Security of latest os android oreo

KashyapDave By KashyapDave, 1st Jan 2018 | Follow this author | RSS Feed | Short URL http://nut.bz/3j3bjq09/
Posted in Wikinut>News>Technology

Android Oreo is stuffed full of security enhancements. Over the past few months, we've covered how we've improved the security of the Android platform and its applications: from making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, hardening the kernel, making Android easier to update, all the way to doubling the Android Security Rewards payouts. Now that Oreo is out the door, let's take a look at all the goodness inside.

Expanding support for hardware security

Android already supports Verified Boot, which is designed to prevent devices from booting up with software that has been tampered with. In Android Oreo, we added a reference implementation for Verified Boot running with Project Treble, called Android Verified Boot 2.0 (AVB). AVB has a couple of cool features to make updates easier and more secure, such as a common footer format and rollback protection. Rollback protection is designed to prevent a device to boot if downgraded to an older OS version, which could be vulnerable to an exploit. To do this, the devices save the OS version using either special hardware or by having the Trusted Execution Environment (TEE) sign the data. Pixel 2 and Pixel 2 XL come with this protection and we recommend all device manufacturers add this feature to their new devices.

Android Oreo also includes the new OEM Lock Hardware Abstraction Layer (HAL) that gives device manufacturers more flexibility for how they protect whether a device is locked, unlocked, or unlockable. For example, the new Pixel phones use this HAL to pass commands to the bootloader. The bootloader analyzes these commands the next time the device boots and determines if changes to the locks, which are securely stored in Replay Protected Memory Block (RPMB), should happen. If your device is stolen, these safeguards are designed to prevent your device from being reset and to keep your data secure. This new HAL even supports moving the lock state to dedicated hardware.

Speaking of hardware, we've invested support in tamper-resistant hardware, such as the security module found in every Pixel 2 and Pixel 2 XL. This physical chip prevents many software and hardware attacks and is also resistant to physical penetration attacks. The security module prevents deriving the encryption key without the device's passcode and limits the rate of unlock attempts, which makes many attacks infeasible due to time restrictions.

While the new Pixel devices have the special security module, all new GMS devices shipping with Android Oreo are required to implement key attestation. This provides a mechanism for strongly attesting IDs such as hardware identifiers.
Best App development
We added new features for enterprise-managed devices as well. In work profiles, encryption keys are now ejected from RAM when the profile is off or when your company's admin remotely locks the profile. This helps secure enterprise data at rest.

Platform hardening and process isolation

As part of Project Treble, the Android framework was re-architected to make updates easier and less costly for device manufacturers. This separation of platform and vendor-code was also designed to improve security. Following the principle of least privilege, these HALs run in their own sandbox and only have access to the drivers and permissions that are absolutely necessary.
Best tech development in Ahmedabad
Continuing with the media stack hardening in Android Nougat, most direct hardware access has been removed from the media frameworks in Oreo resulting in better isolation. Furthermore, we've enabled Control Flow Integrity (CFI) across all media components. Most vulnerabilities today are exploited by subverting the normal control flow of an application, instead changing them to perform arbitrary malicious activities with all the privileges of the exploited application. CFI is a robust security mechanism that disallows arbitrary changes to the original control flow graph of a compiled binary, making it significantly harder to perform such attacks.

In addition to these architecture changes and CFI, Android Oreo comes with a feast of other tasty platform security enhancements:

Seccomp filtering: makes some unused syscalls unavailable to apps so that they can't be exploited by potentially harmful apps.
Hardened usercopy: A recent survey of security bugs on Android revealed that invalid or missing bounds checking was seen in approximately 45% of kernel vulnerabilities. We've backported a bounds checking feature to Android kernels 3.18 and above, which makes exploitation harder while also helping developers spot issues and fix bugs in their code.
Privileged Access Never (PAN) emulation: Also backported to 3.18 kernels and above, this feature prohibits the kernel from accessing user space directly and ensures developers utilize the hardened functions to access user space.
Kernel Address Space Layout Randomization (KASLR): Although Android has supported userspace Address Space Layout Randomization (ASLR) for years, we've backported KASLR to help mitigate vulnerabilities on Android kernels 4.4 and newer. KASLR works by randomizing the location where kernel code is loaded on each boot, making code reuse attacks probabilistic and therefore more difficult to carry out, especially remotely.

App security and device identifier changes

Android Instant Apps run in a restricted sandbox which limits permissions and capabilities such as reading the on-device app list or transmitting cleartext traffic. Although introduced during the Android Oreo release, Instant Apps supports devices running Android Lollipop and later.

In order to handle untrusted content more safely, we've isolated WebView by splitting the rendering engine into a separate process and running it within an isolated sandbox that restricts its resources. WebView also supports Safe Browsing to protect against potentially dangerous sites.
Top App Development in India
Lastly, we've made significant changes to device identifiers to give users more control, including:

Moving the static Android ID and Widevine values to an app-specific value, which helps limit the use of device-scoped non-resettable IDs.
In accordance with IETF RFC 7844 anonymity profile, net.hostname is now empty and the DHCP client no longer sends a hostname.
For apps that require a device ID, we've built a Build.getSerial() API and protected it behind a permission.
Alongside security researchers1, we designed a robust MAC address randomization for Wi-Fi scan traffic in various chipsets firmware.

Android Oreo brings in all of these improvements, and many more. As always, we appreciate feedback and welcome suggestions for how we can improve Android.

Source

Tags

Android, Android App Development, Android Application, Android Apps, Android Games

Meet the author

author avatar KashyapDave
Hi, I’m Kashyap Dave
I am a Digital Marketing Manager & passionate designer.

Share this page

moderator Peter B. Giblett moderated this page.
If you have any complaints about this content, please let us know

Comments

author avatar COMPOSITE HACKS
3rd Jan 2018 (#)

★COMPOSITE HACKS★

If Truly you Are In Need Of A PROFESSIONAL LEGIT HACKER Who Will Get Your Job Done Efficiently With Swift Response, Congratulations, You Have Met the Right HACKERS.

★ WHO ARE COMPOSITE HACKS???
• We are a Team Of Professional HACKERS , a product of the coming together of Legit Hackers from the Dark-Web, (pentaguard,CyberBerkut, RedHack , Black Hat, White Hack ) we have been existing for over 12years, our system is a veryStrong and decentralized command structure that operates on ideas and directives.

★ JOB GUARANTEE:
 • Frankly speaking, I always give a 100% guarantee on any job we are been asked to do, because we have always been successful in Almost all our jobs for over 12years and our clients can testify to that .To hack any thing needs time though, but we can provide a swift response to your job depending on how fast and urgent you need it.Time also depends on what exactly you want to hack and how serious you are.Enough time with social engineering is required for hacking.So if you want to bind us in a short time, then just don't contact us because We can't hack within 30minutes,*sorry*.Basically, time depends on your luck.If its good luck, then it is possible to hack within 30minutes but, if it is in the other way round, it would take few hours.I have seen FAKE HACKERS claiming they can hack in 30min, 20min , but there is no REAL HACKER who can say this (AVOID THEM).
Please Note : we have only one contact email : compositehacks@gmail.com

We will be happy to have you join over 2000 satisfied clients around the world to use our services.

★ OUR HACKING CAPABILITIES:
There are so many Reasons why people need to hire a hacker, It might be to Hack a Websites to deface , retrieve information, edit information or give you admin access Some people might need us for Hacking any smart phone giving you access to all activities onthe phone like , text messages , call logs , Social media Apps and other informations.Some might need to Hack a Facebook , gmail, yahoomail, Instagram , twitter and every other social network Accounts, Some might need to Hack into Court's Database to Clear criminal records.However we can also Hack into school's websites (server) to change grades without any trace, Also Some Individuals might want to Track someone else's Location probably for investigation cases.
   All these Are what we can get Done withing few hours.

★ SOME OTHER SPECIAL SERVICES WE OFFER:
★ Hacking and sales of Programmed credit cards & CREDIT SCORE TOP-UP
★ Sales of untraceable phones (even the pentagon can not track our phones)
★ Sales of Tutorial packs for Beginner Ethical Hackers.

★ You can also contact us for other Cyber Attacks And Hijackings, we do almost All.

★Contact Us for Your Desired Service Via: compositehacks@gmail.com

You Can Also Check Out Our Blog for Helpful Tips:
https://compositehacks.blogspot.com

★We Treat Every Request With Utmost Confidentiality★

Reply to this comment

Add a comment
Username
Can't login?
Password