Security updates in Android N

Lucian Armasu has a story in Tom’s Hardware about Android N security changes, summarizing a presentation from Adrian Ludwig of Android at the recent Google I/O event. The story has a link to the Google I/O video, as well. Outline of Lucian’s story:

Hardware-Backed Keystore (Now Mandatory)
Fingerprint And Smart Lock Authentication
Secure Networking
Storage Encryption
Strictly Enforced Verified Boot
Checking Device Health
Sandboxing
Other System Restrictions & Improvements

“[…] Ludwig said that a major security feature of Android these days is the hardware-backed ‘keystore’, which is available in the vast majority of Android devices thanks to various implementations of ARM’s TrustZone. Although TrustZone has been mainly implemented by chip makers and OEMs to enable stricter DRM protection, Google started making it available to application developers in the past few years. […]”

“[…] If in Android M the phone would warn the user only that the boot was modified by unknown code, in version N the device will not boot if the boot process has been maliciously modified. Google also introduced bit-level error correction in the verified boot feature, which can erase changes that would, for instance, keep a device rooted after it’s been rooted. […]”

Full story:
http://www.tomshardware.com/news/google-android-n-security-improvements,31846.html

Android Security: Q3 Quarterly Update

Adrian Ludwig of Google posted a message to the android-security-discuss mailing list with a quarterly summary of security events. I’m not going to bother excerpting this; I’m just going to post the entire message body:

TL;DR I’m going to start sending out a quarterly summary of the major events going on in Android Security. Wow, did I pick a doozy of a quarter to start doing this.

Below, I’ve compiled my top 10 Android security events and activities from Q3, 2015. The last 3 months have been amazing — any one of these might have been the most important item for Android Security during most quarters. But all of this really did happen in just the last three months.

1. Monthly updates – Announced Nexus support policy with monthly security updates for Nexus <http://officialandroid.blogspot.com/2015/08/an-update-to-nexus-devices.html>. Pushed Samsung <http://www.androidcentral.com/samsung-plans-offer-new-security-updates-every-month-its-android-devices> and LG <http://www.engadget.com/2015/08/07/lg-stagefright-monthly-security-updates/> to make similar announcements (albeit still not realized). Shipped three updates <https://developers.google.com/android/nexus/images> to Nexus, GPE, Android One and published the corresponding security bulletins <https://groups.google.com/forum/#!forum/android-security-updates>. We also expanded to Kirkland team and began to grow the team to handle our increasing incident response needs <http://go/android-vulns-dashboard>.

2. Unprecedented partner engagement in security – Executive meetings on security with all major US carriers and top 5 OEMs. Worked with APE / TAM / BD to build program for Ecosystem-wide Monthly Security updates <http://go/manic-monday-pitch>, rolled out our security program to all carriers, OEMs, and began to track rollouts <https://dashboards.corp.google.com/#/google::_45984543_fda2_458b_9a8a_3fe0c1130981> of security patches to devices. Here are highlights from a recent program review <https://docs.google.com/presentation/d/1c6xYbGkcIlHD-RPsv00U4vTMrzl4_CuOd-eJrU6Lf4M/edit#slide=id.g702e6832b_0_0>.

3. Stagefright. Stagefright Code Yellow <http://go/stagefright-cy-track>. Media Server Bugs and Hackathon <https://docs.google.com/document/d/1icuQabxBlBBfjjP967YMLliIdSSm798BO20xdYA8q9Y/edit#heading=h.enzv5yxtjeu3>. Also, thanks to aarya@ of Chrome Security for driving that continued expansion of fuzzing efforts <https://docs.google.com/a/google.com/presentation/d/1docwgWwqZL0wEO5R0U5oRyMdnUhg9a3HMhmb-e5vyTM/edit?usp=drive_web>.

4. Android M Security Enhancements <https://docs.google.com/presentation/d/1JfRZ5P-HmuaKJvN3SgZmXWhfoC3sirr8OVtDXPRBQZk/edit#slide=id.gaf51a6178_1_132> - I can’t believe this is #4. We shipped Verified Boot. Monthly Patch String. SELinux IOCTL filtering. UsesClearTextTraffic. SELinux User separation. The broader Android team also shipped a major overhaul of permissions, fingerprint API, adoption of SD cards, protection for USB connections, and more.

5. Results from Android Security Rewards Program <https://www.google.com/about/appsecurity/android-rewards/> – Android Security Rewards launched on June 16 <https://googleonlinesecurity.blogspot.com/2015/06/announcing-security-rewards-for-android.html> and by October 1, we’ve paid out over $100,000 for over 60 issues.

6. Massive Increase in Public Outreach — aludwig @ Blackhat (slides <https://docs.google.com/presentation/d/1U35ilLs3ca8AHNYXKZgl14VjS5Q-RSx3GNVQqCGQWkQ/edit>, press), jeffv@ about ioctl filter <https://docs.google.com/a/google.com/presentation/d/1_meUW-MtHdCQC2YuWnrtJ7W6WXh7CTxfHz_N0TksRY4/edit?usp=drive_web> at Linux Security Summit, paullawrence@ and mhalcrow@ about encryption <https://docs.google.com/a/google.com/presentation/d/1xD2Vs5hHkY8GZB4Y72QAxsPf5sraAAQmse_3IAS2UA4/edit?usp=drive_web> at Linux Security Summit, nnk@ Android Security Symposium in Vienna (slides <https://docs.google.com/a/google.com/presentation/d/1-BWUaMldBoTzd0Vx9BnjWFP69E3xF1Hk-52s2dFcioo/edit?usp=drive_web>), sporst@ on Russian Malware cleanup at Virus Bulletin (slides <https://docs.google.com/presentation/d/1CrqdAm7WKAXsMja1VHVXEVGbg1vUzvoyhC5qCrqiqsY/edit>, video, press <http://qz.com/514720/google-just-revealed-its-android-security-team-detected-and-defeated-a-steep-rise-in-mobile-banking-fraud-in-russia/>), cbrubaker@ on NoGotofail at University of Utah (slides <https://docs.google.com/a/google.com/presentation/d/12uJxPosU_dI-X4XUQZO2BwPXWl406ny-pGWN3xFC3JI/edit?usp=sharing>), smel@ spoke at Johns Hopkins (slides <https://docs.google.com/presentation/d/1dJWxs7GNUTSABYu08Yt-2eQXDaWBnTFA3DYIDGM1WDk/edit#slide=id.gca06805cf_17_22>)

7. Operational Focus on Malware in Play – Monthly reviews of top PHA installs (July <https://docs.google.com/a/google.com/document/d/1vwTMvOwL4I08GrB9dyLC7ex9fg2ydeqLEg3UBh3XuT4/edit?usp=sharing>, August <https://docs.google.com/document/d/197_ELrS8zhZhGxglF2aSaQq2P_0YBdDhkrlgDG5m_x4/edit>, September <https://docs.google.com/document/d/1lcKEIc3JySPryR2YhlNmNdgquitfQWF9qO-aIaHUCRc/edit?ts=5612e47f>) have helped drive our goal of less than 1 million installs being a PHA. (currently, the number is ~500 per million <http://go/phastats>)

8. Scale up of SafetyNet Attestation (including launch of Android Pay). See recent Program Review <https://docs.google.com/presentation/d/1SHeAt7bQX_OAoe99lwfn5IP9SSKyed7WJOWM-_B9v18/edit> for more details.

9. Greenhat <http://go/greenhat> – 2 day, google-wide summit with the best of Android Security. All the content and recordings have been stored here <https://drive.google.com/a/google.com/folderview?id=0B47yL4yVz8b3flhxSkRiemUyQ1dHRDFZblloYm9hZ3doWmJOQzFDTHAwa1RFekdRVExEVXM&usp=sharing>.

10. Last, but not least: Stinknet <http://go/stinknet>. Publicly known as Ghost Push <http://venturebeat.com/2015/09/18/cheetah-mobile-ghost-push-android-virus-infects-600k-users-a-day-with-unwanted-apps/>, (mostly) outside of Google Play we’re currently battling the largest coordinated rooting malware attack we’ve seen against Android. (We’re slowly winning <http://go/stink>, but this will likely be a highlight again next quarter.)

Anyhow, those are just a few of the big things we’ve been up to recently.

http://groups.google.com/group/android-security-discuss.

Google revises Nexus update policy

Last week, Adrian Ludwig (Lead Engineer for Android Security) and Venkat Rapaka (Director of Nexus Product Management) posted a blog entry on the Official Android blog, announcing a change to the Nexus update policy:

“Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.”

Nexus aside, I hope other carriers also have clear policies about updates.

Read the full announcement here:
http://officialandroid.blogspot.com/2015/08/an-update-to-nexus-devices.html?m=1