Duration 32:20

What's new in Android security

Dave Kleidermacher
VP Engineering, Head of Android Security & Privacy at Google
2018 Google I/O
May 9, 2018, Mountain View, USA

About speakers

Dave Kleidermacher
VP Engineering, Head of Android Security & Privacy at Google
Xiaowen Xin
Product Manager at Google

David leads product security for Android, Google Play, and Chrome OS, including security-related research and development, secure development life cycle programs, and mobile threat management.

Xiaowen is the product manager for security features within Android platform, Pixel, and Android Enterprise. She has almost fifteen years of experience in the tech industry, having worked on both Android and Chrome OS at Google, as well as at a number of startups and other major tech companies like Microsoft and EMC. Xiaowen earned a bachelor’s degree in computer science from MIT.

About the talk

Attend this session to learn about security features in Android and how they affect your apps. It will cover new APIs and best practices for protecting the integrity of your app and the privacy of your data.

Hello and welcome to the Android P edition of What's New in Android Security. My name is Dave. I lead mobile security here at Google, and in a few minutes I'll hand over to Xiaowen, who is the lead security product manager for the Android platform. We have a lot of ground to cover, so we'll start with a brief state of the union on Android security and then jump into all the really cool things we've been working on in Android security over the past year and launching here in Android P, including secure hardware support advancements, lock screen authentication, integrity and privacy.

So, state of the union. Let's talk a little bit about what the Android security strategy looks like. There are really three main pillars. First, Google Play Protect. This is the malware protection and mobile security services that run on over 2 billion Android devices today. The second pillar is platform engineering. These are the core operating system defenses that we build into Android to improve the security of the system, such as SELinux, control flow integrity protection, which we've been investing in a lot in P, encryption, verified boot and lots of other features. The third pillar is the security development lifecycle. These are all the programs that we put in place to ensure a consistently high level of security across the Android ecosystem. It includes things like testing infrastructure, and it also includes our security patching programs. We've been working really hard on that. A couple of things we've invested in: we've been trying to make Android just easier to patch. At Google we have a pretty steady track record, for years now, of delivering those patches to the market every single month. We want to make sure that all Android OEMs are delivering patches regularly to their devices as well, not just Google devices, and so making Android more modular, with projects like Treble, has really helped contribute to that. We've also worked on building security patching into our OEM agreements. This will lead to a massive increase in the number of devices and users receiving regular security patches, so we're really excited about that.

But there are also a couple of really important philosophical principles that underlie everything we do when it comes to security. We believe in transparency and openness, because that breeds confidence and it breeds trust. Conversely, a closed platform and secrecy breed distrust. But there's actually a really important security advantage to being open. Today's mobile devices are faced with really sophisticated attacks. When you have billions of users, it's an attractive target, and so it deserves the strongest possible defense. With a closed platform, the defenders are the employees of the one company that owns the platform. But with Android we have the thousands of Googlers who wake up every morning thinking about how best to protect users on our platforms. We have the device manufacturers, who have their own security teams that work closely with Google on protecting Android and its users. We have the microprocessor manufacturers, Arm, Intel, Qualcomm, Broadcom and others, also with their security teams helping to protect Android. We have the worldwide open source Linux community contributing to Android security every day. We have the academic research community, which simply prefers working on open platforms. So this is a massive force multiplier in protection, and as the operating system matures, the power of open has really become evident, to the point where today the protective capabilities of Android are on par with any other mobile platform, and I strongly believe that the power of open will accelerate those protective capabilities for our users going forward.

The other really important philosophy that underlies our strategy is measurability. We always look for objective, independent measurements to help not only inform the work that we do, to ensure we're investing in the right direction, but also to measure progress. The example you see here is the incidence of malware, or potentially harmful applications, which we call PHAs, on devices. The bottom curve is devices that load only from Play, and the top curve is devices that load from sources other than Play, and you can see that over time it's been reducing across all users. So we are committed to protecting users regardless of where they get their applications from. This improvement is due to many things: it's locking down APIs and permissions over time, which we're constantly looking at, and it's investing in the malware detection engine itself. Today 60% of malware is detected through machine learning, and that's been one area of big investment for us. Over the past year we had a 50% reduction in PHAs on Play, and so we're really happy with the progress, but certainly we're not content with where we stand today. Although I will say that the odds of loading a PHA from Play are about the same as being struck by lightning, so it is a safe place to live your mobile life, but we're going to continue to invest tremendously in this area.

Another really important measurement is the overall ability of the operating system to protect itself against exploitation. In any complex product there are going to be bugs, but there's no reason why bugs have to lead to exploitation that harms users. So we've worked really hard on building features and improvements that make Android much more difficult and expensive to exploit. How do you measure how well you're doing? Well, lots of people want to purchase exploits; there's a market for that, and as exploits get more difficult, of course, by the law of supply and demand, the prices are going to go up. So we watch the pricing over time, and there are a number of different markets you can look at. On the left-hand side you see the device manufacturers' rewards programs. The green bars are Google's rewards programs, which are now paying out the highest rewards in the industry. Another market you can look at is the elite hacking contests like Mobile Pwn2Own, and you can see on the graph on the right the price of an exploit at the most recent event. You can see that the pricing for Android is on par with other platforms, and if you haven't seen the results, Android performed quite well in that event. Another market is the grey market: independent researchers and brokers who will sell exploits to the highest bidder. This market is a little bit harder to track, but we have connections to a lot of researchers out there, and again, anecdotally, what we're seeing is that the price of exploitation on Android is now as high as or higher than on any other platform. So this is really great. We're happy with the progress.

But we continue to invest in all these areas. Now I'll switch gears and talk about some of the new emerging features in Android P, starting with a feature called Android Protected Confirmation. So the problem here is that in today's secure mobility we use mobile devices for much more than we ever did before, but there's still a ceiling. We don't vote for prime minister or president from our phones. We don't program life-critical medical devices like an insulin pump from our phones. We don't have our passports built into our phones. It is our goal to break through that ceiling, and Android Protected Confirmation is a bold step in that direction. I'll talk about a few use cases: medical, financial and enterprise. But the key innovation here is that Protected Confirmation is the first time in any major operating system API that we have the ability to execute a high-assurance user transaction completely within secure hardware, running in a trusted execution environment, or TEE, that runs separate from the main operating system.

So how does it work? Say you're an application developer at a medical company that's developing a solution for people with diabetes, and so you're managing an insulin pump. You want to inject two insulin units into your insulin pump. The application will allow the user to select two insulin units and then call the Protected Confirmation API to transmit that data to the secure hardware area, where a completely independent trusted user interface will execute. The interface you see here on the screen shows the two insulin units; the user confirms it by pressing a button, and the input is guarded in the protected area. Then this entire transaction is signed using a cryptographic key that never leaves that secure area. This provides higher assurance to the relying party, whether it's the insulin pump or a financial service or an enterprise, that the integrity of this data was not corrupted. Even if you had root-level malware, it could not corrupt the integrity of that transaction. So in code it's really easy. You use the standard Android Keystore API to create a public key, and we have this new method to set the flag "confirmation required". We create the confirmation dialog using the confirmation dialog API, and control passes from the main Android OS to this trusted execution environment, where the user will then interact with that special screen. Really easy.

So we have a number of launch partners who have been working really closely with us on this technology. They've been building prototypes that they intend to turn into products in the future. Bigfoot Biomedical is a firm that works on solutions for people with diabetes. You can see here an app, the Bigfoot Biomedical app: the user is looking at the glucose level and deciding, I want to inject one and a half insulin units. They use the app to select that, and it then calls the API to invoke the new user interface that you see there. The user confirms, and then and only then will the insulin pump administer that dose. Outside the medical side, we have Royal Bank of Canada, RBC, which is working to integrate Protected Confirmation into their application. I don't have a video for this one, but you can track left to right. This application is making a person-to-person transfer. We see we're going to send $1,500 to Ravi. The application invokes the Protected Confirmation API, which is in the middle. The user confirms $1,500, so $1,500 can't be changed to $15,000. The relying party on the other end has high confidence that indeed we intended to send Ravi $1,500, and the transaction goes through. Duo Security is a firm that's working on strong enterprise authentication. Imagine you're logging into your Chromebook, into your G Suite application, and it launches a second-factor authentication to your phone. You see the request come in on the left; the Duo Security application comes up and asks for confirmation, but then there's this second level of confirmation using the Protected Confirmation API that provides, again, a higher level of assurance for the enterprise that it is the device and user and location that's expected for that authentication. So there are a lot of other launch partners we've worked closely with on this. Insulet Corporation is also integrating their application for control of diabetes products, another partner is doing proximity-based authentication, and Nok Nok Labs is in the enterprise authentication space as well. I'd also like to give a shout-out to Qualcomm. We've been working really closely with Qualcomm to integrate the Protected Confirmation API into the next generation of Qualcomm chipsets, because Protected Confirmation requires deep integration at the hardware level. It is optional for P, and so it requires a supported Android P device. We're breaking through that last ceiling of assurance in mobility, so it's very exciting. There's a lot more to talk about, and so I'd like to now call up Xiaowen to take us through the rest.

Thanks, Dave. Good morning, everyone. I'm really excited to be here to talk about a lot more of the security and privacy features that we built into Android P. So as Dave mentioned, secure hardware is a huge focus area for us, because it can provide defenses against attacks that software alone is simply not sufficient to handle. Protected Confirmation is one hardware feature, and another feature that we made available in Android P leverages secure hardware to provide stronger protection for private keys.

So why do we need stronger protection for private keys? Google Pay Transit is a great example here. We're working closely with them on this feature, and they're going to launch with it later this year. Consider the security goal in the traditional transit use case. They need to make sure that your transit card, and only your transit card, can be used to pay for your bus ride. So your transit card has your account information, and there are a lot of secrets in there that represent your account. Now, transit cards are typically made using a secure element inside, so it's very hard to break into it, extract secrets out of it and duplicate that card. Google Pay Transit is now working to replace that transit card with your phone, and so we need to make sure that we provide the same security guarantees, which is that your secrets cannot be extracted out of your phone and put onto another phone. So in order to pay for your bus ride, you must possess your phone. The typical solution here is to use secure hardware. Now, Google Pay Transit is one example of an in-person payment transaction. In all of these use cases, you want to make sure that your phone, and only your phone, can make that transaction. There are quite a few other examples where we benefit from stronger protection for private keys. For example, if you have high-value cloud data, if you're an enterprise, or if you are a financial institution, you want to make sure that all requests, all data access, are coming from a known phone, a phone that you trust, and a phone is identified by a private key. But also if you have high-value local data, let's say you're a password manager storing passwords locally on disk, you may want to encrypt it again with a private key that's well protected.

How do we provide stronger protection of private keys? Traditionally, secure elements, such as those built into smart cards, credit cards and security keys, are the gold standard for hardware security. They're built to exacting standards and certified by professional labs to be resistant to hardware tampering. Phones are now starting to incorporate that exact hardware directly into the phone, so that your phone can replace your transit card, replace your credit card, and replace your security key. In Android P, we're exposing APIs so that all applications on Android can take advantage of this type of tamper-resistant hardware on compatible devices, specifically by adding a new type of keystore called StrongBox. StrongBox is built using tamper-resistant hardware, like a secure element, that has its own CPU, RAM and storage. This is pretty important because it makes it resistant to the shared-resource attacks that we've heard about recently, such as side-channel attacks like timing attacks, as well as physical attacks like attacks on the power line.

So when we look at the keystore types that are available on Android, there are now three types of keystore. On older Android devices, keystore was typically implemented using the Android operating system directly. With Android Nougat and above, keystore was implemented using the TEE, the trusted execution environment, and now with Android P we're providing a new keystore called StrongBox that can run alongside, together with, the existing keystore in the TEE. StrongBox is resistant to the widest variety of attacks, and it's really well suited if you have a use case that requires strong protection for your private keys. With Android P, using StrongBox is fairly straightforward: when you create your key or key pair, set a new flag to request that the key be backed by StrongBox. If a device supports StrongBox, then everything succeeds and goes well; if a device does not support it, you'll get a StrongBoxUnavailableException.

So to summarize, StrongBox is implemented using tamper-resistant hardware like secure elements. Secure elements are the gold standard for hardware security, and this is the first time that we're offering a generic API to access this type of secure hardware for key management. This feature, as well as the Protected Confirmation API, is really pushing the boundary for secure hardware support on mobile. I'm really excited about the use cases that this enables. So protecting the keys is one thing apps need to do. Another thing apps often need to do

is to make sure that the right user is present. When you look at a typical Android device, especially one that's up to date and fully patched, the most likely security incident that happens to that device is not malware but rather getting lost or stolen, and so a lock screen is very important for Android. Make sure you set a lock screen, and also, as an app developer, make sure that you gate sensitive access on user presence, on user authentication. So in Android P, we added a few different features to help developers do that, starting with keyguard-bound keys. Keyguard-bound keys are keystore keys that are well suited for protecting very sensitive data that you store directly on the device. Like the name implies, keyguard-bound keys have their functionality attached to the keyguard, which is the lock screen on Android. And so these keys can be used to encrypt data at any time and can be used to decrypt data only when the device is unlocked. So the life cycle of these keys is tied to the life cycle of the lock screen. For example, if you have very sensitive or confidential enterprise data, or very private health and fitness data, you might want to encrypt it with a keyguard-bound key before you store it, so that if the device does get lost or stolen, as long as there's a lock screen on that device, it's now a little bit harder for an attacker to access that sensitive data. Using keyguard-bound keys is also fairly straightforward. When you create your key or key pair, set a flag to require that the device be unlocked to use it for decryption. When you create your Cipher object, you can create it for encryption at any time, and you can create it for decryption only when the device is unlocked. So fairly straightforward, fairly simple.

Now, what if your device has been properly unlocked but you want to check for user authentication one more time, let's say before a very sensitive action like a payment happens? This is where BiometricPrompt comes in. BiometricPrompt is a replacement for FingerprintManager. Many apps today are using FingerprintManager to re-authenticate the user using fingerprints one more time. Now, FingerprintManager had a few limitations. One is that it only works for fingerprint. A lot of devices today are starting to support face, iris and other biometric modalities, and so we do support more than just fingerprint. We support several different modalities, and it will automatically pick the right modality for that user and for that device. Another benefit of BiometricPrompt is that it uses standard system UI, which is really nice from a user experience perspective, to show the user a standard UI when they're making a security-relevant decision. Also, it sets us up well for future advances in sensor technology. When you have, for example, an in-display fingerprint sensor, it's much easier for the OEM to customize this UI to tell the user exactly where to put their finger. Let's look at before and after: how to create a BiometricPrompt. We know that BiometricPrompt is quite a bit different from FingerprintManager, and so to ease the pain of migration we're also providing a support library, and so apps will be able to call the one API in that support library, and that will use BiometricPrompt on Android P devices and fall back gracefully to FingerprintManager on older devices. To use BiometricPrompt, create the Builder object and pass it the title and subtitle and these kinds of properties, then call the authenticate method on the prompt to show the authentication interface. We do recommend that you pass in the CryptoObject, because that's how you tie a successful authentication attempt to a subsequent cryptographic operation.

All right. So BiometricPrompt works really well when a user is trying to authenticate to your native Android app. Now, what if a user is actually going to a website in Chrome? How do you authenticate them there? This is where WebAuthn comes in. Later this year, Chrome on Android will support WebAuthn, which means if the user is going to a website they can now use their lock screen or their biometrics to authenticate to your website. And I think this is very useful, because if you like to buy things on the web, PayPal actually has a demo running where you can use your fingerprint to authenticate to PayPal and use that to make your purchase. So that's a lot more convenient than typing in your password every time you go to PayPal to make a purchase on the web.

So to summarize the several different methods that we talked about to gate access based on authentication: first, with keyguard-bound keys, you can tie data access to the life cycle of the lock screen. If a user has already unlocked the device and you want to re-authenticate the user, then you can use BiometricPrompt to show system UI to prompt for a biometric. And finally, if a user is going to your website instead of your native app, you can use WebAuthn to authenticate the user with fingerprints in Chrome on Android.

Okay. Now that you've determined it's the right user, let's switch gears one more time to talk about integrity. A lot of apps really need to ensure the integrity of their data as well as the integrity of the device that they're running on. So how do we do this? In Android P, to help you protect the integrity of your data in transit, we're going to require TLS by default for all new apps that target the P API level. If the app sends data in the clear, it will see an exception. Now, this should be a no-brainer for apps today, because it protects the privacy of your users, and it also protects your content from being modified in transit, whether it's injection of unwanted tracking identifiers or specially formatted data to exploit a weakness in your app. So you should always encrypt. Now, if you're connecting to a legacy website that has not migrated to TLS yet, then you can still opt out for specific domains by updating your network security config. So do visit the website on the slide to learn more about customizing TLS enforcement for your app.

Now, before you run out to change your code, we have one more piece of good news for a lot of you who care about cryptographic compliance, because it's really important in regulated industries and in government. So we're really happy that BoringSSL, which is used to secure SSL traffic on Android, recently received CAVP certificates from NIST for many FIPS-approved algorithms. And so this means that developers talking to regulated industries now basically have automatic FIPS compliance. So we're very excited about that.

All right. So another topic in the integrity section that developers often care about is: how do I make sure that the device itself has not been tampered with, that the device itself is still healthy? In Android O we introduced a feature called key attestation, and it's been updated in Android P. Key attestation allows you to get a signed statement directly from the hardware itself, from StrongBox or from the TEE, about the state of the device and about the properties of your private keys. So, for example, key attestation can tell you whether the device passed verified boot, what its security patch level is, and whether your private keys are protected by the TEE or StrongBox. Another thing that key attestation will return to you on compatible devices on Android P is the firmware hash that the device is running. So this is the digest of the operating system that you're running at this time. Think of this as transparency-enabled verified boot. What this means is that if you're running a firmware digest that's the same as that of a known good version, then you're actually running a bit-for-bit identical version of the operating system as that known good version. So that's a really powerful thing to know about what you're running, and it's really important for tightly controlled environments like enterprises to know that the operating system that you're running is an exact copy of a known good version. For users of the SafetyNet Attestation API, the implementation of that will call the platform key attestation API under the hood, so you will be able to take advantage of this without any changes to your code. If you want more information than what was returned by SafetyNet, you can still call the key attestation API directly.

Now, last but not least, privacy. Privacy is an important area of security. We actually talked about privacy quite a bit already when we talked about, for example, the TLS by default feature. But there are a few other privacy features in Android P that we want to cover now. First, this is probably one of my favorite features: sensor access only in the foreground. In Android P, running on an Android P device, regardless of your API level, if your app is in the background and idle, you will no longer be able to access the camera, microphone or sensors. This behavior now is slightly different based on the exact characteristics of the API that you're targeting. So for example, with the microphone API, you will get silence when you try to access the microphone from the background and idle. With the camera API, it'll behave as if you were preempted by a higher-priority client. With sensors, it depends on whether the sensor returns state continuously or via a callback. The bottom line is that if your app is in the background and idle, you can no longer access user data from sensors. Now, if you need to access the camera or microphone in the background, use a foreground service with a persistent, user-visible notification. That gives users a lot more control and more transparency, and they can see which apps have access to their sensors at that time. To start a foreground service, create a persistent notification first, and then call the startForeground method and pass in that notification.

All right. Besides restricting background access to sensors, we've also added a lot more user control over your data. So Android is the first major operating system to have DNS over TLS support built right in, and so your DNS queries will be redirected to a trusted resolver of your choice. That means that third parties on the web can no longer monitor or manipulate your DNS traffic. Now, if your default resolver already supports it, then we will automatically encrypt your DNS traffic. We did this in collaboration with Alphabet's Jigsaw team, who are working on many other initiatives in this area, and so we're really looking forward to any new developments here.

Another cool feature that we added in Android P in the privacy space is lockdown mode. Lockdown mode is useful if you're in a situation where you may temporarily lose access to your device, let's say you need to hand it over for inspection at a security checkpoint. So at that time you can put your device into lockdown mode, which puts it in a state where only your knowledge factor, your PIN, pattern or password, can be used to unlock the device. And so your fingerprint and other biometrics will be disabled, your Smart Lock will be disabled, and notifications will no longer show on the lock screen. So you will have much higher assurance about the state of the lock screen, the security of the lock screen, while the device is temporarily out of sight.

So that was a quick overview of the features that are coming with Android P. There's a lot more that we didn't have time to cover. So please do give us your feedback through the schedule at google.com and send us email. Thank you for coming and have a great day.
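The StrongBox and keyguard-bound key features Xiaowen describes above, as an added example that is not code from the talk or from Google: an AES-GCM key that is requested StrongBox-backed and falls back to the TEE keystore on StrongBoxUnavailableException, and that can encrypt at any time but decrypt only while the device is unlocked. The key alias, the blob layout (IV || ciphertext || tag) and the choice to report a refused decryption as null are this example's own assumptions; it requires API level 28 (Android P).

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.ProviderException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Keyguard-bound AES-GCM key, StrongBox if the device has it, TEE otherwise. */
public final class KeyguardBoundVault {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "vault_aes_gcm";   // arbitrary alias for this example
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;

    /** Creates the key. Returns true if StrongBox backs it, false after falling back to the TEE. */
    public static boolean createKey() throws GeneralSecurityException {
        try {
            generate(true);
            return true;
        } catch (StrongBoxUnavailableException e) {
            // No secure-element keystore on this device: same key policy in the TEE keystore.
            generate(false);
            return false;
        }
    }

    private static void generate(boolean strongBox) throws GeneralSecurityException {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUnlockedDeviceRequired(true)   // keyguard-bound: usable for decryption only while unlocked
            .setIsStrongBoxBacked(strongBox)   // P flag: ask for the tamper-resistant keystore
            .build();
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(spec);
        kg.generateKey();   // StrongBoxUnavailableException surfaces here when unsupported
    }

    private static SecretKey key() throws GeneralSecurityException {
        try {
            KeyStore ks = KeyStore.getInstance(KEYSTORE);
            ks.load(null);
            return (SecretKey) ks.getKey(ALIAS, null);
        } catch (java.io.IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /** Encrypts locked or unlocked. Output layout: IV (12 bytes) || ciphertext || GCM tag. */
    public static byte[] encrypt(byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key());   // the keystore picks a fresh random IV
        byte[] ct = c.doFinal(plaintext);
        byte[] iv = c.getIV();
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    /** Decrypts only while unlocked. Returns null when the keystore refuses because the
     *  keyguard is engaged; a tampered blob still fails loudly with AEADBadTagException. */
    public static byte[] decrypt(byte[] blob) throws GeneralSecurityException {
        ByteBuffer bb = ByteBuffer.wrap(blob);
        byte[] iv = new byte[IV_BYTES];
        bb.get(iv);
        byte[] ct = new byte[bb.remaining()];
        bb.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, iv));
        } catch (InvalidKeyException | ProviderException e) {
            // Locked device: AndroidKeyStore rejects starting the operation (assumed mapping).
            return null;
        }
        return c.doFinal(ct);
    }
}
```

Call createKey() once at install time and persist whether StrongBox was available if your threat model treats the two backings differently; the same key policy applies either way. Because decrypt() swallows only the "device locked" refusal and lets authentication-tag failures propagate, a caller cannot mistake a tampered blob for a locked phone.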
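The two user-presence mechanisms from the talk, BiometricPrompt with a CryptoObject and Android Protected Confirmation, as one added example serving both passages; it is not code from the talk, from Google or from any of the partners named. One helper generates a P-256 signing key gated either by per-use biometric authentication or by a confirmation token; the biometric path signs a transaction only with the Signature the prompt unlocked, and the confirmation path signs only the exact bytes the user approved in the TEE-rendered UI. Key aliases, prompt strings and the Consumer-based result delivery are this example's assumptions; API level 28 required, and Protected Confirmation additionally needs a device whose hardware supports it.

```java
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.concurrent.Executor;
import java.util.function.Consumer;

/** Transaction signing gated on the user: fresh biometric, or trusted-UI confirmation. */
public final class UserBoundSigner {
    private static final String KEYSTORE = "AndroidKeyStore";
    public static final String AUTH_KEY = "txn_biometric_key";       // arbitrary alias (example)
    public static final String CONFIRM_KEY = "txn_confirmation_key"; // arbitrary alias (example)

    /** P-256 signing key. requireConfirmation=true binds it to Protected Confirmation;
     *  otherwise every signature needs its own user authentication (default validity -1),
     *  which is what lets BiometricPrompt's CryptoObject authorize the operation. */
    public static void generateSigningKey(String alias, boolean requireConfirmation) throws Exception {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256);
        if (requireConfirmation) {
            b.setUserConfirmationRequired(true);   // the "confirmation required" flag from the talk
        } else {
            b.setUserAuthenticationRequired(true); // per-operation auth, no timeout window
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        kpg.initialize(b.build());
        kpg.generateKeyPair();
    }

    private static Signature newSignature(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign((PrivateKey) ks.getKey(alias, null));
        return s;
    }

    /** Re-authenticates with system biometric UI, then signs txn with the unlocked Signature. */
    public static void signAfterBiometric(Context ctx, Executor ex, byte[] txn,
                                          Consumer<byte[]> onSigned) throws Exception {
        Signature sig = newSignature(AUTH_KEY);   // operation starts here, awaiting an auth token
        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
            .setTitle("Confirm payment")
            .setSubtitle(new String(txn, StandardCharsets.UTF_8))
            .setNegativeButton("Cancel", ex, (dialog, which) -> onSigned.accept(null))
            .build();
        prompt.authenticate(new BiometricPrompt.CryptoObject(sig), new CancellationSignal(), ex,
            new BiometricPrompt.AuthenticationCallback() {
                @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                    try {
                        // Sign with the Signature from the result: that is the one the auth authorized.
                        Signature s = r.getCryptoObject().getSignature();
                        s.update(txn);
                        onSigned.accept(s.sign());
                    } catch (Exception e) {
                        onSigned.accept(null);
                    }
                }
                @Override public void onAuthenticationError(int code, CharSequence msg) {
                    onSigned.accept(null);
                }
            });
    }

    /** Shows text in the trusted UI; the key signs exactly the bytes the user approved. */
    public static void signAfterConfirmation(Context ctx, Executor ex, String text, byte[] extra,
                                             Consumer<byte[]> onSigned) throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) {   // optional hardware feature on P devices
            onSigned.accept(null);
            return;
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
            .setPromptText(text)     // e.g. "Send $1,500 to Ravi"
            .setExtraData(extra)     // relying-party nonce, bound into the confirmed blob
            .build();
        prompt.presentPrompt(ex, new ConfirmationCallback() {
            @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    // CBOR blob (prompt text + extra data) emitted by the TEE; signing other bytes fails.
                    Signature s = newSignature(CONFIRM_KEY);
                    s.update(dataThatWasConfirmed);
                    onSigned.accept(s.sign());
                } catch (Exception e) {
                    onSigned.accept(null);
                }
            }
            @Override public void onDismissed() { onSigned.accept(null); }
            @Override public void onCanceled() { onSigned.accept(null); }
            @Override public void onError(Throwable e) { onSigned.accept(null); }
        });
    }
}
```

The relying party verifies the signature with the key's attestation-backed public key and, for the confirmation path, parses dataThatWasConfirmed to check that the prompt text and its own nonce are what it expects, so that $1,500 approved on the trusted UI cannot later be presented as $15,000.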
