The latest version of the Android operating system, Lollipop, adds encryption by default, along with a variety of easy-to-use ways to lock and unlock the phone and a more secure foundation to help protect devices against current threats.
In a blog post published on Tuesday, Google described the features, which will begin shipping with the Lollipop operating system in new Android devices in the coming weeks. While some of the capabilities, such as encryption, are already included in the current Android OS, the new version will turn them on by default.
Many of the security features were born of Android’s open-source foundations and the fact that other researchers and companies can create and test new security features for the operating system, Adrian Ludwig, lead security engineer for Android at Google, said during a briefing on the security features.
“It is that openness and visibility that is really unique to Android among all the mobile operating systems and will make sure that we have security innovation and is a long-term advantage in terms of security,” he said. “With Lollipop, we have a chance to make improvements at the operating-system level and really advance the trusted platform.”
Google classifies its security efforts on Android into three groups: building a trusted platform, adding services to help secure devices, and supporting additional security for the open Android ecosystem. Most of the work in Lollipop focused on helping users lock down their devices against the most significant danger, the loss or theft of a device.
To that end, the company has turned on encryption by default, essentially placing any data on an Android smartphone or tablet into a digital safe that should be impossible to crack. The move, which has caused much consternation among law enforcement and intelligence agencies, means that users will no longer have to make the choice of whether to turn the feature on.
“The question is not whether the security feature exists, but how do we make sure it is available and as easy to use for as many users as possible,” Ludwig said. Current Android users could turn on encryption in a device’s settings, but would have to wait for any data to be encrypted, which could take minutes or hours.
The company has also created SmartLock, a way to automatically lock and unlock the phone using a variety of factors, such as facial recognition or the proximity of a specific device (an earpiece, for example) detected over Bluetooth or near-field communications (NFC). Because many users do not set a passcode on their phones, Google hopes SmartLock's convenience will convince people to turn on a locking mechanism and protect the device if it is lost or stolen.
“The goal is, if the user’s device is lost, they don’t have to worry about the sensitive data, that data will automatically be protected,” Ludwig said.
Google has also invested in using the Security-Enhanced Linux project, known as SELinux, to harden the foundations of the Android operating system. The added security allows the operating system to better isolate applications from each other and prevent a malicious application from accessing other software on the device.
“We have already seen examples of existing vulnerabilities that were blocked because of the adoption of SELinux,” Ludwig said.
SELinux not only improves security but also gives better visibility into the security model on any particular device. Users can view the security model on a Lollipop device and gain a better idea of its security, he said.
To guide its future security efforts, Google is also analyzing its user data to figure out what the actual threats to Android devices are, Ludwig said. While it is obvious that lost and stolen devices are the No. 1 threat, the company does not actually know which of the distant-second security issues it should worry about, he said.
“We do believe there are some small number of users affected by potentially harmful programs or malware; we do believe there is a small number of users who have network-level exploitation of their devices, such as man-in-the-middle attacks,” he said. “There are a variety of these different threats that are relatively low in volume, but we are trying to understand what the frequency is of these lower-volume threats.”