Google is hardening Android security at the firmware level


Posts: 1,322   +27
Staff member
Why it matters: Android is the world's most popular mobile operating system, but it's also the hardest to secure against a variety of cybersecurity threats that keep evolving. Google aims to improve on that front by introducing security features baked in at the firmware level, some of which will come with a performance hit.

Google says it's working on a new way to boost the security of its Android operating system by reinforcing it at the level closest to the actual hardware it's running on. The decision aligns with the general trend of securing less visible components of the software stack to add more protection layers against modern cyber threats.

All Android devices today are powered by multi-core processors called application processors, and they are accompanied by additional processors specialized for processing images, video, and security as well as cellular communications. Collectively, they are known as Systems-on-Chip or SoCs and are governed by firmware.

Malicious actors are increasingly targeting this part of the software stack by finding bugs and vulnerabilities which can be exploited over the air. This kind of attack surface is of particular concern to companies like Google that have to coordinate with a large number of OEM partners to distribute security fixes in a timely manner.

Google has a multi-pronged approach to hardening the security of the Android platform. First, it wants to introduce a protection mechanism in the form of compiler-based sanitizers which are able to catch memory safety issues early on in the software development process.

Second, it will work with hardware partners to add memory safety features at the firmware level. These are supposed to prevent any critical memory errors and include a mechanism that zeroes out memory pages before they can be allocated by an app. This ensures that random data left behind by a different app is truly gone.

Last, the company will incorporate a series of mitigations designed to make it harder for hackers to exploit unknown bugs. One side effect of these will be that performance will take a hit as not all parts of an SoC have the same resources. Google admits this will be a challenge moving forward but also emphasizes that optimizations can be done to achieve a good balance between performance and security.

Meanwhile, one of Google's biggest security issues remains the fragmentation of the Android ecosystem. The company has put a lot of effort into writing almost all new code for Android versions 12 and newer in memory-safe languages like Rust, but adoption by users has been relatively slow. It also doesn't help that malware creators are easily defeating Android security with stolen Platform certificates.

Masthead credit: Daniel Romero
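The zero-before-allocation mechanism described in the article, as an added example (not code from Google, Android, or the original story): a toy user-space page pool in C where one owner leaves constructed sample data behind and the next owner either can or cannot read it. The names `page_alloc`, `page_free`, `stale_bytes`, and `reuse_scenario` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NUM_PAGES 4
#define SECRET "constructed-session-token" /* constructed sample data */

/* Toy pool standing in for the physical pages an allocator hands out. */
static unsigned char pool[NUM_PAGES][PAGE_SIZE];
static int in_use[NUM_PAGES];

/* Hand out the first free page; scrub it first when zero_on_alloc is set. */
unsigned char *page_alloc(int zero_on_alloc) {
    for (int i = 0; i < NUM_PAGES; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            if (zero_on_alloc)
                memset(pool[i], 0, PAGE_SIZE);
            return pool[i];
        }
    }
    return NULL; /* pool exhausted (never happens in the scenario below) */
}

/* Return a page to the pool without clearing it, as a naive allocator would. */
void page_free(unsigned char *page) {
    in_use[(page - &pool[0][0]) / PAGE_SIZE] = 0;
}

/* Count the non-zero bytes a new owner can read from a fresh page. */
size_t stale_bytes(const unsigned char *page) {
    size_t n = 0;
    for (size_t i = 0; i < PAGE_SIZE; i++)
        n += (page[i] != 0);
    return n;
}

/* "App A" writes a secret and frees its page; "app B" then allocates.
 * Returns how many leftover bytes app B can see. */
size_t reuse_scenario(int zero_on_alloc) {
    unsigned char *a = page_alloc(0);
    memcpy(a, SECRET, sizeof(SECRET) - 1);
    page_free(a);
    unsigned char *b = page_alloc(zero_on_alloc);
    size_t leaked = stale_bytes(b);
    page_free(b);
    return leaked;
}

int main(void) {
    printf("without zeroing: %zu stale bytes\n", reuse_scenario(0));
    printf("with zeroing:    %zu stale bytes\n", reuse_scenario(1));
    return 0;
}
```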




Posts: 8,766   +8,315
It's not users that are slow at adopting Android 12, it's companies that are being slow, or have completely abandoned older phones, after one or two version updates.
Which, when reading between the lines of Google's take on this, means "All of you with devices running older versions of Android will not get this". :p


Posts: 1,589   +1,147
Which, when reading between the lines of Google's take on this, means "All of you with devices running older versions of Android will not get this". :p
You are probably right - just play store, Chrome updates etc - which are what's keeping those older phones mostly safe - My Pixel3 XL is old - but turning off BT, Wifi, not downloading stuff, serious low chrome use. Treating it like cash - I have very little concerns being hacked - no side loading - only a few seriously big apps - watch permissions. My attack surface is reasonably low.

Google have to start somewhere - in 5 years it will all wash through - HQ $200 phones with most bells & whistles - Google able to bypass phone makers to some extent.

The elephant in the room - to all the doom and gloom security folks - and iPhone/Mac users raving how safe they are - is that most scams are still social engineering
i.e. lots of illegal, or old Windows PCs out there, no anti-virus etc - many of these people do internet banking etc - Yet to see a story about millions of bank accounts being scammed at a time - Sure a lot of that will be the banks' protection flagging suspicious activity, plus the need for clean bank accounts.

Even Indian scam centers with complete control of bank accounts with RATs ask victims to redraw cash

Saying that people harvesting your identity is a problem - but they can harvest that info multiple ways

Guillermo Belli

Posts: 72   +99
I'm actually looking to revert to Android 11 (or more precisely, LineageOS 18) as Android 12 is just a mess, less usability, less freedom. Android 13 is just worse. With every release Android is getting more and more like iOS, a closed garden where you do only what the garden's owner says you can do.

ron baer

Posts: 64   +18
They are not hardening security. They are just locking out other actors from getting in on their game. Won't be surprised to hear that the next Android OS to remove your privacy and scan/upload results to all photos via AI for things the tyrants do not approve of us commoners to have. Android is literally the most restrictive Linux OS in existence but hey, OWN NOTHING AND BE HAPPY right

Feng Lengshun

Posts: 57   +24
As soon as I got to the steps they're taking, my mind immediately goes "Rust?"

Yup, it's Rust. You can't really look at the mirror and say "memory-safety" three times without summoning Rust.