Android 7.0: Security benefits that truly matter

Updated August 13, 2016, with information about the final Android Nougat features and APIs.

There are a lot of code changes coming in Android N. Some of them we can see — like the new notifications — and others we can't (but are still a big deal). We see the same thing with every update. There are refinements and changes in the interface, but under the hood adjustments and changes are made to make Android run better, and safer.

Google has improved security in Android Nougat in a handful of different areas. Some are designed to harden Android itself, while others are tools for developers to use so it stays that way when we install apps. Let's take a look at the changes themselves.

Seamless updates

Google already does "seamless updates" on Chrome OS, and it works really well. Things will be very similar in Android.

Seamless updates will use two separate system partitions. One of them is the system you're running as you use your phone every day. When it's time for an update, the other system partition gets altered and updated, and the next time you reboot you're automatically switched over. The next time there is an update, the other system partition gets changed and you switch back.

Read more: Android 7.0: What are seamless updates and how do they work?

That means things can be done while you're working or playing, and when it is finished all you need to do is reboot normally. You'd be surprised (I was when I heard it) but a pretty large chunk of people don't update their phone because it takes a while. They might have done it once, then sat there waiting, and decided to not do it again. It's easy to dismiss the notification. But by changing the procedure, making updates easier, and eliminating the horrible wait time while seeing the "updating apps" dialog, more people will do it.

Network Security Configuration

Network Security Configuration lets app developers create and use a custom configuration file for network security settings instead of requesting system-level changes. The configuration file can be changed without modifying the app's code, can be set to use a custom Certificate Authority (CA) instead of the device default, and can also be set to ignore any or all of the CAs trusted by the system. This is important for connecting to a host whose certificate comes from a self-signed or private CA (for things like enterprise apps) or for an app that should only trust a specific CA.

In addition, the configuration can be set to opt out of all cleartext (unencrypted) network traffic and force encrypted communication over HTTPS. If you're a network admin or develop network apps, you know how important these changes are. The rest of us can be happy that apps with more secure network traffic are now easier to develop.
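As an added example (not from the original article or from Android itself), a small Python lint that reads a network_security_config.xml and flags the two weak settings the section warns about: cleartext traffic left permitted and user-installed CAs trusted. Both configs embedded in it are constructed samples; the pinned CA resource `@raw/my_ca` and the host `api.example.com` are placeholder names.

```python
import xml.etree.ElementTree as ET

# On Android 7.0 (API 24) the platform default, when no <base-config> is
# given, is cleartextTrafficPermitted="true" with the system CAs as trust store.
DEFAULT_CLEARTEXT = "true"

# Constructed sample of a weak config: cleartext allowed everywhere and
# user-installed CAs trusted for every connection the app makes.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificate src="system"/>
            <certificate src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample of the hardened form: HTTPS only, and the app's API host
# trusts just the bundled CA in res/raw/my_ca (placeholder resource name).
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificate src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificate src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
"""


def _trust_sources(section):
    """src values of the <certificate> entries in a section, or None if it has none."""
    anchors = section.find("trust-anchors")
    if anchors is None:
        return None
    return [c.get("src") for c in anchors.findall("certificate")]


def audit(config_xml):
    """Return a list of findings for one network_security_config.xml document."""
    root = ET.fromstring(config_xml)
    findings = []
    base = root.find("base-config")
    base_cleartext = DEFAULT_CLEARTEXT if base is None else base.get("cleartextTrafficPermitted", DEFAULT_CLEARTEXT)
    # a base-config without <trust-anchors> keeps the platform default (system CAs)
    base_sources = ["system"] if base is None else (_trust_sources(base) or ["system"])
    if base_cleartext.lower() == "true":
        findings.append("base-config permits cleartext traffic")
    if "user" in base_sources:
        findings.append("base-config trusts user-installed CAs")
    for dc in root.findall("domain-config"):
        domains = [d.text.strip() for d in dc.findall("domain")]
        # values set on a domain-config override base-config; unset ones are inherited
        cleartext = dc.get("cleartextTrafficPermitted", base_cleartext)
        sources = _trust_sources(dc)
        if sources is None:
            sources = base_sources
        if cleartext.lower() == "true":
            findings.append(f"cleartext permitted for {domains}")
        if "user" in sources:
            findings.append(f"user-installed CAs trusted for {domains}")
    return findings
```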

Media Server hardening

Remember Stagefright? While it was blown out of proportion by much of the media, there was a real issue hidden behind the hyperbole. A media file that can force a reboot or kill all audio simply by being played is a nasty issue, and the fact that (in theory) the same flaw could be used to secretly gain root permissions is even scarier. Google takes it very seriously, and we see patches to the media server library every month to try to stay ahead of the bugs and security concerns that come with it.

In Android N, the media server gets a big overhaul. Google has broken up the media server into smaller components that can be updated outside of a full system update — just like they did with the WebView component. This means when they have a new patch you can grab the update from Google Play instead of waiting six months or more for the people who made your phone to decide to send the patch out to you.

They have also changed the permission model for the media server, no longer giving it full system permissions. Running with low privileges makes it even harder for anyone to crack into the system if they do get into the media server. This is a major change, and will make hacking an Android phone (the bad kind of hacking) even harder than it used to be.

Key Attestation

Key Attestation lets developers make sure the keys their apps use are valid and stored in the phone's hardware-backed keystore, not in software. When the attestation API is given the alias of a generated key (the actual key should never be shared), it generates a certificate chain that can be used to verify the key. Developers can verify both the key and the verified boot state to make sure everything is valid.

Phones that ship with Android N and use Google services will have a certificate that's issued by Google as the root (or primary) authority while other phones that have been upgraded will need a certificate issued by the company who made them.

Not all phones that can run Android N have a trusted hardware environment to store encryption keys, and in those cases, software-level key attestation is used instead. The verified boot state can still be checked to make sure the system software hasn't been tampered with. Yes, this means a developer can check for root. That's a good thing provided no undue penalty is applied to users who have rooted their phone.
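As an added example (not from the original article or from Android's own code), the server-side check a developer would run on the attestation certificate chain described above: a minimal DER walker that reads the KeyDescription from the leaf certificate's attestation extension, reports whether the key lives in the TEE or in software, reads the verified boot state, and compares the challenge. The KeyDescription bytes are a constructed sample built by the block itself, not data from a real device; the OID and the [704] tag are those of the Android key attestation schema.

```python
from typing import List, Tuple

# Android key attestation: the leaf certificate carries a KeyDescription SEQUENCE
# in extension OID 1.3.6.1.4.1.11129.2.1.17 (listed for reference; not used below).
SECURITY_LEVEL = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}
BOOT_STATE = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
ROOT_OF_TRUST_TAG = 704  # context tag of rootOfTrust inside an AuthorizationList

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """Decode one DER TLV at pos -> (tag number, constructed?, value, next pos)."""
    first, pos = buf[pos], pos + 1
    constructed, tag = bool(first & 0x20), first & 0x1F
    if tag == 0x1F:  # high-tag-number form (used for [704])
        tag = 0
        while True:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, constructed, buf[pos:pos + length], pos + length

def _children(buf: bytes) -> List[Tuple[int, bool, bytes]]:
    """Split a constructed value into its child TLVs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        out.append((tag, constructed, value))
    return out

def parse_key_description(der: bytes) -> dict:
    """Read security level, challenge and verified boot state from a KeyDescription."""
    tag, _, body, _ = _read_tlv(der, 0)
    if tag == 4:  # a raw X.509 extension value arrives wrapped in an OCTET STRING
        _, _, body, _ = _read_tlv(body, 0)
    f = _children(body)  # version, level, km version, km level, challenge, uniqueId, sw, tee
    boot_state = None
    for auth_list in (f[7][2], f[6][2]):  # teeEnforced first, then softwareEnforced
        for tag, _, value in _children(auth_list):
            if tag == ROOT_OF_TRUST_TAG:
                _, _, rot, _ = _read_tlv(value, 0)  # EXPLICIT tag wraps the RootOfTrust SEQUENCE
                boot_state = int.from_bytes(_children(rot)[2][2], "big")
        if boot_state is not None:
            break
    return {"security_level": SECURITY_LEVEL.get(int.from_bytes(f[1][2], "big")),
            "challenge": f[4][2],
            "verified_boot_state": BOOT_STATE.get(boot_state)}

def attestation_acceptable(der: bytes, expected_challenge: bytes) -> bool:
    """Policy: hardware-backed key, verified boot, and the challenge this server issued."""
    d = parse_key_description(der)
    return (d["security_level"] in ("TrustedEnvironment", "StrongBox")
            and d["verified_boot_state"] == "Verified"
            and d["challenge"] == expected_challenge)

# ---- constructed sample, built with a tiny DER encoder (not from a real device) ----
SEQ, INT, ENUM, OCT, BOOL = b"\x30", b"\x02", b"\x0a", b"\x04", b"\x01"
ROOT_OF_TRUST_TAG_BYTES = b"\xbf\x85\x40"  # [704] EXPLICIT: 0xBF, then base-128 of 704
SAMPLE_CHALLENGE = b"server-nonce-0001"   # in practice a fresh random nonce per request

def _der(tag: bytes, body: bytes) -> bytes:
    if len(body) < 0x80:
        return tag + bytes([len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return tag + bytes([0x80 | len(ln)]) + ln + body

def build_sample(level: int, boot_state: int) -> bytes:
    """KeyDescription with the given attestationSecurityLevel and verifiedBootState."""
    rot = _der(SEQ, _der(OCT, b"\x11" * 32) + _der(BOOL, b"\xff") + _der(ENUM, bytes([boot_state])))
    tee_enforced = _der(SEQ, _der(ROOT_OF_TRUST_TAG_BYTES, rot))
    return _der(SEQ, _der(INT, b"\x01") + _der(ENUM, bytes([level]))  # attestationVersion, level
                + _der(INT, b"\x02") + _der(ENUM, bytes([level]))     # keymasterVersion, level
                + _der(OCT, SAMPLE_CHALLENGE) + _der(OCT, b"")         # challenge, uniqueId
                + _der(SEQ, b"") + tee_enforced)                       # softwareEnforced, teeEnforced
```

In a real deployment the chain's signatures are verified up to the pinned Google (or OEM) root before any of these fields are trusted.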

File-level encryption

Previously, Android used block-level encryption to encrypt the whole partition or storage device at once. This was a very secure encryption method, and keeping the actual keys out of storage and in hardware pretty much meant the only way in was with the right password or PIN. With Android N, things have been changed to file-level encryption.

Direct Boot is designed to work with file-level encryption in order to deliver both convenience and security.

When your encrypted Android device boots up (or reboots in your pocket), the device is encrypted and locked down. Only certain applications can run, and this is called direct-boot mode. It means you can still get phone calls or have an alarm go off (or even see some message notifications), but to do anything more you'll need to unlock and decrypt the device. Once unlocked, N uses file-level encryption to allow us (the user) and applications to have a bit more control over how data is locked up.

There are two advantages at play here — FDE (block-layer full-disk encryption) makes low-end devices run pretty poorly. It took Google a few tries on the Nexus 6 to get it right, and any device with lower than 50 MB/s read and write flash storage hardware still struggles. The second (and more important) advantage is the use of file-level encryption for Authenticated Encryption with Associated Data (AEAD). AEAD means that data is harder for an unauthorized user or application to access. For people interested in AEAD, here is a really good read from U.C. Davis professor Phillip Rogaway (.pdf file).

This multi-tiered approach to encryption will allow companies who make very budget-priced Androids to offer encryption without performance degradation.

Direct Boot

File-level encryption will also work better with the Direct Boot feature. Direct Boot brings a new mode that developers can leverage so that their app can run as soon as the system is powered on instead of waiting for a user to unlock the phone or decrypt it.

This is done in tandem with a new device storage area, and apps that use Direct Boot won't have any interaction with the normal credential-protected file system or any individually encrypted files or directories.

Read more: Android 7.0: What is Direct Boot, and how will it improve your experience?

Scoped Directory Access

Scoped Directory Access is a way for an app to get permission to access a specific directory on the external storage (external storage is a partition outside of the system and includes both your phone's storage and an SD card or other attached storage device) without asking for permission for the whole volume or using a pop-up window to ask for folder permissions.

Safely accessing stored data is important. An application that only needs access to the Music or Photos folder shouldn't be seeing anything else, and writing code against the existing Storage Access Framework to narrow things down has proven to be something many developers refuse to do. The new Scoped Directory Access API will make it easier for developers to build apps that are safe and protect your data.

These crucial security features are a big part of Android N. While some phones (especially those that don't ship with Nougat) may not use them all, each one helps protect our data when used properly. Android has matured, and the attention to detail Google is showing with 7.0 may not be as flashy as new emojis or a new color scheme, but it is much more important.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

76 Comments
  • I really hope "N" doesn't end up being Nutella... Posted via DROID Turbo (2014)
  • That would certainly shed some mainstream light on the Nexus phones! Posted via the Android Central App
  • My vote is for "Nerds". Posted from my Nexus 7 2013 via the Android Central App
  • This. It's been "Nerds" since before Kit Kat was substituted for Key Lime Pie.
  • I hope that file level encryption doesn't affect performance like with 5.0.x. Should we worry about that again or does being at the file level change that? I just fear for my N6 again Posted via the Android Central App
  • File-level encryption is a huge boost in performance from block-level encryption. It can be less secure if not done properly, but I think Google's two-layer approach with direct-boot is a good way to implement it.
  • Sweet! Thank you kindly Posted via the Android Central App
  • Still.... Expect brickfest 2017 (Android holocaust) to be a "thing" when N is released. Just sounds like waaay too many moving parts on Google's end for devices not to get "confused" and crap themselves.
  • The problem with encryption in 5.x (and up) was that the hardware available at the time didn't properly support hardware-accelerated encryption. On Intel's x86 chips, hardware-accelerated AES encryption is literally 8x faster than doing it in software, meaning the CPU has to work a lot harder to do the same work without hardware-acceleration. In the real world, this means that even if you have really fast storage, a Snapdragon 801 can't really use that speed because the CPU can't encrypt/decrypt fast enough. Newer processors don't have this limitation.
  • The file-level encryption must be the reason the Nexus 5X flies with the latest beta update. I had a hard time believing it was only a memory management update making that big of a difference. Posted via the Android Central App
  • Could be. I'll agree that the 5X on the latest beta is one of the fastest builds it's ever had, and makes for a great performing phone. At $199 (with a Fi activation that you can not renew after 1 month) it's the best deal in mobile.
  • "with a Fi activation that you can not renew after 1 month" That sentence made my brain hurt. Had to read it three times.
  • Heh. I grew up in the deep south in a household where the primary languages were hillbilly and German. Sometimes I make sense, others ...
  • Hey Jerry, since Google is separating the partition, why can't they do that for updates? One for the core OS and another for carriers to add their bloat and OEMs to add their skins. Posted via the Android Central App
  • I grew up in Iowa and it made perfect sense as soon as I read it as though it were a normal, spoken sentence. Trying to read it like one of those fancy people from the city is what threw me off.
  • I agree it's the best deal in mobile and I had to pull the trigger on it. Fi coverage has been so good in my work building, I've kept it as a work line.
  • For those testing N, how much storage space is chewed-up by the system partition used for the seamless updates? Having effectively two copies of the OS would seem to eat into storage available for apps and data.
  • None of that's finalized (or it's something Google isn't letting the folks doing it talk about just yet). Once I have the full details, we'll take a deep look into how it works and how much space it's going to use.
  • Didn't Google say that no current Nexus phones will get the feature because it would require users to full wipe their phones?
  • They did say that.
    But I don't think we know quite yet if they mean that they won't release OTAs or they won't release factory images at all.
  • Can you imagine the outcry if they forced this onto users who have 16GB devices?
  • Was wondering about storage as well. I would assume it would take up the same amount of room as the OS. What are we at right now, 1 GB? So maybe theoretically the total partition size might be 2.5GB to allow for variances? Posted via the Android Central App
  • "Will any of this have any meaningful impact?" We'll just have to wait until 2021 to find out! Android N should have at least 15% market penetration by then.
  • Why is there no "delete" option for comments? NVM. It's a rhetorical question.
  • Technically it's very easy to implement, some lines of code. But AC wants your comment to stay :) Posted via the Android Central App
  • There is only an edit option for up to 15 minutes after you first post (after that it gets locked).
  • Updates and encryption need to be opt-in and/or provide a native way to control whether they're implemented or not. Reason being, I don't want ANYTHING automatically updating on my Android device (just like my Windows PC) unless I've configured it to do so (opted in) or have explicitly approved it (ex. manually running Windows Update and choosing from the list of updates what to install or not). We're given this option with app updates so why not build it into OS updates as well? Same thing goes for file encryption, should be opt-in based on need (again just like my Windows PC which is not using encryption). Bottom line, it's my device and I should have control/say whether or not it gets an update or needs file encryption. Force them on me otherwise and I'm left with no other choice but to find another platform that gives me what I want.
  • So you'd rather have the most insecure device out of the box, just like your Windows PC? I'm more worried about the bloat that my Nexus phone comes with. I don't need Sheets, Slides, Docs, Chrome, Fit, and that other nonsense. Encryption should be mandatory these days with the way the US govt and police force illegally spy on its citizens.
  • The bloat on your Nexus phone? You must have never owned a non-Nexus phone? You don't want the Gapps? Thank God you own a Nexus phone so you can just install a custom ROM.
  • How does wanting control over updates make me less secure? Oh because you're making an assumption that I won't install them or that updates alone keep your device secure. If that's what you believe, enjoy the false sense of security. As to encryption, it's predicated on someone (even law enforcement) getting physical access to my device. Not gonna happen, especially my PC that's in my home, or my phone that's treated like an appendage. Not that either actually have anything on them worth encrypting (I'm smarter than that). Thus why I feel it should be MY decision and mine alone. I don't need/trust Google or anyone else for that matter to look out for my best interests. I can and prefer to do that myself! I take full responsibility for it.
  • Dude, Windows 10 Home doesn't even allow you to opt out of updates out of the box anymore. It's the way of the world now of consumer computer/mobile products. Yes, you own the device but you bought one that is locked down. The solution is easy... Buy a Nexus device and load a custom ROM.
  • So I should just accept it? NO! Not gonna happen. Besides there are ways even for Windows 10 Home users to stop automatic updates. But myself, being in the IT field I only use Pro or Enterprise Windows products (even at home) which provide more options to control OS updates. Point being, Windows (even version 10) still gives users control over OS updates, Google should do the same with Android!
  • Cool, I work in the IT field myself and use Windows Pro also but that's not relevant to this conversation now is it? My point is Android is a consumer mobile OS just like Windows 10 Home is a consumer OS for PCs. That means automatic updates because most consumers want that feature because they don't want to bother with managing that themselves. Did I say you need to accept that? No... Buy Windows Pro, stay on Windows 7, or switch to Linux on the PC. Android, I gave you one solution which was a Nexus phone with a custom ROM. That should be trivial for someone like you who works in the IT field.
  • +1 Posted via the Android Central App
  • You just have to set your connection to metered and Windows 10 won't update automatically.
  • Thanks but my desktop PC doesn't have a wireless card. I don't really want to turn Windows updates off but to be able to manually apply updates and choose which ones to install.
  • I agree. Especially when the way Google does encryption impacts performance. I use my phone as a toy. I have it protected by a password. If someone steals it and somehow gets into it there isn't anything on it that is that sensitive anyway. I mean I wouldn't want my email exposed but I would change that password immediately. It isn't like I store tax returns or anything sensitive on my phone...who would? What are people actually using encryption to protect? Encryption is just not something I need and definitely isn't something I am willing to sacrifice performance for.
  • I agree Google should allow one to turn encryption off but at least on the new Nexus phones with the SD820/821 the encryption performance hit will be negligible.
  • Correct me if I'm wrong but doesn't the seamless update thing still have to go through the carriers first?
  • It should be mentioned that seamless updates is not going to be for our old phones. Posted via Serenity
  • I vaguely remember reading or hearing somewhere (either AC podcast or All About Android) that the partitioning won't be coming to existing Nexus devices as the repartitioning would (obviously) wipe the device. Whilst the majority of people reading this article are enthusiasts who will probably understand that, I figured it worth mentioning. Also I've not seen anything to say if I flash a stock image from Google whether it will repartition to use the new system. Has anyone looked at this with the beta? Obviously things can change before release but I'm curious, but don't have the time myself at present to check it out. Posted via the Android Central App
  • When I talked to the Android security team about this, I was told "never say never". I'm waiting for more information before I say anything about anything :P
  • Hey Jerry! Great write up. I am also more security minded so I really appreciate it when you take on these topics. Curious, what do you think the likelihood is that Samsung would prepare the new Note for having the two system partitions for seamless updates? Posted via the Android Central App
  • Direct boot mode sounds like a workaround for law enforcement to illegally access your device. Also, I'm sure the NSA doesn't mind these metadata leaks and I doubt Google would patch it considering how they bend over for the US govt.
  • Obvious troll is obvious.
  • Well I wish the Nexus would have better DAC chips and micro SD support. Posted via the Android Central App
  • #nexusmasterrace Posted via my glorious Nexus 6P
  • There seems to be the potential for file based encryption to be used as an anti cheat measure for games. Posted via my Nexus 5X or Pixel C
  • Didn't Google once say that seamless updates are likely not coming to phones that aren't running Android N out-of-the-box due to the partitions and them being wiped? Mmmmm, Android Smores....
  • Hopefully Google will require seamless updates for security fixes.
  • No way. Manufacturers will not like the idea of doubling the necessary storage space for updates when people already whine about lack of storage.
  • Well no one will be getting seamless updates as confirmed by Google, as there are no current handsets that can handle it; not even the 5X or 6P can handle the complete new seamless system. We have had a version of it since Lollipop where system updates perform in the background so you can still use your phone. LG always gets updates to the users fast, very fast compared to Samsung or HTC. I get my updates as soon as they're launched with my LG.
  • The best security is "YOU". Now I know a lot of you are all in with Google or whatever tech it is you are using. Do yourselves a huge favor and don't forget how to take care of your online security. It's your responsibility to secure your online business. I even recommend people practice going dark from time to time. Posted via the Android Central App
  • Yup Posted via the Android Central App
  • Out of curiosity, how much do you spend annually on tin foil hats?
  • Of course. Anybody concerned with online security or privacy is a tinfoil hat lunatic. Posted via the Android Central App
  • I'll tell you what. I'm going to do you a favor. I'm going to give you an opportunity for you to put your money where your mouth is. Are you one of those people who say "I don't have anything to hide"? Well if you are one of those people why don't you post your passwords right here in the comments section that way we can look at your stuff. That is only if you are one of those fools who say "I don't have anything to hide". Posted via the Android Central App
  • Dropbox login tomw2011@gmail.com
    Password: 1qaz@WSX3edc$RFV I was even nice enough to put in all in a folder for you :)
  • Right Posted via the Android Central App
  • Loooool....
  • So BlackBerry can't claim it's the most secure then. Posted via the Android Central App
  • So does that mean seamless updates has 2 whole systems on the phone? That sounds like it would take a huge chunk of your memory, which would be really annoying if you only had 16GB, even with 32GB...
  • Correct, kinda. Things are split between the system partition and the userdata partition (among other partitions). The OS itself lives in the system partition, whereas all your data is in the userdata partition. Only the system partition containing the OS is duplicated, so it's not a complete mirror image of everything on your phone.
  • It's only a feature on new phones, aka this year's upcoming Nexus, the LG V20, etc (I don't know if this is an opt in/out or mandatory feature for new phones, can't remember). Any current phones won't have this, because Google doesn't want to deal with rearranging partitions and crap on phones that already have stuff on them. And considering 60TB SSDs are a thing now, 64GB better become pretty standard storage space pretty soon.
    But yeah, it does take up a lot of room, so I imagine this will first be seen on flagship devices that have at least 32GB minimum storage.
  • This is the EXACT thing I was thinking but came to check if anyone else brought this up yet. Sure enough you did. If this means the 23 GB free on a 32 GB phone (9 GB for system) now becomes only 14 GB free (18 GB for system) I will be really not happy with seamless updates. I'd rather updates stay the same instead of losing an extra 8-10 GB of space. Does Jerry or anyone on the AndroidCentral team know if the seamless updates will result in double the lost space from the system partition (100% increase) or something less than 100%? If it's just a 10-20% increase for system then that won't be so bad. Posted via the Android Central App
  • I actually don't update my phone right away because I have no choice but to use WiFi to download the update. Posted via the Android Central App
  • Since the Note 7 won't have this update, when can we expect it?
  • Probably in a few months, depending on your carrier.
  • A few months is very optimistic. It took Samsung what, 5 months to get marshmallow onto their then current flagships? Posted via the Android Central App
  • Until Google stops cheaping out on their devices by not offering hardware encryption I will disable it every time. That is one thing Apple actually does right.
  • The Nexus 6P and 5X have a hardware based TEE. https://www.reddit.com/r/IAmA/comments/3mzrl9/hi_im_hiroshi_lockheimer_here_at_google_with_the/cvjkz9z All phones that use Nexus Imprint have to have one. https://support.google.com/nexus/answer/6300638 The Nexus 6P uses hardware to run and process AES encryption algorithms (as well as SHA1 and SHA2 algorithms), but not the old way with a separate AES block in the SoC. The ARMv8a spec provides a new instruction set for hardware in the CPU itself that's specifically designed for encryption. The v8.1-a spec makes the inclusion of this hardware mandatory. This is faster than a self-contained ASIC for running AES algorithms. Technically, this is hardware-accelerated software controlled and/or limited. I think this is one of the differences between the Snapdragon 810 and the Snapdragon 810 v2.1. I'll go out on a limb and say the improvements made here aren't going to be noticeable to the user. This method may be more powerful and more efficient than a separate ASIC for AES computation like the people making the chips say, but this was done to minimize the need for extra firmware and provide an out of the box solution. In other words, easier and cheaper for the people who make CPUs. This isn't a Google thing, either. It's an ARM thing and any company making a phone using an ARM V8a or ARM V8.1a spec CPU can do the same. In fact, the Note 4 could have used this method, but they built the Exynos 5433 so that it only ran in AArch32 mode because Android and Tizen were not 64-bit ready. Qualcomm (not sure about others) still will provide a SoC with a dedicated AES block, and Apple still uses one — I'm guessing so that they can maintain software compatibility with older models that don't have an ARMv8a CPU. They'll eventually drop support for one unless a customer wants a custom design. tl;dr — A phone with a CPU that supports the ARMv8 arch. doesn't need a separate AES block because it can be built into the CPU. When phones ship with an ARMv8.1-a spec CPU this hardware has to be built in. But nobody has to use it and separate AES blocks are still supported.
  • My Xperia just got a software update, which included the May security patch (previously I was on March) So congrats on that, Sony :-/ Posted via the Android Central App
  • They'll keep doing that as long as you keep buying them :)
  • Thankfully they haven't made one worth buying in a while, so there's little danger of that in the near future. Posted via the Android Central App
  • This was a really good article - very informative. Thank you, Jerry!