Affiliate Disclosure: By buying the products we recommend, you help keep the lights on at MakeUseOf. Read more.
Android 8.0 Oreo is stuffed full of exciting features, right from Instant Apps to Notification Channels. While most users are pretty excited about these new features, there’s a full range of little-known, under-the-hood security enhancements in Google’s newest operating system.
Security features might not get you as excited as other headline features, but they are equally important. Security terminologies can be quite confusing for the average non-tech person, so here’s our attempt to simplify the security features in Android 8.0 Oreo.
Security Enhancements Baked Into Software
Here are some security features baked right into the operating system, and they come with every Android 8.0 Oreo device out-of-the-box.
1. Sideloading Apps Is Now Granular and Safer
Unlike iOS, Android has been pretty “open” about letting users sideload apps on their device. Sideloading apps let you gain access to all kinds of apps, but installing apps from unverified sources can prove to be a huge security risk.
In Android 8.0 Oreo, there’s a big change in how you sideload apps. Instead of a global setting that allows installation of apps from anywhere, Oreo requires you to toggle this setting on a per-app basis. For instance, you can allow manual installation of APKs from the Amazon Appstore, but block installation of APKs downloaded from Google Chrome.
This fine-grained behavior lets you be very specific about the sources you can install apps from, thus preventing you from installing apps from shady sources.
Also, Google Play Protect can check unknown apps for security threats.
2. Android Verified Boot 2.0 Prevents Tampering
Android Verified Boot is a security feature built into Android since 4.4 KitKat. Clever Android malware with root permissions can hide and mask themselves, making them undetectable to security apps. This feature prevents a device from booting up if the software is tampered with.
But a hacker could potentially downgrade the device to an older version, thus bypassing this feature.
To combat this, Oreo comes with Android verified Boot 2.0, which supports Rollback Protection. It is designed to prevent a device from booting if downgraded to an older or more vulnerable version.
This is accomplished by storing the operating system version inside a special hardware. Currently, the Pixel 2 and Pixel 2 XL come with this protection. Google strongly recommends all device manufacturers incorporate this feature in the future.
3. Project Treble Enables Better Sandboxing
Project Treble was primarily designed to help device manufacturers quickly roll-out new versions of Android. Behind the scenes, it’s a major redesign of the Android framework — separating device-specific code from the operating system framework.
Along with faster updates, it also plays a key role when it comes to security.
Because of the re-designed modular framework and better sandboxing, exploits in one part have fewer chances of affecting other parts of the system.
The Hardware Abstraction Layer (HAL) provides an interface between system hardware and software. Traditionally, it included direct access to kernel drivers, which resulted in HALs having extra permissions and access to hardware which wasn’t absolutely required.
In Oreo, each HAL runs in its own sandbox. This translates to less-abused app permissions and hardware drivers.
Security Enhancements That Protect You on Networks
Here are some security enhancements in Oreo that help you stay safe while browsing the internet.
4. Deprecated Insecure Version of SSL
SSL/TLS are network protocols used to provide secure communications over the internet. In 2014, Google researchers discovered a security vulnerability in SSL v3.0.
With Oreo, Android has stopped supporting this old and insecure version of SSL.
Oreo also drops support for TLS version fallback, which was a compatibility workaround to connect to servers that have an improper implementation of TLS. Google says that the workaround was removed because it weakened security. For the end users, this implies stronger security when communicating on the internet.
Oreo also brings a couple of security changes to the WebView element. For the uninitiated, you can think of WebView as a browser bundled inside an app.
First, the components of WebView have been split into a separate process, which helps in handling untrusted content safely with sandboxing. It now also supports Safe Browsing, which warns you of fraudulent and deceptive sites.
5. Stay Protected on Public Wi-Fi
It’s no secret that there are inherent risks associated when you connect to a public unsecured Wi-Fi. Its open nature could potentially let hackers steal your personal information.
Thankfully, the WiFi Assistant feature in Oreo can help you connect to a high-quality Wi-Fi network and secure it with a VPN back to Google. However, this feature seems to be exclusive to Project Fi and Nexus/Pixel users as of now.
Security Enhancements Related to Hardware
Alongside the software improvements, Google has gone a step further to introduce some cool hardware-related security features in Oreo.
6. Support for Tamper-Resistant Hardware
Android Oreo enables support for a dedicated hardware security module that protects your lock screen passcode against physical attacks. The Pixel 2 is the first phone to come with such a security module.
The tamper-resistant hardware has its own dedicated RAM and other components, so it can fully control its own execution. Google says that it can also detect and defend against outside attempts to physically tamper with it. The tamper-resistant hardware complements the software-based security mechanism and delivers enterprise-grade security.
7. Support for Physical Security Keys
If you’ve enabled two-factor authentication (which you definitely should), you might agree that entering unique codes as the second form of authentication can be quite a hassle. In that case, physical U2F security keys can act as a second form of authentication, removing the hassle of manually entering the codes.
Fortunately, Android Oreo brings support for physical security keys that you can connect to your phone using Bluetooth or NFC.
Currently, developers are required to build this feature into their apps, so it might take a while until you can start seeing them in action.
Other Tiny Security Improvements
Besides the above highlight features, here are a few other tiny security-related tweaks made in Android Oreo.
8. Kernel Lockdown
Android Oreo limits access to the kernel with the help of a new seccomp filter. Using this, Google says that it can shut down unused system calls, thus reducing kernel attacks. For the end-users, this means that the kernel is less likely to be exploited by malicious apps.
9. Dismissive System Alert Overlays
Typically, Android allows apps to create popups on top of other Android apps. Developers have utilized this feature to build some innovative concepts like picture-in-picture mode inside apps.
But some hackers have also exploited this feature to display pop-ups asking for ransom or even tricking users into giving away their credentials.
In Oreo, there’s a persistent notification whenever there’s a System Alert Overlay. It also lets you easily dismiss the notification and remove this overlay.
Android 8.0 Oreo Fixes Security Woes
Google seems to have left no stone unturned in 8.0 Oreo when it comes to security. However, it has quite a few catch-ups to do with iOS in regards to security. But with all these security enhancements and the ever-increasing Android Security Rewards payout, it certainly seems like Google is strongly committed to making Android more secure.
Even though you can try Oreo’s headline features on older Android devices, these security improvements cannot be replicated, which makes it a compelling upgrade. It’s a no-brainer to upgrade to Android 8.0 Oreo right now if your device supports it.
What do you think of the security enhancements in Android Oreo? Do you think Android will ever be on par with iOS when it comes to security? Share your thoughts with us in the comments below.