
What's 'Q' in Android Security

With the first decade now in the rearview mirror, Google launches us into the next decade of Android with Q. Consistent with the last few releases, Google is focusing ever more on privacy, updatability and platform hardening.

Beyond the platform improvements, I’ll cover the breaking changes and what you’ll need to update to be compatible when running on, and/or targeting Q. This is particularly important if your app uses location, external storage or system alert windows.

We’ll also cover 2 exciting new encryption libraries from Google, AndroidX Security and Adiantum, as well as security best practices that align with Android Q.

Recording here -> https://www.youtube.com/watch?v=o7FisKhsLRM

Scott Alexander-Bown

November 02, 2019



  1. Project: Mainline aka Google Play System updates
     • Updates/security patches faster
     • Delivered via Google Play
     • Components
       ◦ Media Framework Components
       ◦ Conscrypt
     Image from android-developers.googleblog.com
     @ScottyAB
  2. Access to Location in Background
     developer.android.com/training/location/receive-location-updates
     • Tri state dialog
     • System reminder about access to device location in the background
     • Graceful degradation, i.e. handle “deny and don't ask again”
  3. Background permission
     android:name="android.permission.ACCESS_BACKGROUND_LOCATION"
     • Must declare if targeting Q
     • If targets P or lower, system auto adds the permission during install
     developer.android.com/training/location/receive-location-updates
  4. What is the big change?
     • You get a filtered view into external storage
     • Use the MediaStore to access files from other apps
  5. Scoped storage on Q
     • With READ_EXTERNAL_STORAGE
     • Accessing other apps' files only if they are in media collections
       ◦ Photos -> MediaStore.Images
       ◦ Videos -> MediaStore.Video
       ◦ Music -> MediaStore.Audio
  6. Fixed it
     Warning: Scoped storage will be required in next year's major platform release for all apps, independent of target SDK level.
  7. • Cannot change the connection settings programmatically
       ◦ WifiManager.setWifiEnabled()
       ◦ manual configuration of the list of Wi-Fi networks is now restricted to system apps*
     • Suggest WiFi networks
       ◦ WifiManager.addNetworkSuggestions(..)
       ◦ Listen for broadcast WifiManager.ACTION_WIFI_NETWORK_SUGGESTION_POST_CONNECTION
  8. Restricted access to Device serial and IMEI
     • Now require READ_PRIVILEGED_PHONE_STATE
     • If your app targets Android Q -> SecurityException
     • If your app targets API level 28 or below -> null or placeholder data (if it holds the READ_PHONE_STATE permission). Otherwise, a SecurityException occurs.
  9. TLS 1.3 supported by default in Android Q
     • Enhanced security
     • 40% faster with TLS 1.3 compared to TLS 1.2
     • Disable TLS 1.3 (only if you need to)
       ◦ SSLContext.getInstance("TLSv1.2")
       ◦ SSLSocket.setEnabledProtocols(..)
  10. Oh, BTW
          val url = URL("https://scottyab.com")
          val httpsURLConnection = url.openConnection() as HttpsURLConnection
          httpsURLConnection.sslSocketFactory = null
      • HttpsURLConnection.setSSLSocketFactory(null) throws an IllegalArgumentException
  11. Run embedded DEX code directly from APK
      • android:useEmbeddedDex="true" in the <application>
      • Cannot use compressed DEX code
        ◦ Reduced performance
        ◦ Gradle: aaptOptions { noCompress 'dex' }
  12. More non-SDK interface restrictions
      • Are you using reflection or JNI?
      • More restrictions in Q! (also some whitelisted)
      • StrictMode.VmPolicy.Builder().detectNonSdkApiUsage()
      developer.android.com/preview/non-sdk-q
  13. Misc Restrictions
      • Background activity starts blocked
      • Access to clipboard data
      • ⚠ SYSTEM_ALERT_WINDOW on Android Q Go devices
  14. Android X: Security
      • minSdk: 23 (M)
      • Safe and easy to use (based on Tink)
      • AES256 GCM
      • Implementations
        ◦ EncryptedFile
        ◦ EncryptedSharedPreferences
      developer.android.com/topic/security/data
  15. Migrating from regular shared prefs
      • Do you need to migrate all prefs?
      • What if decrypt fails? Recover options?
  16. Adiantum: Encryption for the Next Billion Users
      • For Devices without AES hardware support
        ◦ Android Go Devices
        ◦ Smartwatches
        ◦ TVs
      • File/Disk encryption
      • Now part of the Android platform
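
One way to approach the questions on slides 14 and 15, as an added example that is not from the talk: migrate only the sensitive keys into EncryptedSharedPreferences, and reset the encrypted file if it cannot be opened. The file names and key list are hypothetical, and the code assumes the MasterKeys API from androidx.security:security-crypto 1.0.0.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.io.IOException
import java.security.GeneralSecurityException

// Hypothetical names for this example.
private const val PLAIN_PREFS = "app_prefs"
private const val SECURE_PREFS = "app_prefs_secure"
private val SENSITIVE_KEYS = listOf("auth_token", "refresh_token") // assumed to hold String values

private fun createSecurePrefs(context: Context): SharedPreferences =
    EncryptedSharedPreferences.create(
        SECURE_PREFS,
        MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC), // AES-256-GCM master key in the Android Keystore
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

fun openSecurePrefs(context: Context): SharedPreferences {
    val secure = try {
        createSecurePrefs(context)
    } catch (e: GeneralSecurityException) {
        resetSecurePrefs(context)
    } catch (e: IOException) {
        resetSecurePrefs(context)
    }
    migrateSensitiveKeys(context.getSharedPreferences(PLAIN_PREFS, Context.MODE_PRIVATE), secure)
    return secure
}

// Recovery option: if create() fails, the existing encrypted values cannot be read.
// Drop the file and start empty; the app must then treat the user as signed out.
// deleteSharedPreferences() requires API 24+.
private fun resetSecurePrefs(context: Context): SharedPreferences {
    context.deleteSharedPreferences(SECURE_PREFS)
    return createSecurePrefs(context)
}

private fun migrateSensitiveKeys(plain: SharedPreferences, secure: SharedPreferences) {
    val pending = SENSITIVE_KEYS.filter { plain.contains(it) }
    if (pending.isEmpty()) return
    val editor = secure.edit()
    pending.forEach { key -> editor.putString(key, plain.getString(key, null)) }
    // commit() is synchronous: remove the plaintext copies only after the encrypted write succeeded.
    if (editor.commit()) {
        val cleanup = plain.edit()
        pending.forEach { key -> cleanup.remove(key) }
        cleanup.apply()
    }
}
```

Non-sensitive settings stay in the plain file, which keeps the migration small and means a reset of the encrypted file costs the user a sign-in rather than all of their preferences.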