$30 off During Our Annual Pro Sale. View Details »

What's 'Q' in Android Security

What's 'Q' in Android Security

With the first decade now in the rearview mirror, Google launches us into the next decade of Android with Q. Consistent with the last few releases, Google is focusing ever more on privacy, updatablity and platform hardening.

Beyond the platform improvements, I’ll cover the breaking changes and what you’ll need to update to be compatible when running on, and/or targeting Q. This is particularly important if your app uses location, external storage or system alert windows.

We’ll also cover 2 exciting new encryption libraries from Google AndroidX Security and Adiantum, as well as security best practices that align with Android Q

Recording here -> https://www.youtube.com/watch?v=o7FisKhsLRM

Scott Alexander-Bown

November 02, 2019

More Decks by Scott Alexander-Bown

Other Decks in Technology


  1. What’s ‘Q’ in Android Security Scott Alexander-Bown @ScottyAB hi@scottyab.com

  2. @ScottyAB

  3. None
  4. None
  5. Updatablity Privacy Platform hardening @ScottyAB

  6. Updatablity Privacy Platform hardening @ScottyAB

  7. 8 devices 7 device makers 23 devices 13 device makers

    Project: Treble @ScottyAB
  8. Project: Mainline aka Google Play System updates • Updates/security patches

    faster • Delivered via Google Play • Components ◦ Media Framework Components ◦ Conscrypt Image from android-developers.googleblog.com @ScottyAB
  9. Updatablity Privacy Platform hardening @ScottyAB

  10. Location Storage Connectivity Device Ids and more @ScottyAB

  11. Access to Location in Background developer.android.com/training/location/receive-location-updates • Tri state dialog

    • System reminder about access to device location in the background • Graceful degradation i.e handle “deny and don't ask again”
  12. Background permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" Must declare if targeting Q If targets

    P or lower system auto adds the permission during install developer.android.com/training/location/receive-location-updates @ScottyAB
  13. developer.android.com/about/versions/10/privacy/changes#app-access-device-location

  14. Location: Foreground Service developer.android.com/preview/privacy/device-location Remember to declare FOREGROUND_SERVICE permission if

    targeting P+ • New foreground Service Type @ScottyAB
  15. Location External Storage Connectivity Device Ids and more @ScottyAB

  16. What is the big change? • You get a filtered

    view into external storage • Use the MediaStore to access files from other apps
  17. Scoped storage on Q • With READ_EXTERNAL_STORAGE • Accessing other

    apps files only if there are in media collections ◦ Photos -> MediaStore.Images ◦ Videos -> MediaStore.Video ◦ Music -> MediaStore.Audio @ScottyAB
  18. Do you need external storage permissions?

  19. @ScottyAB

  20. Fixed it Warning: Scoped storage will be required in next

    year's major platform release for all apps, independent of target SDK level. @ScottyAB
  21. Scoped storage will be required in Android R for all

  22. Location Storage Connectivity restrictions Device Ids and more @ScottyAB

  23. • Cannot change the connection settings programmatically ◦ WifiManager.setWifiEnabled() ◦

    manual configuration of the list of Wi-Fi networks is now restricted to system apps* • Suggest WiFi networks ◦ WifiManager.addNetworkSuggestions(..) ◦ Listen for broadcast WifiManager.ACTION_WIFI_NETWORK_SUGGESTION_POST_CONNECTION @ScottyAB
  24. Settings Panel Intent(Settings.Panel.ACTION_INTERNET_CONNECTIVITY) Start Intent AndroidX wrapper (TBC) @ScottyAB

  25. Location Storage Connectivity Non resettable hardware IDs And more @ScottyAB

  26. ‍♀ Now require READ_PRIVILEGED_PHONE_STATE If your app targets Android Q

    -> SecurityException If your app targets API level 28 or below -> null or placeholder data (if hold READ_PHONE_STATE permission) Otherwise, a SecurityException occurs. Restricted access to Device serial and IMEI @ScottyAB
  27. Location Storage Connectivity Device Ids And a whole lot more...

  28. TLS 1.3 supported by default in Android Q Enhanced security

    40% faster with TLS 1.3 compared to TLS 1.2 Disable TLS 1.3 (only if you need to) ◦ SSLContext.getInstance("TLSv1.2") ◦ SSLSocket.setEnabledProtocols(..) @ScottyAB
  29. Oh, BTW val url = URL("https://scottyab.com") val httpsURLConnection = url.openConnection()

    as HttpsURLConnection httpsURLConnection.sslSocketFactory = null • HttpsURLConnection.setSSLSocketFactory(null) throws an IllegalArgumentException @ScottyAB
  30. Run embedded DEX code directly from APK • android:useEmbeddedDex=”true” in

    the <application> • Cannot use compressed DEX code ◦ Reduced performance ◦ Gradle: aaptOptions { noCompress 'dex' } @ScottyAB
  31. More non-SDK interface restrictions Are you using reflection or JNI?

    More restrictions in Q! (also some whitelisted) StrictMode.VmPolicy.Builder().detectNonSdkApiUsage() developer.android.com/preview/non-sdk-q @ScottyAB
  32. Misc Restrictions Background activity starts blocked Access to clipboard data

    ⚠ SYSTEM_ALERT_WINDOW on Android Q Go devices @ScottyAB
  33. Encryption libraries @ScottyAB

  34. Android X: Security • minSdk: 23 (M) • Safe and

    easy to use (based on Tink) • AES256 GCM • Implementations ◦ EncryptedFile ◦ EncryptedSharedPreferences developer.android.com/topic/security/data @ScottyAB
  35. "androidx.security:security-crypto:1.0.0-alpha02" https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b @ScottyAB Generate the Key/Alias

  36. "androidx.security:security-crypto:1.0.0-alpha02" https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b @ScottyAB Create

  37. Under the hood facebook.github.io/stetho/ @ScottyAB

  38. Migrating from regular shared prefs Do you need to migrate

    all prefs? ‍♂ What if decrypt fails? recover options? @ScottyAB
  39. Updatablity Privacy Platform hardening @ScottyAB

  40. android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html @ScottyAB

  41. Adiantum: Encryption for the Next Billion Users • For Devices

    without AES hardware support ◦ Android Go Devices ◦ Smartwatches ◦ TVs • File/Disk encryption • Now part of the Android platform @ScottyAB
  42. @ScottyAB

  43. Privacy Checklist developer.android.com/about/versions/10/privacy @ScottyAB

  44. developer.android.com/about/versions/10/privacy

  45. Thank ‘Q’ Scott Alexander-Bown @ScottyAB hi@scottyab.com If you dig mobile

    come to SW mobile meetup.
  46. References - android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html - developer.android.com/preview/privacy - source.android.com/security/enhancements