What is app security ?
Mobile app security is the extent of protection of mobile applications from malware and the activities of crackers and other criminals. The term can also refer to various technologies and production practices that minimize the risk of exploits to devices through their apps.
A mobile device has numerous components, all of them vulnerable to security weaknesses. The parts are made, distributed, and used by multiple players, each of whom plays a crucial role the security of a device. Each player should incorporate security measures into mobile devices as they are designed and built, and into mobile apps as they are conceived and written, but these tasks are not always adequately carried out. Common vulnerabilities for mobile devices include architectural flaws, device loss or theft, platform weakness, isolation and permission problems and application weakness.
Security in Oreo
Android Marshmallow and Nougat has enhanced hardware security on devices. But with Android Oreo, Google has provided a new reference implementation of its Verified Boot that is designed to prevent devices from booting up with software called as Android Verified Boot 2.0, runs with Project Treble to enable security updates like common footer format and rollback protection.
Google has claimed to have invested support in tamper-resistant hardware, including the development of a physical chip that can prevent software and hardware attacks on the new Pixel 2 family. It also resists physical penetration attacks.
Android Oreo also enables an enhanced isolation which removes direct hardware access from the default media frameworks. Similarly, Google has enabled Control Flow Integration (CFI) across all media components to disallow arbitrary changes to the original control flow graph to make it harder for attackers to perform malicious activities. Oreo version also has sec-comp filtering, hardened user copy, Privileged Access Never (PAN) emulation, and Kernel Address Space Layout Randomization (KASLR). Additionally, Google has isolated Web View by splitting the rendering engine into a separate process and running the same in an isolated sandbox to restrict external resources.
With Android Oreo (referred to as simply O), Google has elevated security, introducing important device hardening such as Project Treble, System Alerts, device permissions and Verified Boot.
Mobile security experts point to the introduction of Project Treble in O as a major security milestone for Google. Project Treble is Google’s revamp of the Android OS framework — separating the vendor implementation (device-specific, lower-level software written by third-party manufacturers) from the Android OS framework.
Project Treble aims to making updates faster,easier and cheaper for OEMs and components manufacturers to roll out to android devices. Treble is one of the largest changes done in android Oreo , but hardly noticeable as it runs behind the scenes.
The strategy of segmenting parts of the Android platform along with allowing more efficient component management and better vulnerability containment is another meaningful part of Project Treble. It is also a part of an ongoing strategy by Google in order to reduce Android’s attack surface. Lately, Google has approached security with different perspective , focusing on exploit solutions such as fstack-protector and ASLR, which prevents format string weaknesses.
In 2014, Google said, kernel bugs represented four percent of reported bugs compared with 39 percent today. In reference to this, Android O limits access to the kernel by use of a a sec comp filter. Sec comp (short for secure computing mode) is a security feature that filters system calls to the kernel using a configurable policy which gradually is reducing unused system calls.
Enhanced App Management and Permissions
With Oreo, Google is also reconsidering app permissions and scaling back what they are allowed to do.
One of the most common ways attackers try to exploit a device is by building malware into an application. Despite the fact Google does a lot of verification on its Play Store to ensure no malware is present in applications, users can side-load an application from a third-party app store.
Google said it will also reinforce security on its System Alert window functionality. The System Alert feature allows developers to create apps that can pop-up or display windows on top of all other Android apps running on a handset.
Verified Boot System
Android has had a Verified Boot system since 2013 that checks a user’s software as it loaded the OS for vulnerabilities. For Oreo, Verified Boot goes a step further and prevents users or hackers from booting to older more vulnerable versions of the OS .
When it comes to security in software, the evolution never ends. From a bigger perspective, app security is a puzzle with numerous pieces moving around.