63 lines
2.9 KiB
HTML
63 lines
2.9 KiB
HTML
<html devsite>
|
|
<head>
|
|
<title>Security Enhancements in Android 7.0</title>
|
|
<meta name="project_path" value="/_project.yaml" />
|
|
<meta name="book_path" value="/_book.yaml" />
|
|
</head>
|
|
<body>
|
|
<!--
|
|
Copyright 2017 The Android Open Source Project
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
|
|
|
|
|
|
<p>Every Android release includes dozens of security enhancements to protect
|
|
users. Here are some of the major security enhancements available in Android
|
|
7.0:</p>
|
|
|
|
<ul>
|
|
<li><strong>File-based encryption</strong>. Encrypting at the file level,
|
|
instead of encrypting the entire storage area as a single unit, better
|
|
isolates and protects individual users and profiles (such as personal and
|
|
work) on a device.</li>
|
|
<li><strong>Direct Boot</strong>. Enabled by file-based encryption, Direct
|
|
Boot allows certain apps such as alarm clock and accessibility features to
|
|
run when device is powered on but not unlocked.</li>
|
|
<li><strong>Verified Boot</strong>. Verified Boot is now strictly enforced to
|
|
prevent compromised devices from booting; it supports error correction to
|
|
improve reliability against non-malicious data corruption.</li>
|
|
<li><strong>SELinux</strong>. Updated SELinux configuration and increased
|
|
seccomp coverage further locks down the application sandbox and reduces attack
|
|
surface.</li>
|
|
<li><strong>Library load-order randomization and improved ASLR</strong>.
|
|
Increased randomness makes some code-reuse attacks less reliable.</li>
|
|
<li><strong>Kernel hardening</strong>. Added additional memory protection for
|
|
newer kernels by marking portions of kernel memory as read-only, restricting
|
|
kernel access to userspace addresses and further reducing the existing attack
|
|
surface.</li>
|
|
<li><strong>APK signature scheme v2</strong>. Introduced a whole-file signature
|
|
scheme that improves verification speed and strengthens integrity guarantees.</li>
|
|
<li><strong>Trusted CA store</strong>. To make it easier for apps to control
|
|
access to their secure network traffic, user-installed certificate authorities
|
|
and those installed through Device Admin APIs are no longer trusted by default
|
|
for apps targeting API Level 24+. Additionally, all new Android devices must
|
|
ship with the same trusted CA store.</li>
|
|
<li><strong>Network Security Config</strong>. Configure network security and TLS
|
|
through a declarative configuration file.</li>
|
|
</ul>
|
|
|
|
|
|
</body>
|
|
</html>
|