19 January 2018
Since releasing Android Oreo for Pixel and Nexus devices, Google has been working hard to improve the security of the operating system. Earlier this month the company released the Android December security patch for Nexus and Pixel devices, with factory images and OTA. Yesterday, Google announced some of the security improvements it has made over the past few months.
The features already noted include making applications safer, dropping insecure network protocols, hardening the kernel, and making Android easier to update. However, Google has now confirmed that it is also expanding support for hardware security. The company has added a reference implementation for Verified Boot running Project Treble. This security feature is designed to prevent devices from booting software that has been tampered with.
Android Verified Boot 2.0 (AVB) allows for easier updates and adds more security features to the device, one of which is rollback protection. Rollback protection prevents a device from booting if it has been downgraded to an older OS version that could be vulnerable to an exploit. Google describes it as follows:
Rollback protection is designed to prevent a device to boot if downgraded to an older OS version, which could be vulnerable to an exploit. To do this, the devices save the OS version using either special hardware or by having the Trusted Execution Environment (TEE) sign the data. Pixel 2 and Pixel 2 XL come with this protection and we recommend all device manufacturers add this feature to their new devices.
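A small model of the rollback check described in the quote above, added here as an illustration and not taken from Google's or AVB's code. The `Tee`, `VersionStore` and `check_and_boot` names, the HMAC standing in for the TEE signature, and the key and version numbers are all assumptions constructed for this example.

```python
import hmac, hashlib, struct

class RollbackError(Exception):
    """Raised when the boot must be refused."""

class Tee:
    """Stand-in for the TEE: holds a key the normal OS never sees (assumption)."""
    def __init__(self, key: bytes):
        self._key = key
    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()
    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), tag)

class VersionStore:
    """Untrusted storage holding the minimum allowed OS version plus its TEE tag."""
    def __init__(self, tee: Tee, version: int = 0):
        self.tee = tee
        self.write(version)
    def write(self, version: int) -> None:
        self.blob = struct.pack(">Q", version)
        self.tag = self.tee.sign(self.blob)
    def read(self) -> int:
        if not self.tee.verify(self.blob, self.tag):
            raise RollbackError("stored version record failed TEE verification")
        return struct.unpack(">Q", self.blob)[0]

def check_and_boot(store: VersionStore, image_version: int) -> int:
    """Refuse images older than the stored minimum; ratchet the minimum forward."""
    minimum = store.read()
    if image_version < minimum:
        raise RollbackError(f"image version {image_version} < stored minimum {minimum}")
    if image_version > minimum:
        store.write(image_version)  # simplified: the model ratchets immediately
    return image_version

def demo() -> list:
    store = VersionStore(Tee(b"constructed-demo-key"), version=3)
    results = [check_and_boot(store, 4)]       # update accepted, minimum becomes 4
    for case in ("downgrade", "tampered record"):
        if case == "tampered record":
            store.blob = struct.pack(">Q", 1)  # record altered without the TEE key
        try:
            check_and_boot(store, 3)
        except RollbackError as err:
            results.append(str(err))
    return results
```

Both refusals come from different checks: the downgrade fails the version comparison, while the altered record fails verification before any comparison is made.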
The new OEM Lock Hardware Abstraction Layer (HAL) gives device manufacturers more flexibility to protect a device whether it is locked, unlocked, or unlockable. In addition, Android Instant Apps run in a restricted sandbox that limits permissions and capabilities such as reading the on-device app list or transmitting cleartext traffic.