Double Stuffed Security in Android Oreo
Posted by Gian G Spicuzza, Android Security Team
Android Oreo is stuffed full of security enhancements. In recent months,
we have covered how we improved the security of the Android platform and its
applications: from making it safer to get applications, dropping insecure
network protocols, giving users more control over identifiers and hardening
the platform, to making Android easier to update, all the way to doubling
Android Security Rewards payouts. Now that Oreo is out, let's take a look at
all the goodness inside.
Extensive support for hardware security
Android already supports Verified Boot, which is designed to prevent devices
from booting with software that has been tampered with. In Android Oreo, we
added a reference implementation of Verified Boot, working with Project Treble,
called Android Verified Boot 2.0 (AVB). AVB has a couple of cool features that
make updates easier and more secure, such as a common footer format and
rollback protection. Rollback protection is designed to prevent a device from
booting if it has been downgraded to an older version of the operating system,
which could be vulnerable to an exploit. To do this, devices store the
operating system version using either special hardware or by having the
Trusted Execution Environment (TEE) sign the data. Pixel 2 and Pixel 2 XL come
with this protection, and we recommend that all device manufacturers add this
feature to their new devices.
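The rollback check described above, as a simplified model added for this page (it is not libavb code): the bootloader keeps a monotonic rollback index per slot in tamper-evident storage, compares it with the index signed into the image, and only ever raises it. The slot count, field names and sample store values are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of AVB rollback protection. Illustration written for this
 * page, not libavb. The bootloader keeps one monotonic rollback index per
 * "location" in tamper-evident storage (dedicated hardware or TEE-signed
 * data); a verified image carries the index it was built with and the
 * location it is compared against. */
#define ROLLBACK_SLOTS 4

struct rollback_store {
    uint64_t index[ROLLBACK_SLOTS];  /* persisted; only ever increases */
};

struct image_meta {                  /* fields that would come from signed vbmeta */
    uint32_t location;
    uint64_t rollback_index;
};

/* 1 if the image may boot: its index must not be below the stored one, so an
 * image downgraded past the last accepted version is refused. */
int rollback_check(const struct rollback_store *s, const struct image_meta *img)
{
    if (img->location >= ROLLBACK_SLOTS)
        return 0;                    /* unknown slot: fail closed */
    return img->rollback_index >= s->index[img->location];
}

/* After a newer image has booted successfully, raise the stored index so older
 * images are refused from now on. A lower or equal value is never written
 * back. Returns 1 if the store changed. */
int rollback_commit(struct rollback_store *s, const struct image_meta *img)
{
    if (img->location >= ROLLBACK_SLOTS ||
        img->rollback_index <= s->index[img->location])
        return 0;
    s->index[img->location] = img->rollback_index;
    return 1;
}

/* Constructed sample store: slot 0 last accepted version 5, slot 1 version 2. */
struct rollback_store demo_store = {{5, 2, 0, 0}};

int main(void)
{
    struct image_meta downgrade = {0, 4}, update = {0, 7};
    printf("version 4 image may boot: %d\n", rollback_check(&demo_store, &downgrade));
    if (rollback_commit(&demo_store, &update))
        printf("slot 0 index raised to %llu\n", (unsigned long long)demo_store.index[0]);
    return 0;
}
```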
Oreo also includes the new OEM Lock Hardware Abstraction Layer (HAL), which
gives device manufacturers more flexibility in how they protect whether a
device is locked, unlocked, or unlockable. For example, the new Pixel phones
use this HAL to pass commands to the bootloader. The bootloader analyzes these
commands the next time the device boots and determines whether the changes to
the locks, which are stored securely in the Replay Protected Memory Block
(RPMB), should take effect. If your device is stolen, these protections are
designed to prevent it from being reset and to keep your data safe. This new
HAL even supports moving the lock state to
Speaking of hardware, we have invested in support for tamper-resistant
hardware, such as the security module found in every Pixel 2 and Pixel 2 XL.
This physical chip prevents many software and hardware attacks and is also
resistant to physical penetration attacks. The security module prevents the
encryption key from being derived without the device's passcode and limits the
rate of unlock attempts, which makes many attacks infeasible because of the
time they would take.
While the new Pixel phones have the dedicated security module, all new GMS
devices shipping with Android Oreo are required to implement key attestation.
This provides a mechanism for strongly attesting IDs such as hardware
identifiers.
We have also added new features for enterprise-managed devices. In work
profiles, encryption keys are now ejected from RAM when the profile is turned
off or when your company's administrator remotely locks the profile. This
helps secure business data to
Hardening of the platform and process isolation
As part of Project Treble, the Android framework has been re-architected to
make updates easier and less costly for device manufacturers. This separation
of platform and vendor code was also designed to improve security. Following
the principle of least privilege, these HALs run in their own sandbox and only
have access to the drivers and permissions that are
Continuing the media stack hardening begun in Android Nougat, most direct
hardware access has been removed from the media frameworks in Oreo, resulting
in better isolation.
In addition, we have enabled Control Flow Integrity (CFI) across all media
components. Most vulnerabilities today are exploited by subverting the normal
control flow of an application, redirecting it to perform arbitrary malicious
activities with all the privileges of the exploited application. CFI is a
robust security mechanism that disallows arbitrary changes to the original
control flow graph of a compiled binary, which makes such attacks
significantly harder to carry out.
In addition to these architecture changes and CFI, Android Oreo comes with a
feast of other tasty platform security improvements:
Seccomp filtering: makes some unused system calls unavailable to applications
so that they cannot be exploited by potentially harmful applications.
Hardened usercopy: A recent survey of security bugs on Android revealed that
invalid or missing bounds checking was present in approximately 45% of kernel
vulnerabilities. We have backported a bounds checking feature to Android
kernels 3.18 and above, which makes exploitation harder while also helping
developers spot problems and fix bugs in their code.
Privileged Access Never (PAN) emulation: also backported to 3.18 kernels and
above, this feature prohibits the kernel from accessing user space directly
and ensures that developers use the hardened functions to access
Kernel Address Space Layout Randomization (KASLR): although Android has
supported user space Address Space Layout Randomization (ASLR) for years, we
have backported KASLR to help mitigate vulnerabilities on Android kernels 4.4
and newer. KASLR works by randomizing the location where the kernel code is
loaded on each boot, which makes code reuse attacks probabilistic and
therefore more difficult to carry out, especially remotely.
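The syscall filtering item above, as an example added for this page (this is not Android's own seccomp policy): a small deny-list of syscall numbers is compiled into a seccomp-bpf program that first checks the ABI, since syscall numbers differ between architectures, then kills the process on a listed number and allows everything else. The buffer size, the `STMT`/`JUMP` helper macros and the numbers used in the test are assumptions for the illustration; Linux headers are required.

```c
#include <stddef.h>
#include <stdint.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>

/* Illustration of seccomp-bpf syscall filtering written for this page (not
 * Android's own filter). A short deny-list of syscalls the process never needs
 * becomes a BPF program: the ABI is checked first (syscall numbers differ per
 * architecture), then a listed number kills the process; all else is allowed. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 kernel headers */
#endif
#define MAX_INSNS 64
#define STMT(code, k)       (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, t, f) (struct sock_filter)BPF_JUMP(code, k, t, f)

struct sock_filter demo_prog[MAX_INSNS];   /* buffer used by the demo and tests */

/* Returns the instruction count written to 'prog', or 0 if 'cap' is too small.
 * Layout: [ld arch][jeq arch][ld nr][jeq nr x ndenied][ret allow][ret kill] */
size_t build_denylist_filter(struct sock_filter *prog, size_t cap, uint32_t arch,
                             const int *denied, size_t ndenied)
{
    size_t n = 0;
    if (ndenied + 5 > cap || ndenied > 250)       /* jump offsets are 8-bit */
        return 0;
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    /* wrong ABI: jump over everything to the kill statement */
    prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 0, (uint8_t)(ndenied + 2));
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < ndenied; i++)          /* listed number: jump to kill */
        prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)denied[i],
                         (uint8_t)(ndenied - i), 0);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return n;
}

/* Installs the filter for this process and any child it starts. NO_NEW_PRIVS
 * lets an unprivileged process do so. Returns 0 on success. */
int install_filter(struct sock_filter *prog, size_t n)
{
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

Once installed, the filter cannot be removed by the process, which is why Android applies it before untrusted application code runs.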
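The hardened usercopy item above, as a model added for this page (this is not kernel code): before a copy of user-chosen length touches a kernel object, the whole range is checked against that object's bounds, including the pointer-wrap case. The object and request types, the error codes and the sample request buffer are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model of the check hardened usercopy adds, written for this page (not kernel
 * code): before 'len' bytes are copied to or from 'p', confirm the whole range
 * lies inside the kernel object the pointer belongs to. The bug class it
 * catches is a copy whose length comes from user space without a bounds check. */
struct obj_bounds {
    uintptr_t base;   /* start of the heap/stack object */
    size_t    size;   /* its allocated size */
};

enum { COPY_OK = 0, COPY_BAD_PTR = -1, COPY_WRAP = -2, COPY_OVERFLOW = -3 };

int usercopy_check(const struct obj_bounds *obj, uintptr_t p, size_t len)
{
    uintptr_t end = obj->base + obj->size;
    if (p < obj->base || p >= end)
        return COPY_BAD_PTR;        /* pointer is not inside the object at all */
    if (len > UINTPTR_MAX - p)
        return COPY_WRAP;           /* p + len would wrap around the address space */
    if (p + len > end)
        return COPY_OVERFLOW;       /* copy would run past the end of the object */
    return COPY_OK;
}

/* ioctl-style request object; the handler copies a user-chosen length into 'name'. */
struct ioctl_req {
    char     name[16];
    uint32_t flags;
};

/* Handler written the way the unsafe pattern looks, but routed through the
 * check. The limit is the whole object (sizeof *req), as in the kernel: a copy
 * of 17..20 bytes still passes and silently overwrites 'flags'. That
 * intra-object case still needs an explicit length check by the developer. */
int handle_request(struct ioctl_req *req, const char *user_src, size_t user_len)
{
    struct obj_bounds b = { (uintptr_t)req, sizeof *req };
    int rc = usercopy_check(&b, (uintptr_t)req->name, user_len);
    if (rc != COPY_OK)
        return rc;                  /* refuse instead of corrupting memory */
    memcpy(req->name, user_src, user_len);
    return COPY_OK;
}

/* Constructed sample input standing in for bytes supplied from user space. */
struct ioctl_req demo_req;
const char demo_user[32] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
```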
App security and device identifier changes
Android Instant Apps run in a restricted sandbox that limits permissions and
capabilities such as reading the on-device application list or transmitting
cleartext traffic. Although introduced with the Android Oreo release, Instant
Apps supports devices running Android Lollipop and
In order to handle untrusted content more safely, we have isolated WebView by
splitting the rendering engine into a separate process and running it in an
isolated sandbox that restricts its resources. WebView also supports Safe
Browsing to protect against potentially dangerous sites.
Finally, we have made significant changes to device identifiers to give users
more control, including:
Moving the static Android ID and Widevine values to an app-specific value,
which limits the use of non-resettable device
In accordance with the IETF RFC 7844 anonymity profile, net.hostname is now
empty and the DHCP client no longer sends a hostname.
For applications that require a device identifier, we have built a
Build.getSerial() API and protected it behind a permission.
Alongside security researchers¹, we designed robust MAC address randomization
for Wi-Fi scan traffic in various chipset firmware.
Android Oreo brings all of these improvements, and many more. As always, we
appreciate feedback and welcome suggestions on how we can improve Android.
Contact us at email@example.com.
1: Glenn Wilkinson and the Sensepost team, UK; Célestin Matte, Mathieu Cunche:
University of Lyon, INSA-Lyon, CITI Laboratory, Inria Privatics; Mathy Vanhoef, KU