Since last year, with the revelation of Stagefright impacting a large number of users, Google has placed security in their Android operating system at a higher priority. As it becomes used by billions, it needs to be robust enough to keep the user and their data safe. Moving forward, a number of fixes have been applied to Google to keep it secure. Some of these changes are explained in Google’s Security Blog.
Stagefright primarily affected Android’s media server, the built-in system for processing images, videos, and audio. Security researchers have found a number of bugs in its implementation and this has been a big focus in both their monthly security patches and it has been completely rewritten in Nougat.
Instead of having a single process for all media, it has been broken out into different subprocesses which have stricter confines to prevent a rogue piece of media from having too much control. Additionally, security features like integer overflow detection allow the platform to end a process as soon as a possible attack is found.
Lower in the operating system there have been more security restrictions placed around the Linux userspace such as read-only kernel memory and an updated configuration for SELinux.
There are possible flaws which may exist for app developers. One example is apps will no longer have visible files in its private directory unless it is explicitly enabled. This prevents a rogue app from interfering with a normal app and changing files. Also, some apps previously used overlays on top of permission dialogs in order to get the user to allow a permission without them knowing. This has now been prevented.
New Nougat devices will be shipping with an A/B system to make updates seamless. It’ll work a lot like Chrome. The update is downloaded and installed in the background on one partition. When you restart, the updated partition is launched while the first partition now applies the update. It completely hides away the update process. Making it seamless means more people get the update sooner and it’s more secure.
If your Nougat device does not support that, you will still see performance improvements. Android is moving back to a JIT (just in time) compiler. This means that the app’s Java code will be translated into machine code on the fly as you use it. In Lollipop and Marshmallow, apps were compiled during the installation process. While it made execution faster, it meant a longer wait right after download. It was even worse right after an update since all of the app compilations had to be replaced for a new operating system. You could easily be stuck for hours waiting for your apps to “optimize”.
There’s a lot of new features to look forward to in Android Nougat, and although security may not be on the top of your list, it is good to see Google’s continued work in this area.