What's New In Android 15 Security

Transcript

1. Droidcon London 2024 What's new in Android Security? Scott Alexander-Bown

   Lloyds Banking Group @scottyab scottyab.com

2. Past Today

3. Is my app e ff ected? • All Apps •

   Targeting 14+ • Targeting 15+ • Targeting 15+ (not enforced)

4. Agenda • Recap of the key security changes from Android

   14 • What's new in Android 15 for all apps • Private Space • New Mitigation for Task Hijacking • Safer Intents • Further Foreground Service Restrictions • Privacy Sandbox Updates

5. Recap

6. New minimum installable target API level All apps • Apps

   with targetSdkVersion 22 or below cannot be installed • Must target 23 (aka Android 6 or M) • Installed apps are ok when upgrading to Android 14 • adb install - - bypass-low-target-sdk-block APK_FILE.apk ⚠ Spoiler: Further bumped in Android 15

7. Updated Non-SDK interface restrictions Targeting 14+ • A potential issue

   if accessing hidden methods/ fi elds (i.e Re fl ection) • Testing • Logcat on Debuggable apps • StrictMode.detectNonSdkApiUsage() • Veridex static analysis tool • Google Play console ⚠ Spoiler: Further bumped in Android 15 More info https://developer.android.com/guide/app-compatibility/restrictions-non-sdk-interfaces#test-for-non-sdk

8. Restrictions to implicit intents Targeting 14+ • Implicit intents are

   only delivered to exported components • includes internal intents

9. Restrictions to implicit intents Targeting 14+ • To keep the

   components not exported make the intent explicit by de fi ning the package. context.sendBroadcast( Intent(“com.myapp.INTERNAL_ACTION”).apply { `package` = context.packageName })

10. Runtime-registered broadcasts receivers Targeting 14+ • Must specify export behaviour

    ContextCompat.registerReceiver(context, / * receiver = */ MyReceiver(), / * filter = * / IntentFilter().apply{ addAction(“com.myapp.MY_ACTION”)}, / * flags = */ ContextCompat.RECEIVER_NOT_EXPORTED) ) • Exception: registering for only system broadcasts then the fl ag isn’t needed

11. Vulnerability mitigation Targeting 14+ • Safer dynamic code loading •

    All dynamically-loaded fi les must be marked as read-only • Recommended to delete and redownload existing fi les • Zip fi le fi x to prevent path traversal vulnerability • ZipException if zip fi le entry names contain ".." or start with “/". • Can opt out with dalvik.system.ZipPathValidator.clearCallback()

12. What’s new?

13. New minimum installable target API level All apps • Apps

    with targetSdkVersion 23 or below cannot be installed • Must target 24+ (aka Android 7 or N) • Installed apps are ok when upgrading to Android 15 • adb install -- bypass-low-target-sdk-block APK_FILE.apk

14. Updated Non-SDK interface restrictions Targeting 15+ • A potential issue

    if accessing hidden methods/ fi elds (i.e Re fl ection) • Testing • Logcat on Debuggable apps • StrictMode.detectNonSdkApiUsage() • Veridex static analysis tool • Google Play console More info https://developer.android.com/guide/app-compatibility/restrictions-non-sdk-interfaces#test-for-non-sdk

15. Private Space

16. What is Private Space? All apps • Similar to Work

    Pro fi le (i.e di ff erent Linux user) • Only supported for main user (not secondary/guest/managed) • Can use same or di ff erent pin code to open private space • Cannot move existing app/data - install only More info https://developer.android.com/about/versions/15/behavior-changes-all#private-space-changes

17. Installing apps into Private Space All Apps • adb shell

    dumpsys user | grep "Private space" • UserInfo{10:Private space:1010} serialNo=123 isPrimary=false parentId=0 • adb install -- user 10 my_app_to_install_to_private_space.apk Credit René Mayrhofer https://www.mayrhofer.eu.org/post/android-private-space-apps/
18. None

19. Restrictions for apps in Private Space (always) ❌ Receive content

    over Bluetooth from private space apps • Can send content over Bluetooth ❌ Add Widgets / Shortcuts • When sharing content or Photopicker if private space is unlocked, you’ll fi nd a “Private” tab on sharing apps • Bypass virtual private network (VPN) All apps
20. None
21. None
22. None

23. Given: Your app is running in private space When: The

    user locks the private space Then: all apps in the private space are stopped

24. Restrictions for apps in Private Space (locked) ❌ Foreground services

    ❌ Background activities ❌ Show noti fi cations ❌ Access to sensors All apps

25. More info https://gist.github.com/scottyab/865a98618a781bc40fc4eabb06ceedab

26. Task H ij acking mitigation

27. Vulnerable patterns • Pop up ads - e ff ectively

    a DoS as you can be forces to watch/click ad before allow to exit. • Full/partial tap jacking • Same task modal or full screen phishing (impersonate recently used app)

28. Taskjacking mitigation Targeting 15+ • Block apps that don't match

    the top UID on the stack from launching activities • Opt out whole app • <application android:allowCrossUidActivitySwitchFromBelow="false" > • Speci fi c shared activities • Activity.setAllowCrossUidActivitySwitchFromBelow(true)

29. Safer Intents

30. Intents must have actions Targeting 15+ (not enforced) // From

    external app val intent = Intent().apply { setClassName("com.scottyab.whatsnew", "com.scottyab.whatsnew.PublicActivity") } val intent = Intent("com.scottyab.app.PUBLIC_ACTION").apply { setClassName("com.scottyab.whatsnew", "com.scottyab.whatsnew.PublicActivity") } startActivity(intent)

31. Match target intent- fi lters Targeting 15+ (not enforced) //

    From external app val intent = Intent(“com.scottyab.PRIVATE_ACTION").apply { setClassName("com.scottyab.whatsnew", "com.scottyab.PublicReciever") } context.sendBroadcast(intent)

32. Vulnerable pattern class PublicReceiver : BroadcastReceiver() { private val handler

    = BroadcastMessageHandler() / / DI inject override fun onReceive(context: Context?, intent: Intent?) { handler.handle(action = action, intent = intent) } class BroadcastMessageHandler { fun handle(action: String, intent: Intent) { when(action) { ACTION_PUBLIC_BROADCAST - > executePublicThing() ACTION_PRIVATE_BROADCAST - > executePrivateThing() ⚠ Don’t copy/paste this ⚠

33. Defensive BroadcastReceiver Targeting 15+ (not enforced) class ScottReceiver : BroadcastReceiver()

    { private val handler = BroadcastMessageHandler() // DI inject override fun onReceive(context: Context?, intent: Intent?) { if (intent ? . action == MY_ACTION) { handler.handle(action = intent ?. action, intent = intent) } else { Timber.d("Unsupported action: $intent ?. action") } const val MY_ACTION = "com.scottyab.SCOTT_ACTION"

34. Safer Intents Targeting 15+ (not enforced) StrictMode.setVmPolicy(VmPolicy.Builder() .detectUnsafeIntentLaunch() .build() )

35. Foreground Service Restrictions

36. BOOT_COMPLETED broadcast receivers Targeting 15+ • Are no longer allowed

    to launch Foreground services for the following service types: • dataSync • camera • mediaPlayback • phoneCall • mediaProjection • microphone (since Android 14)

37. Narrower exemptions for app’s with SYSTEM_ALERT_WINDOW Targeting 15+ • SYSTEM_ALERT_WINDOW

    permission = launch a foreground service even if in the background. • Now must also have a visible overlay window • View.getWindowVisibility() • View.onWindowVisibilityChanged() • Otherwise ForegroundServiceStartNotAllowedException

38. Updated: Jetpack androidx.credentials All Apps + androidx.credentials:1.5.0-alpha01+ ⚠ View only

    ATM :(

39. Privacy Sandbox Beta

40. What is Privacy Sandbox? • Keep ad based apps viable

    but protect user privacy. • Web and Android • Alternative to Cookies and Advertising Id

41. Typical setup • Shared Process • Shared Memory • Shared

    Permissions Your App Your App SDK SDK

42. Privacy Sandbox Privacy Sandbox: Decoupled/Segregated Your App SDK B (Interface)

    SDK B SDK A (Interface) SDK A

43. What’s new? • Not production ready yet • Requires adb

    to enable/con fi g • Updates to the existing 3 core APIs • Topics API (interested/topics from the device) • Fledge remarketing custom audiences • Measuring ads
44. None

45. Key take aways

46. Key take aways • Target Android 7 or above otherwise

    you cannot be installed on Android 15 • Automate checking for non-SDK interface changes • Private space • Allows users to install another instance of your app on same device • Not suitable for any app that needs to run in the background • App’s cannot opt-out • More restrictions for Implicit Intents prefer being Explicit 😉

47. Thanks! Droidcon London 2024 What's new in Android Security? Scott

    Alexander-Bown Lloyds Banking Group @scottyab scottyab.com