$30 off During Our Annual Pro Sale. View Details »

What's New In Android 15 Security

What's New In Android 15 Security

Scott Alexander-Bown

November 16, 2024
Tweet

More Decks by Scott Alexander-Bown

Other Decks in Technology

Transcript

  1. Is my app e ff ected? • All Apps •

    Targeting 14+ • Targeting 15+ • Targeting 15+ (not enforced)
  2. Agenda • Recap of the key security changes from Android

    14 • What's new in Android 15 for all apps • Private Space • New Mitigation for Task Hijacking • Safer Intents • Further Foreground Service Restrictions • Privacy Sandbox Updates
  3. New minimum installable target API level All apps • Apps

    with targetSdkVersion 22 or below cannot be installed • Must target 23 (aka Android 6 or M) • Installed apps are ok when upgrading to Android 14 • adb install - - bypass-low-target-sdk-block APK_FILE.apk ⚠ Spoiler: Further bumped in Android 15
  4. Updated Non-SDK interface restrictions Targeting 14+ • A potential issue

    if accessing hidden methods/ fi elds (i.e Re fl ection) • Testing • Logcat on Debuggable apps • StrictMode.detectNonSdkApiUsage() • Veridex static analysis tool • Google Play console ⚠ Spoiler: Further bumped in Android 15 More info https://developer.android.com/guide/app-compatibility/restrictions-non-sdk-interfaces#test-for-non-sdk
  5. Restrictions to implicit intents Targeting 14+ • Implicit intents are

    only delivered to exported components • includes internal intents
  6. Restrictions to implicit intents Targeting 14+ • To keep the

    components not exported make the intent explicit by de fi ning the package. context.sendBroadcast( Intent(“com.myapp.INTERNAL_ACTION”).apply { `package` = context.packageName })
  7. Runtime-registered broadcasts receivers Targeting 14+ • Must specify export behaviour

    ContextCompat.registerReceiver(context, / * receiver = */ MyReceiver(), / * filter = * / IntentFilter().apply{ addAction(“com.myapp.MY_ACTION”)}, / * flags = */ ContextCompat.RECEIVER_NOT_EXPORTED) ) • Exception: registering for only system broadcasts then the fl ag isn’t needed
  8. Vulnerability mitigation Targeting 14+ • Safer dynamic code loading •

    All dynamically-loaded fi les must be marked as read-only • Recommended to delete and redownload existing fi les • Zip fi le fi x to prevent path traversal vulnerability • ZipException if zip fi le entry names contain ".." or start with “/". • Can opt out with dalvik.system.ZipPathValidator.clearCallback()
  9. New minimum installable target API level All apps • Apps

    with targetSdkVersion 23 or below cannot be installed • Must target 24+ (aka Android 7 or N) • Installed apps are ok when upgrading to Android 15 • adb install -- bypass-low-target-sdk-block APK_FILE.apk
  10. Updated Non-SDK interface restrictions Targeting 15+ • A potential issue

    if accessing hidden methods/ fi elds (i.e Re fl ection) • Testing • Logcat on Debuggable apps • StrictMode.detectNonSdkApiUsage() • Veridex static analysis tool • Google Play console More info https://developer.android.com/guide/app-compatibility/restrictions-non-sdk-interfaces#test-for-non-sdk
  11. What is Private Space? All apps • Similar to Work

    Pro fi le (i.e di ff erent Linux user) • Only supported for main user (not secondary/guest/managed) • Can use same or di ff erent pin code to open private space • Cannot move existing app/data - install only More info https://developer.android.com/about/versions/15/behavior-changes-all#private-space-changes
  12. Installing apps into Private Space All Apps • adb shell

    dumpsys user | grep "Private space" • UserInfo{10:Private space:1010} serialNo=123 isPrimary=false parentId=0 • adb install -- user 10 my_app_to_install_to_private_space.apk Credit René Mayrhofer https://www.mayrhofer.eu.org/post/android-private-space-apps/
  13. Restrictions for apps in Private Space (always) ❌ Receive content

    over Bluetooth from private space apps • Can send content over Bluetooth ❌ Add Widgets / Shortcuts • When sharing content or Photopicker if private space is unlocked, you’ll fi nd a “Private” tab on sharing apps • Bypass virtual private network (VPN) All apps
  14. Given: Your app is running in private space When: The

    user locks the private space Then: all apps in the private space are stopped
  15. Restrictions for apps in Private Space (locked) ❌ Foreground services

    ❌ Background activities ❌ Show noti fi cations ❌ Access to sensors All apps
  16. Vulnerable patterns • Pop up ads - e ff ectively

    a DoS as you can be forces to watch/click ad before allow to exit. • Full/partial tap jacking • Same task modal or full screen phishing (impersonate recently used app)
  17. Taskjacking mitigation Targeting 15+ • Block apps that don't match

    the top UID on the stack from launching activities • Opt out whole app • <application android:allowCrossUidActivitySwitchFromBelow="false" > • Speci fi c shared activities • Activity.setAllowCrossUidActivitySwitchFromBelow(true)
  18. Intents must have actions Targeting 15+ (not enforced) // From

    external app val intent = Intent().apply { setClassName("com.scottyab.whatsnew", "com.scottyab.whatsnew.PublicActivity") } val intent = Intent("com.scottyab.app.PUBLIC_ACTION").apply { setClassName("com.scottyab.whatsnew", "com.scottyab.whatsnew.PublicActivity") } startActivity(intent)
  19. Match target intent- fi lters Targeting 15+ (not enforced) //

    From external app val intent = Intent(“com.scottyab.PRIVATE_ACTION").apply { setClassName("com.scottyab.whatsnew", "com.scottyab.PublicReciever") } context.sendBroadcast(intent)
  20. Vulnerable pattern class PublicReceiver : BroadcastReceiver() { private val handler

    = BroadcastMessageHandler() / / DI inject override fun onReceive(context: Context?, intent: Intent?) { handler.handle(action = action, intent = intent) } class BroadcastMessageHandler { fun handle(action: String, intent: Intent) { when(action) { ACTION_PUBLIC_BROADCAST - > executePublicThing() ACTION_PRIVATE_BROADCAST - > executePrivateThing() ⚠ Don’t copy/paste this ⚠
  21. Defensive BroadcastReceiver Targeting 15+ (not enforced) class ScottReceiver : BroadcastReceiver()

    { private val handler = BroadcastMessageHandler() // DI inject override fun onReceive(context: Context?, intent: Intent?) { if (intent ? . action == MY_ACTION) { handler.handle(action = intent ?. action, intent = intent) } else { Timber.d("Unsupported action: $intent ?. action") } const val MY_ACTION = "com.scottyab.SCOTT_ACTION"
  22. BOOT_COMPLETED broadcast receivers Targeting 15+ • Are no longer allowed

    to launch Foreground services for the following service types: • dataSync • camera • mediaPlayback • phoneCall • mediaProjection • microphone (since Android 14)
  23. Narrower exemptions for app’s with SYSTEM_ALERT_WINDOW Targeting 15+ • SYSTEM_ALERT_WINDOW

    permission = launch a foreground service even if in the background. • Now must also have a visible overlay window • View.getWindowVisibility() • View.onWindowVisibilityChanged() • Otherwise ForegroundServiceStartNotAllowedException
  24. What is Privacy Sandbox? • Keep ad based apps viable

    but protect user privacy. • Web and Android • Alternative to Cookies and Advertising Id
  25. What’s new? • Not production ready yet • Requires adb

    to enable/con fi g • Updates to the existing 3 core APIs • Topics API (interested/topics from the device) • Fledge remarketing custom audiences • Measuring ads
  26. Key take aways • Target Android 7 or above otherwise

    you cannot be installed on Android 15 • Automate checking for non-SDK interface changes • Private space • Allows users to install another instance of your app on same device • Not suitable for any app that needs to run in the background • App’s cannot opt-out • More restrictions for Implicit Intents prefer being Explicit 😉
  27. Thanks! Droidcon London 2024 What's new in Android Security? Scott

    Alexander-Bown Lloyds Banking Group @scottyab scottyab.com