With Android Oreo, Google has doubled down on security by making it safer to get apps, hardening the kernel or making Android easier to update. And in a new blog post this week, Google is taking a more in-depth look at the security goodness inside Oreo.
Google’s latest mobile operating system comes with support for features such as OEM Lock Hardware Abstraction Layer – which is a tool which gives manufacturers more flexibility on how to protect their own devices. Speaking of hardware, Google reminds us that the Pixel 2 and Pixel 2 XL take advantage of a specialized chipset that’s capable of verifying code in real time and resist both physical and remote data attacks and exploits. Google invites all manufacturers to take advantage of this feature on their new Oreo devices.
Android already supported Verified Boot – a security feature design to prevent devices booting up with software that has been tampered with. Well in Oreo, Google has upgraded it to Verified Boot 2.0 which includes new tools meant to enable faster updates by taking heavy advantage of Project Treble, as well as header and footer code across the board to make it easier to detect when something is amiss in boot and rollback protection.
What’s more, Project Treble now allows vendor HALs for individual device components to run sandboxed from the main core of the system, thus keeping the device safe from unwanted exploits. Platform and vendor-made code are separated to keep each component as controlled as possible.
On top of that, Oreo has been updated to include compliance with IETF RFC 7844 anonymity profile. Which means the net.hostname is now empty, and the device DHCP client no longer sends a hostname. Google has also built-in a new MAC address randomization tool in the code to make sure devices remain relatively anonymous while connected to a Wi-Fi.
Android Instant Apps now run in a restricted sandbox in order to limit certain permissions and capabilities such as reading the on-device app list or transmitting cleartext traffic. WebView has been split off from the rest of the web browsing code in Android, so Instant Apps can run safely. It includes Safe Browsing to protect against potentially dangerous sites.
To conclude, it’s worth mentioning that some of these features are already available for mobile users on Oreo, while some will be rolled out in the not too distant future.
For more info on Android Oreo’s updated security, check out the official Android Developers Blog.