Android Oreo: What’s new on the security front
On Monday, Google released the long-awaited Android 8.0 Oreo in an unveiling that coincided with the total solar eclipse visible in much of the US.
The newest version of the OS contains many new features and behavior changes, as well as many security improvements and security-related changes.
Android Oreo security improvements
With Android 8.0 Oreo, the platform no longer supports SSLv3 (it was about time), and it no longer falls back to earlier TLS protocol versions and retries when establishing an HTTPS connection to a server that incorrectly implements TLS protocol-version negotiation. Apps’ Web content is also now handled in a separate, isolated process from the containing app’s process.
It was already known that the newest addition to the Android OS line would prevent apps from drawing on top of the system UI, in an attempt to foil screen-hijacking malware.
A new restrictive permission called TYPE_APPLICATION_OVERLAY will block pop-up windows from being positioned above any critical system windows, such as the status bar and IMEs, allowing users to access settings and block the app from displaying alert windows.
Oreo also features Google Play Protect, a security suite for Android devices that scans and verifies apps users want to download from Google Play, monitors apps users have downloaded from a third-party app store (looking for any change in behavior), periodically scans the device for potentially malicious apps, and more. The suite constantly updates itself, and is on by default.
Finally, the Allow unknown source setting is no longer offered to facilitate the installation of apps from outside of Google Play and other preloaded stores.
“A common strategy employed by PHA (Potentially Harmful Apps) authors is to deliver their apps via a hostile downloader. For example, a gaming app might not contain malicious code but instead might notify the user to install a PHA that masquerades as an important security update. Users who have enabled the installation of apps from unknown sources leave themselves vulnerable to this deceptive behavior,” Google explained.
Apps from unknown sources
In Oreo, a new permission – Install unknown app – is added to make it safer to install apps from unknown sources.
“This permission is tied to the app that prompts the install—just like other runtime permissions—and ensures that the user grants permission to use the install source before it can prompt the user to install an app. When used on a device running Android O and higher, hostile downloaders cannot trick the user into installing an app without having first been given the go-ahead.”
Users can see to which apps they have given permission to install unknown apps through the Settings app, where they can also revoke it at any time.
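The per-app grant described above, seen from the side of a legitimate app that installs packages. This is an added example, not code from Google or from the article. The class name, request code and the already-verified content:// APK URI are assumptions, and the app's manifest is assumed to declare android.permission.REQUEST_INSTALL_PACKAGES.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;

/** Hypothetical helper: asks for the per-app "Install unknown apps" grant before installing. */
public final class UnknownSourceInstaller {
    private static final int REQ_UNKNOWN_SOURCES = 1001; // hypothetical request code
    private final Activity activity;
    private Uri pendingApk; // content:// URI of an APK this app has already verified

    public UnknownSourceInstaller(Activity activity) { this.activity = activity; }

    public void install(Uri apkContentUri) {
        pendingApk = apkContentUri;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                && !activity.getPackageManager().canRequestPackageInstalls()) {
            // The user has not allowed THIS app as an install source yet:
            // open its own "Install unknown apps" screen instead of prompting an install.
            Intent settings = new Intent(Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES,
                    Uri.parse("package:" + activity.getPackageName()));
            activity.startActivityForResult(settings, REQ_UNKNOWN_SOURCES);
            return;
        }
        launchInstaller();
    }

    /** Forward Activity.onActivityResult() here; it is only reached on Android 8.0+. */
    public void onActivityResult(int requestCode) {
        if (requestCode != REQ_UNKNOWN_SOURCES || pendingApk == null) return;
        // Re-check the grant itself rather than trusting the settings screen's result code.
        if (activity.getPackageManager().canRequestPackageInstalls()) {
            launchInstaller();
        } else {
            pendingApk = null; // user declined: drop the request, do not re-prompt in a loop
        }
    }

    private void launchInstaller() {
        // Hands the APK to the system package installer, which shows its own confirmation.
        Intent install = new Intent(Intent.ACTION_VIEW)
                .setDataAndType(pendingApk, "application/vnd.android.package-archive")
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        pendingApk = null;
        activity.startActivity(install);
    }
}
```

Because the grant can be revoked in Settings at any time, the check runs before every install rather than being cached.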