Android is the most widely used mobile operating system in the world, but it is also the most challenging to protect against evolving security threats. Google is working to improve Android’s security by implementing firmware-level security features, which may come with a performance cost.
Google is aiming to enhance the security of its Android operating system by reinforcing it at the hardware level. This aligns with the current trend of securing less visible components of the software stack to add more layers of protection against modern cyber threats.
All Android devices run on Systems-on-Chip (SoCs), which consist of multi-core processors, including application processors and specialized processors for images, video, security, and cellular communication, all governed by firmware. Malicious actors are increasingly targeting this part of the software stack by finding vulnerabilities that can be exploited remotely. This is a significant concern for companies like Google, which coordinates with a large number of OEM partners to distribute security fixes quickly and efficiently.
Google has a multi-faceted approach to improving Android’s security. Firstly, it intends to introduce a protection mechanism in the form of compiler-based sanitizers that can detect memory safety issues early in the software development process.
Secondly, Google plans to collaborate with hardware partners to include memory safety features at the firmware level. These features will prevent critical memory errors and include a mechanism that erases the contents of memory pages before they can be allocated to an app. This ensures that any data left behind by a different app is entirely erased.
Lastly, the company will incorporate a series of mitigations designed to make it more challenging for hackers to exploit unknown bugs. One drawback of these mitigations is that they may reduce performance, as not all parts of an SoC have the same resources. Google acknowledges that striking a balance between performance and security will be a challenge moving forward but emphasizes that optimizations can be made.
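The page-erasing mechanism described above, shown as an added illustration that is not Google's or any vendor's code: a toy page pool in C that counts how many bytes of one app's data a second app can read from a reused page, with and without zeroing on allocation. All names, sizes and the sample secret are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 64   /* toy size; real pages are typically 4096 bytes */
#define POOL_PAGES 4

/* Hypothetical page pool standing in for a firmware or OS page allocator. */
struct page_pool {
    unsigned char mem[POOL_PAGES][PAGE_SIZE];
    int in_use[POOL_PAGES];
    int zero_on_alloc; /* 0 = weak setting, 1 = hardened setting */
};

/* Hand out the first free page; wipe it first when hardening is enabled. */
unsigned char *page_alloc(struct page_pool *p) {
    for (int i = 0; i < POOL_PAGES; i++) {
        if (p->in_use[i]) continue;
        p->in_use[i] = 1;
        if (p->zero_on_alloc)
            memset(p->mem[i], 0, PAGE_SIZE);
        return p->mem[i];
    }
    return NULL; /* pool exhausted */
}

/* Release a page without clearing it, as a speed-focused allocator might. */
void page_free(struct page_pool *p, unsigned char *page) {
    for (int i = 0; i < POOL_PAGES; i++)
        if (p->mem[i] == page)
            p->in_use[i] = 0;
}

/* "App A" writes a secret and frees its page; "app B" then receives the same
 * page. Returns how many bytes of A's secret B can still read. */
size_t stale_bytes_seen(int zero_on_alloc) {
    static const char secret[] = "constructed-sample-secret";
    struct page_pool pool;
    memset(&pool, 0, sizeof pool);
    pool.zero_on_alloc = zero_on_alloc;
    unsigned char *a = page_alloc(&pool);
    memcpy(a, secret, sizeof secret);
    page_free(&pool, a);
    unsigned char *b = page_alloc(&pool); /* same page A just released */
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof secret - 1; i++)
        if (b[i] == (unsigned char)secret[i]) leaked++;
    return leaked;
}

int main(void) { return stale_bytes_seen(1) == 0 ? 0 : 1; }
```

The wipe runs on every allocation, which is the kind of per-operation cost behind the performance trade-off the article mentions.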
The fragmentation of the Android ecosystem remains one of Google’s most significant security concerns. Although the company has made considerable efforts to write almost all new code for Android versions 12 and higher in memory-safe languages like Rust, user adoption has been relatively slow. Additionally, malware creators can easily bypass Android security measures using stolen Platform certificates.