.android.com/studio/publish/index.html#publishing-unknown">grant |
| permission</a> to each requesting app before it can install apps from a source that isn't a first-party app store.</li> |
| <li><strong>Privacy</strong>. Android ID (SSAID) has a different value for |
| each app and each user on the device. For web browser apps, Widevine Client ID |
| returns a different value for each app package name and web origin. |
| <code>net.hostname</code> is now empty and the DHCP client no longer sends a |
| hostname. <code>android.os.Build.SERIAL</code> has been replaced with the |
| <a href="https://developer.android.com/reference/android/os/Build.html#getSerial()"><code>Build.getSerial()</code> API</a>, |
| which is protected behind a user-controlled permission. Improved MAC address |
| randomization in some chipsets.</li> |
| </ul> |
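<p>As an added illustration of what the KeyStore item above gives a relying party (example code written for this page, not AOSP code): the attestation certificate carries a DER-encoded <code>KeyDescription</code> extension (OID 1.3.6.1.4.1.11129.2.1.17) whose fields state where the key lives and echo the challenge the app supplied when generating it. The script below constructs such a blob with a minimal DER encoder so it runs offline (the challenge and version numbers are constructed values), parses the eight top-level fields, and applies the two checks a server must always make: the challenge matches its own nonce, and both security levels are TEE or StrongBox rather than Software. It deliberately omits certificate-chain signature verification and the tagged entries inside the two <code>AuthorizationList</code>s, both of which a real verifier must also handle.</p>

```python
"""Decode and check an Android key-attestation KeyDescription (DER).

Added example, not AOSP code. The blob is constructed in this script;
in practice it comes from the leaf attestation certificate, and the chain
must be verified up to the Google attestation root before trusting it.
"""

# SecurityLevel ENUMERATED values from the KeyDescription schema.
SECURITY_LEVEL = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}

# Top-level KeyDescription fields, in order, with their DER tags.
FIELDS = (
    ("attestationVersion", 0x02),        # INTEGER
    ("attestationSecurityLevel", 0x0A),  # ENUMERATED
    ("keymasterVersion", 0x02),          # INTEGER
    ("keymasterSecurityLevel", 0x0A),    # ENUMERATED
    ("attestationChallenge", 0x04),      # OCTET STRING
    ("uniqueId", 0x04),                  # OCTET STRING
    ("softwareEnforced", 0x30),          # AuthorizationList (SEQUENCE)
    ("teeEnforced", 0x30),               # AuthorizationList (SEQUENCE)
)


# --- minimal DER encoder, only what the constructed sample needs ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(value, tag=0x02):
    # Minimal two's-complement encoding; ENUMERATED reuses it with tag 0x0A.
    size = max(1, (value.bit_length() + 8) // 8)
    return der_tlv(tag, value.to_bytes(size, "big", signed=True))


def build_key_description(challenge, security_level):
    """Constructed sample with empty AuthorizationLists (real ones carry
    tagged entries such as purpose, algorithm and origin)."""
    return der_tlv(0x30, b"".join([
        der_int(3),                      # attestationVersion (constructed)
        der_int(security_level, 0x0A),   # attestationSecurityLevel
        der_int(4),                      # keymasterVersion (constructed)
        der_int(security_level, 0x0A),   # keymasterSecurityLevel
        der_tlv(0x04, challenge),        # attestationChallenge
        der_tlv(0x04, b""),              # uniqueId
        der_tlv(0x30, b""),              # softwareEnforced
        der_tlv(0x30, b""),              # teeEnforced
    ]))


# --- minimal DER reader ---

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def parse_key_description(der):
    """Decode the eight top-level KeyDescription fields into a dict."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    out, pos = {}, 0
    for name, want_tag in FIELDS:
        tag, value, pos = read_tlv(body, pos)
        if tag != want_tag:
            raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (name, want_tag, tag))
        out[name] = (int.from_bytes(value, "big", signed=True)
                     if tag in (0x02, 0x0A) else bytes(value))
    if pos != len(body):
        raise ValueError("unexpected trailing fields in KeyDescription")
    return out


def check_attestation(der, expected_challenge):
    """Relying-party policy: the challenge must echo our nonce (binding and
    freshness) and both security levels must be TEE or StrongBox, so a
    software-only keystore cannot pass. Returns (ok, detail)."""
    kd = parse_key_description(der)
    if kd["attestationChallenge"] != expected_challenge:
        return False, "challenge mismatch"
    for field in ("attestationSecurityLevel", "keymasterSecurityLevel"):
        if kd[field] not in (1, 2):
            return False, "%s is %s" % (field, SECURITY_LEVEL.get(kd[field], kd[field]))
    return True, SECURITY_LEVEL[kd["keymasterSecurityLevel"]]


if __name__ == "__main__":
    nonce = b"server-nonce-0123456789abcdef"   # constructed server nonce
    print(check_attestation(build_key_description(nonce, 1), nonce))
    print(check_attestation(build_key_description(nonce, 0), nonce))
    print(check_attestation(build_key_description(b"stale", 2), nonce))
```

<p>Run directly, the script shows the three outcomes a verifier cares about: a TEE-backed key with the right challenge is accepted, a Software-level key is rejected even with the right challenge, and a replayed blob with a stale challenge is rejected even though it claims StrongBox. Checking <code>keymasterSecurityLevel</code> as well as <code>attestationSecurityLevel</code> matters because the first describes where the key is held and the second where the attestation statement was produced.</p>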
| |
| </body> |
| </html> |