The New Security Features in Android Pie and Why I'm Excited About Them

As a full-stack developer who has worked extensively with Android since the early days, I've seen the platform evolve in countless ways. With each major release, Android introduces interface changes, performance improvements, and new features aimed at enhancing the user experience. But some of the most crucial changes are the ones happening behind the scenes, invisible to the average user. I'm talking about the security enhancements.

In a world where our smartphones contain our most intimate data – messages, photos, location history, financial info – and where new mobile threats seem to emerge daily, security is more critical than ever. Securing the world's most popular mobile operating system is a massive undertaking, and it's one that requires continuous iteration and improvement.

That's why I always eagerly await the release notes for each new version of Android, scouring the "security" section to see how Google plans to harden the OS against vulnerabilities and exploits. Invariably, there are items that make me worry a little less about my phone and my data.

Android 9 Pie, released in August 2018, is no exception. While most of the media focus was on the new gesture navigation and AI-powered adaptive features, for me the real stars of the show were the myriad security enhancements. Pie represents one of the most significant leaps forward for Android security in recent years.

Background Access Restrictions

One of the biggest privacy concerns on smartphones is apps secretly recording users via the microphone or camera. There have been numerous cases of Android apps doing this without the user's knowledge. For example, in 2018 researchers found that over 250 apps on the Play Store were covertly using the mic to listen for ultrasonic beacons for ad tracking purposes.

Android Pie cracks down on this sneaky behavior by prohibiting apps from accessing the microphone or camera when running in the background. If an app needs mic/camera access, it must be actively running in the foreground, visible to the user. The only exception is if the app has been granted special permission for always-on VoIP call functionality.

Here's how it works under the hood: each app runs in its own process with its own unique user ID. When an app is moved to the background, Android Pie removes its ability to record from the mic by revoking the record_audio permission from its UID. Likewise, it disables camera access by turning off the camera permission. When the app returns to the foreground, these permissions are granted again.

This is a strong defense against unscrupulous apps surveilling users without their awareness. Of course, apps can still access the mic and camera when actively in use, but that requires direct user interaction, making covert recording infeasible.

Lockdown Mode

Biometric authentication methods like fingerprint unlock and facial recognition have become ubiquitous in recent years. They offer a faster, more convenient alternative to typing in a PIN or passcode dozens of times a day. However, they also introduce some security concerns.

Law enforcement can compel you to unlock your phone with your fingerprint in many jurisdictions, bypassing important Fifth Amendment protections. Facial recognition systems can potentially be fooled by a photograph or mask of the user. And biometrics can be collected surreptitiously – think of all the times you've touched a glass surface in public or had your picture taken.

Android Pie's new Lockdown mode offers an additional safeguard against these threats. When activated, it immediately locks the device and disables all biometric and Smart Lock unlocking methods until the next time a PIN, pattern, or password is entered. This forces the more secure unlocking methods in situations where you may be concerned about your phone being taken and unlocked against your will.

To enable Lockdown mode, go to Security settings and turn on the "Show lockdown option" toggle. Then a new "Lockdown" button will appear in the power menu when you hold the power button. Tapping it locks the device and disables biometric/trust agent unlocking until you enter your passcode again.

As a developer, I appreciate that this feature doesn't require any special integration – it's a core Android capability that applies across the OS. And as a user, I'm glad to have the option for those times when I need an extra layer of security, like crossing a border or attending a protest. It's not something I use daily, but I'm glad it's there when I need it.

Stronger Network Security

Mobile apps exchange a tremendous amount of data with servers, and protecting that data in transit is crucial. You wouldn't send your login credentials or private messages over an unencrypted HTTP connection on the web; the same should be true in apps.

However, many Android apps still use plain HTTP for some or all of their network traffic. This leaves that data exposed to snooping and modification by any attacker on the same network. According to statistics from HttpArchive, as of February 2019, 27% of Android apps still don't use HTTPS by default. That's over a quarter of all apps leaving user data vulnerable!

Android Pie takes a big step towards changing that by enabling HTTPS for all apps by default. When an app targets API level 28 (the Pie release) and above, Android's default network security configuration blocks all cleartext (non-HTTPS) traffic. Developers must explicitly configure their apps to allow HTTP connections if needed for legacy reasons.

This means that unless an app has deliberately opted out, all of its network transmissions will be encrypted with TLS, protecting them from prying eyes. This is enforced on all apps, regardless of target API level, when running on a device with Pie or later.
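An added example of the opt-out the paragraph describes (not code from the original post): a network security config that keeps the Pie default of blocking cleartext everywhere and re-enables it for a single legacy host only, instead of flipping the switch globally. The hostname legacy.example.com is a constructed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, wired in via
     <application android:networkSecurityConfig="@xml/network_security_config">
     in AndroidManifest.xml. legacy.example.com is a constructed placeholder. -->
<network-security-config>
    <!-- Weak opt-out to avoid: cleartextTrafficPermitted="true" on base-config
         would re-open plain HTTP for every host the app talks to. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the device's system CA store. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow exception: plain HTTP is allowed only for one legacy endpoint,
         without subdomains, so the rest of the app keeps TLS. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>
</network-security-config>
```

Any cleartext request to a host outside that domain-config still fails with the platform's "Cleartext HTTP traffic not permitted" error, which is the behaviour you want to see in testing.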

As a developer, I was happy to update my apps' network calls to use HTTPS exclusively when targeting Pie. In addition to ensuring data privacy, HTTPS also protects against content injection attacks and garbled data resulting from interfering proxies. It's just good practice, and Android Pie makes it the path of least resistance.

Stronger Authentication for Backups

Android's backup system allows users to restore their app data and settings when switching to a new device. This is incredibly convenient, but it also poses some security risks if not implemented properly.

In older versions of Android, restoring a device from a backup only required authenticating with a fingerprint or facial recognition. This meant that if someone got a hold of your unlocked phone, they could factory reset it and restore your data and apps without knowing your backup password. Yikes!

Android Pie closes this loophole by requiring the user's device PIN, pattern, or password in order to restore a backup. Without that, the backup data is inaccessible. This means even if an attacker has physical access to your phone, they can't get to your data without knowing your unlock code.

Here's how the process works now:

  1. User enables backup on their device and sets a backup password
  2. Backup data is encrypted with a key derived from the backup password and sent to Google Drive
  3. To restore the backup on a new device, user must enter their backup password
  4. If the password is correct, the backup data is downloaded, decrypted, and restored
  5. The restored device is now protected with the user's PIN, pattern, or password

This additional authentication factor provides a crucial layer of protection for sensitive app data in backups. And while it does add an extra step to the device setup process, I believe most users will appreciate the added security. I know I do.

Call Recording Indicator

Many jurisdictions have laws against recording phone calls without the consent of both parties. But on Android, apps have long been able to record calls without any indication to either end of the call.

This has led to a proliferation of call recording apps on the Play Store, some of which have been installed millions of times. While these apps may have legitimate uses, they also enable unscrupulous users to record calls without the other party's knowledge.

Android Pie takes a stand against unconsented call recording by requiring apps to play a tone at regular intervals when recording a call. This tone is clearly audible to both parties, making it obvious the call is being recorded.

Here are the specifics of how it works:

  • When an app starts recording a call, it must play a 0.7-second tone
  • The tone must be repeated every 15 seconds while recording continues
  • The tone plays through the device earpiece and the outgoing audio channel, so both parties can hear it
  • The tone's volume must be at least as loud as the call audio
  • Custom tones are not allowed; it must be the standard 1400 Hz sine wave tone

This effectively makes surreptitious call recording impossible, at least without rooting the device. Users will always be aware if a call is being recorded by the presence of the tone.

As a developer who values privacy, I appreciate this change, even if it means I have to rethink how I would implement call recording in an app. The user experience must be designed around the presence of the tone, and it must be made clear to users that their calls will be audibly "watermarked" if recorded. It's a constraint, but one I'm happy to work with for the sake of user privacy.

Other Pie Security Tidbits

In addition to the headlining features above, Android Pie also includes a number of smaller security enhancements worth mentioning:

  • DNS over TLS: Android Pie supports encrypting DNS queries with TLS, preventing network snooping of domain lookups. This is configured by the device admin or DNS provider app.

  • Control Flow Integrity: CFI is a security technique that disallows changes to the original control flow graph of a compiled binary. Android Pie expands CFI to cover more of the Android native code surface and establishes a minimum policy for all device manufacturers, making exploitation of memory corruption vulnerabilities more difficult.

  • Unified Biometric Authentication Prompt: Pie introduces a standard system-level dialog for biometric authentication across different sensors and methods (e.g. fingerprint, face, iris). This provides a more consistent and secure authentication UX for users.

  • Stronger APK Signature Scheme: Android Pie updates the APK signature scheme to v3, which enforces a minimum of 3072-bit RSA and 256-bit ECC keys. This improves the strength of app signing keys, making them harder to forge.

While small individually, these changes add up to a more robust Android security model overall. Each one closes a potential avenue for exploitation or makes common developer mistakes less likely to result in vulnerabilities.

Looking Ahead

Will the security enhancements in Android Pie render the OS bulletproof against all threats? Of course not. No software is perfectly secure.

Security researchers will continue to find bugs, some of which will put users at risk. Malware authors will still try to sneak their wares into the Play Store or sideload them onto devices. Users will still fall for phishing attacks and unknowingly grant permissions to malicious apps.

But what Android Pie's security improvements represent is a significant step forward in protecting users from some of today's biggest mobile threats. By shutting down background access to sensors, locking down data at rest and in transit, making users aware of call recording, and enforcing authentication for sensitive actions, Pie makes it much harder for bad actors to silently steal private information.

Perhaps more importantly, these enhancements show that Google is taking a proactive, multi-layered approach to Android security. With each major release, exploiting the OS becomes more difficult and keeping user data confidential becomes easier. Security is never "done", but we can at least have some assurance that it's moving in the right direction.

As an app developer, I'm excited to target Pie's new APIs and take advantage of the stronger default security configurations. Protecting user data has to be a foremost concern for anyone developing mobile apps, not just a nice-to-have with a minimum compliance checkbox.

And as a user, I'm looking forward to seeing how app developers adapt to Android Pie's constraints around background sensor access and call recording. I foresee some grumbling in the short term, but I'm confident it will result in a more privacy-respecting app ecosystem and greater transparency around how apps are accessing and using my information.

Of course, there's always more work to be done. Just as Android Pie is a step up from Oreo, Android Q (Android 10) will likely bring its own bundle of security goodies later this year. Here are some of the improvements I'm hoping to see:

  • Wider rollout of TLS 1.3 support for faster, more secure HTTPS connections
  • Stronger encryption for devices with no cryptographic hardware acceleration via Google's new Adiantum cipher
  • Mandatory two-factor authentication for Google accounts on Android devices
  • Further restrictions on background location and sensor access for apps
  • More user-facing information about which apps have accessed sensitive permissions and when

No doubt there will be items on this wish list that don't make it into Android Q, as well as plenty of welcome security surprises when the source code drops. But if Android Pie is any indication, the upcoming release will give users and developers even more reasons to feel good about the state of Android security.

In the meantime, I'll be happily using my Pie-enabled device, secure in the knowledge that Google has my back when it comes to protecting my data – at least until the next big bad wolf comes along.
