Lily Hay Newman
Google has long grappled with data privacy gaffes and internal instability, but through it all the company has consistently improved the security and privacy of Android. Given the operating system’s 2.5 billion users, that’s no small task. With the release of Android 10 in just a few weeks, the new iteration of data and privacy features is coming into even sharper focus.
The privacy and security tools new to Android 10—Google has finally ditched the dessert-themed names—aren’t the most outwardly flashy. The Android team has focused instead on labor-intensive technical changes and upgrades that will have an outsized effect. And the improvements touch numerous parts of the system, from how it deploys encryption to how settings are organized and applications are quarantined from each other.
“I don’t think security and privacy are a new theme just in Android 10,” says Charmaine D’Silva, an Android product manager who works on privacy. “But when we thought about planning for the release we definitely thought that we should focus more on the space as we get more mature as a product.”
What you’ll notice most: Android 10’s attempts to give you more control over your data. As an open source platform, Android can usually be implemented in whatever way manufacturers want, with few requirements about how the user interface looks or functions. But with Android 10, Google will mandate across all manufacturers that the Privacy and Location menus are in the same place in the Android Settings menu no matter what Android smartphone you’re on. This way, users of any Android 10 device can always find these options in the same digital location, instead of navigating through confusing, unfamiliar menus.
Android 10 introduces other requirements as well: Apps must request permissions and re-check your choices more often for things like accessing your location. Android 10 will also introduce geofencing features where, instead of just turning that type of location tracking on or off, you can select an option in which geofencing only works when an app is actively open on your screen.
Seeking to improve its stance on another controversial topic, Android 10 also incorporates new restrictions on an app’s ability to access unchangeable device identifiers, like device serial numbers or other industry IDs. Instead, Google will now require developers to use resettable identifiers to keep track of users. That way, if these digital fingerprints are ever compromised, or if you want to wipe your digital slate clean, there’s a mechanism to do that.
The topic is especially relevant thanks to increased awareness about user tracking for ad targeting, but the industry has been debating the threat of collecting permanent device identifiers for nearly a decade. Android has a changeable “Advertising ID” and Apple’s iOS offers a similar “Identifier for Advertisers.” Apple started requiring that advertisers use only the IDFA in 2013, and Google began mandating advertiser use of its AAID in 2014.
Now those measures are increasingly expanding outside of advertising. In Android 10, developers still have relatively persistent ID options—so you can’t, say, claim a promotion in an app, delete the app, re-install it, and instantly claim it again—but the goal is to strike more of a balance between a developer’s ability to keep track of users and a user’s ability to take back some control. “We wanted to allow users to reset them when they don’t want to be tracked,” Android’s D’Silva says.
Many changes in Android 10 highlight the tension between creating a platform that is as flexible and open as possible and still upholding some security and privacy requirements. D’Silva emphasizes that the transition to resettable IDs involved extensive collaboration with manufacturers and developers. Similarly, Android 10 places new restrictions on apps’ ability to move from running in the background to asserting themselves in the foreground for users. In the case of, say, an alarm clock app, developers will still have the option to alert you that an alarm is going off, but will no longer be able to take over the whole screen if you’re doing something else. The goal is to reduce interruptions and, particularly, unexpected surprises. But for developers, such changes can feel like an erosion of Android’s open source roots.
“That’s a big balance we’re trying to strike, making sure that developers still have the freedom to innovate the way they want to while also protecting our users,” D’Silva says. “We go back and forth a lot on this. We may not always get it right, but we definitely keep both things in mind as we make decisions.”
Some of the most substantive changes, meanwhile, will take place even deeper under the hood. A prime example is how Android 10 will handle web encryption. It will enable the TLS 1.3 standard by default on all connections that support it. It’s not the kind of thing you’ll notice in the course of your web surfing, but the update ends support for old, weak cryptographic algorithms and makes the process of encrypting data in transit more secure, faster, and more efficient.
All new devices released with Android 10, including even internet-of-things gadgets without powerful processors, will also be required to implement disk encryption. The demand is feasible thanks to a custom encryption scheme called Adiantum, which Google developed earlier this year to bring stronger protection to the myriad Android devices on the market. Adiantum is still based on established and vetted encryption schemes, but it implements them in more efficient ways, so they can run on any device. Products that use older versions of Android are encouraged, but not required, to implement device encryption at this point.
“Adiantum for us is a really big change—you could say a five-year journey to move the whole ecosystem. And it will have a long tail,” says René Mayrhofer, head of Android platform security. “With Android releases you can’t just build from scratch. The ecosystem builds on older chipsets, old cores, and those just can’t get retrofitted with new hardware to support encryption.”
Android 10 also adds yet another new encryption requirement, to implement what’s called “file-based encryption” instead of the old scheme, known as “full-disk encryption.” Originally introduced in Android 7 Nougat, file-based encryption allows devices to boot directly to their lock screen without requiring an initial password. That means accessibility services and alarms can start working as soon as you power up. File-based encryption is also more secure for devices used by multiple people or with a “work profile”—which separates professional and personal apps and data—because the device doesn’t need to be decrypted to boot to the lock screen. Instead, it can decrypt only the data relevant to a specific, signed-in user, after the phone has had a chance to start. It’s another transition years in the making that will still take time to gain full device adoption.
Based on this recent work with data encryption, both on your device and in transit across the web, the Android team also released a new security library for coders to incorporate into their own apps through Google’s Jetpack development tools. The goal is to essentially spread the wealth and help developers get security right in their apps, even if they don’t have extensive expertise in the field.
These tools, combined with other improvements baked into Android 10, also strengthen protections in the “sandboxes” that silo apps to stop them from leaking data to each other or gaining system access they shouldn’t have. Android 10 is even designed to use some “tiny sandboxes” that individually cordon off system processes and app components that have interoperability issues or run potentially buggy legacy code.
“If we look at all the bugs that we receive through the bug bounty year after year, the vast majority of them are related to memory safety, or things like Bluetooth and the kernel,” the sensitive code at the core of an operating system, says Xiaowen Xin, the lead product manager for Android security features. “So we’re always hardening options that we add year over year, because you can’t just do it across the board. It’s an iterative process.”
Android’s security and privacy evolution, over more than 10 years, has fundamentally overhauled the operating system’s posture in countless positive ways. But a platform as capable and diverse as Android always has more weaknesses and exposures to work on.
“Google is for sure taking good security steps hardening Android,” says Nikolaos Chrysaidos, a mobile security and malware researcher at Avast Antivirus. “But where I think Android still lacks is on checking and limiting the overuse of suspicious ad development tools. And the Google Play Store still needs lots of improvements about checking for suspicious apps.”
Though security and privacy improvements in Android 10 are all about refinement rather than dramatic gestures, there’s something to be said for the importance of a rebuilding year—especially when you have 2.5 billion people counting on you to get it right.