Significant security enhancements of recent major Android versions, starting with Android 5.0 Lollipop (API 21).
Security Enhancements - Android 5
- Starting August 2023, Google Play Services updates will only be received from this Android version onwards, see Google Play services discontinuing updates for KitKat (API levels 19 & 20) starting August 2023
- Full Disk Encryption (FDE) by default (manufacturers can still opt out), see Encryption and Security Enhancements in Android 5.0
- SELinux fully enforced, see Security Enhancements in Android 5.0
- `WebView` is a separate package, see Security Enhancements in Android 5.0 and The Updatable WebView on Android 5.0 Lollipop What Is It and Why Should You Care?
Security Enhancements in Android 6
- Keystore API significantly extended (symmetric cryptographic primitives, AES and HMAC support and access control system for hardware-backed keys), see Hardware-backed Keystore
- TEE is a requirement, see Hardware-backed Keystore and 7.3.10. Fingerprint Sensor section of Android 6.0 Compatibility Definition
- New API (`isInsideSecureHardware`) for checking whether a KeyStore key is stored in secure hardware (e.g., Trusted Execution Environment (TEE) or Secure Element (SE)), see isInsideSecureHardware method of KeyInfo
- Apps need to request permissions at runtime, see Runtime Permissions section of Android 6.0 Changes and Request runtime permissions and Security Enhancements in Android 6.0
- More restrictive SELinux (IOCTL filtering, tightening of SELinux domains, etc.), see Security-Enhanced Linux in Android and Security Enhancements in Android 6.0
Security Enhancements - Android 7
- Separate User and System Certificate Trust Store, meaning Man-in-the-Middle attacks basically require root access from this point, see Changes to Trusted Certificate Authorities in Android Nougat
- Added Network Security Config support so apps can customize the behavior of their secure (HTTPS, TLS) connections in a simple declarative way, without code modification. It supports custom trust anchors (which Certificate Authorities (CA) the app trusts), debug-only overrides, cleartext traffic opt-out and certificate pinning (limiting which server keys are trusted), see Network Security Config section of Android 7.0 for Developers
- By default apps targeting Android 7.0 only trust system-provided certificates and no longer trust user-added Certificate Authorities (CA), even without custom Network Security Config, see Default Trusted Certificate Authority of Android 7.0 for Developers
- Update to Keymaster 2 with support for Key Attestation and version binding (preventing rolling back to an unsecure old version without losing keys), see Key Attestation section of Android 7.0 for Developers and Keymaster Functions and Verifying hardware-backed key pairs with Key Attestation and Key and ID Attestation
- File Based Encryption (FBE) introduced, but it's optional to implement by manufacturers, see Direct Boot section of Android 7.0 for Developers and Support Direct Boot mode and Encryption
- Updated SELinux configuration: further locking down application sandbox, breaking up mediaserver stack into smaller processes with reduced permissions (mitigation for Stagefright), see Security-Enhanced Linux in Android
Security Enhancements - Android 8
- JavaScript evaluation runs in a separate process in `WebView` so JavaScript code cannot access the app's memory so easily, see What’s new in WebView security and Security section of Android 8.0 Behavior Changes for All Apps
- `WebView` respects Network Security Config and the `cleartextTrafficPermitted` flag (on older Android versions it loads HTTP sites even if clear text traffic should not be allowed by the config), see Security section of Android 8.0 Behavior Changes for Apps Targeting Android 8.0
- Safe Browsing API added to `WebView` so users would be warned when trying to navigate to a potentially unsafe website (verified by Google Safe Browsing) if enabled, see WebView APIs section of Android 8.0 Features and APIs
- `FLAG_SECURE` `Window` flag is supported more widely and disallows taking screenshots of the screen where this is set
- Update to Keymaster 3 with rewritten Hardware Abstraction Layers (HALs) written in HAL Interface Definition Language (HIDL) and in C++ (as compared to Legacy HAL that was written in C) with ID attestation support, see Hardware-backed Keystore and Keymaster Functions and Key and ID Attestation
- Project Treble introduced (only devices released with this version support project Treble, the ones updated will not get it), separating lower-level vendor code from Android system framework and enabling easier security update delivery, see Here comes Treble: A modular base for Android and Treble Plus One Equals Four
- Updated SELinux to work with Treble. SELinux policy allows manufacturers and SOC vendors to update their parts of the policy independently from the platform and vice versa, see Security-Enhanced Linux in Android
- Further hardening of the media stack: moved Hardware Abstraction Layers (HALs) from running in a shared process to running in their own sandboxed processes
- To allow installing apps from unknown sources (i.e. not from Google Play) apps need explicit permission granted by the user for the particular app in Android settings (and users can revoke such permission and manage it per-app at any time too), see User opt-in for unknown apps and sources section of Publish your app and Security section of Android 8.0 Behavior Changes for All Apps
Android 9 release notes - Security features
- Cleartext network traffic (HTTP) disabled by default, apps need to explicitly set `cleartextTrafficPermitted` to `true` in their Network Security Config if they still want to use it (not recommended), see Network TLS enabled by default section of Behavior changes: apps targeting API level 28+ and Android: Cleartext HTTP traffic not permitted Android 9
- Update to Keymaster 4 with support for 3DES encryption and secure key import, see Hardware-backed Keystore and Keymaster Functions
- Replace many BouncyCastle implementations of cryptographic algorithms with Conscrypt ones, see Conscrypt implementations of parameters and algorithms section of Android 9 Behavior changes: all apps
- Added support for embedded Secure Element (SE), see Secure Element (SE) service section of Android 9 release notes and CTS test for Secure Element
- Disk Encryption (can be either Full Disk Encryption (FDE) or File Based Encryption (FBE)) is mandatory for all devices (shipping with this version)
- BiometricPrompt introduced, standardizing the UI shown during biometric authentication and providing a better API to apps that is harder to misuse; the previous solution, FingerprintManager, is deprecated, see Show a biometric authentication dialog
Security Enhancements - Android 10
Android 10 release notes - Security features
- File access disabled by default in `WebView`, see setAllowFileAccess method of WebSettings
- TLS 1.3 becomes available and enabled by default, see TLS 1.3 enabled by default section of Android 10 Behavior changes: all apps
- Certificates signed with SHA-1 no longer trusted in TLS
- Background apps cannot launch other Activities (e.g. other apps), see Background apps launching section of Android 10 release notes and Background activity restrictions section of Security and Privacy Enhancements in Android 10
- File Based Encryption (FBE) is mandatory for devices that launch with this Android version (devices updated to it can still continue using Full Disk Encryption (FDE)), see Encryption
- `FLAG_SECURE` flag is added for biometric or device credential (PIN, pattern or password) prompts, including both unlocking the device and BiometricPrompt in apps - this means you cannot take a screenshot of these screens and they also appear blacked out in screen shares, see source for com.android.systemui.biometrics.AuthContainerView on Android Code Search
- Only the default Input Method Editor (IME) app can access Clipboard data from the background, see Limited access to clipboard data section of Privacy changes in Android 10 and Clipboard data section of Security and Privacy Enhancements in Android 10
- StrandHogg 2.0 exploit (CVE-2020-0096) no longer possible (a patch for the vulnerability is also backported to Android 8.0, 8.1 and 9.0 with the May 2020 security update - if the manufacturer released the update to a device), see StrandHogg Attack / Task Affinity Vulnerability and StrandHogg 2.0 Exploit Explained - Why Users and Android App Developers should care and Strandhogg Vulnerability
- Project Mainline introduced (only devices released with this version support project Mainline, the ones updated will not get it), building on top of Treble - that was introduced with Android 9 (API 26) - further simplifying and expediting Android OS updates. It makes it possible to deliver selected AOSP components faster, without needing a full OTA update from the phone manufacturer, see Fresher OS with Projects Treble and Mainline
Android 11 release notes - Security
- Task Hijacking (StrandHogg 1.0) exploit (when another app sets its `taskAffinity` to the same as the target's to trick the user into launching it even if they intended to launch the target app and used its legitimate app icon) no longer possible, see StrandHogg Attack / Task Affinity Vulnerability and Strandhogg Vulnerability
- Apps can no longer query information about other installed apps by default, see Package visibility filtering on Android and Package visibility in Android 11
- Runtime Permissions auto-reset for unused apps, see Auto-reset permissions from unused apps section of Permissions updates in Android 11 and Auto-reset permissions of unused apps section of Request runtime permissions
- Scoped Storage introduced, but apps can still opt-out of it via `requestLegacyExternalStorage`, see Storage updates in Android 11 and Opt out in your production app section of Android storage use cases and best practices
Security Enhancements - Android 12
- `android:exported` flag needs to be defined explicitly in Manifests for components (Activities, Content Providers, etc.) that declare Intent Filters, see Safer component exporting section of Behavior changes: Apps targeting Android 12
- Generic web Intents resolve to the user's default browser app unless the target app is approved for the specific domain contained in that web Intent, see Web intent resolution section of Android 12 Behavior changes: all apps
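As an added example (not from the original page), the manifest excerpt below shows the explicit `android:exported` declarations that Android 12 requires, together with the `taskAffinity` setting that closes the StrandHogg 1.0 task-hijacking pattern described in the Android 11 section. Package, class and host names are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- AndroidManifest.xml excerpt (constructed example; com.example.app and the activity
     names are placeholders). -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <application android:label="Example">

        <!-- Launcher activity. It declares an intent filter, so on Android 12+ the build
             fails unless android:exported is written out; the pre-12 habit of omitting it is
             the weak form. taskAffinity="" removes the default package-name affinity, so a
             foreign app cannot declare a matching affinity and get its own activity placed
             into this task (the StrandHogg 1.0 pattern). -->
        <activity
            android:name=".MainActivity"
            android:exported="true"
            android:taskAffinity=""
            android:launchMode="singleTask">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Internal screen: no intent filter, reachable only by an explicit intent from
             this app. exported="false" is already the default here, but stating it makes
             the intent obvious to reviewers and tooling. -->
        <activity
            android:name=".SettingsActivity"
            android:exported="false"
            android:taskAffinity="" />

        <!-- Deep-link entry point: exported on purpose, because other apps (the browser)
             deliver the VIEW intent; the filter restricts which intents reach it. -->
        <activity
            android:name=".DeepLinkActivity"
            android:exported="true"
            android:taskAffinity="">
            <intent-filter android:autoVerify="true">
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="https" android:host="example.com" />
            </intent-filter>
        </activity>

        <!-- Content provider for this app's own data: not exported and no filter, so no
             other package can query or write it. -->
        <provider
            android:name=".DataProvider"
            android:authorities="com.example.app.provider"
            android:exported="false" />

    </application>
</manifest>
```

A quick check is `aapt2 dump xmltree app.apk --file AndroidManifest.xml`, which prints the effective `exported` and `taskAffinity` attributes of every component in the built APK.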
- Replace more BouncyCastle implementations of cryptographic algorithms with Conscrypt ones, see BouncyCastle implementation removed section of Android 12 Behavior changes: all apps
- The user gets notified if an app accesses Clipboard data of another app for the first time, see System notification shown when your app accesses clipboard data section of Copy and paste
- Apps can no longer close System Dialogs, see Apps can't close system dialogs section of Android 12 Behavior changes: all apps
- Tapjacking mitigation: Apps are prevented from consuming touch events where an overlay obscures the app, see Cloak & Dagger
- Scoped Storage always enforced, opting out of it via `requestLegacyExternalStorage` is no longer possible, see Opt out in your production app section of Android storage use cases and best practices
- New option to only grant permission to access approximate location
- New Privacy Indicators on the status bar to indicate to the user when an app uses camera or microphone
- BiometricManager.Strings API introduced providing localized strings for apps that use `BiometricPrompt` for authentication
- Added support for under-display fingerprint sensors
- Fingerprint Android Interface Definition Language (AIDL) introduced
- Private Compute Services introduced as a secure partition for processing sensitive user data on-device, used by AI-driven features like Live Caption, Now Playing and Smart Reply. Google defines it as a "secure, isolated data processing environment inside of the Android operating system that gives you control of the data inside, such as deciding if, how, and when it is shared with others". See Introducing Android’s Private Compute Services, Google officially explains how Android's Private Compute Core works and Android Private Compute Core Architecture whitepaper
- Rust language support for platform development
Security Enhancements - Android 13
Android 13 release notes - Security
- Non-matching Intents are blocked by Intent filters (apps cannot send an Intent to another app's exported component unless it fully matches the Intent filter defined by it), see Intents should match declared intent filters section of Android 13 and Android 13 QPR release notes
- Only File Based Encryption (FBE) is allowed; Full Disk Encryption (FDE) is no longer allowed, not even for devices updated from a version where it was allowed
- Shared UIDs are deprecated. They were used to share sandbox access between two or more apps and to let them run in the same process. They could cause non-deterministic behavior within the package manager, so they will be removed in a future Android version. See Application Signing
- Keymaster support for symmetric cryptographic primitives such as AES (Advanced Encryption Standard), HMAC (Keyed-Hash Message Authentication Code), and asymmetric cryptographic algorithms (including Elliptic Curve, RSA2048, RSA4096, and Curve 25519)
- `POST_NOTIFICATIONS` runtime permission added for sending non-exempt (including Foreground Services (FGS)) notifications from an app, see Notification runtime permission
- Added per-use prompt for apps requesting access to all device logs, giving users the ability to allow or deny access, see Manage your device logs on Android
- Android Virtualization Framework (AVF) introduced, bringing together different hypervisors under one framework with standardized APIs.
- APK signature scheme v3.1 introduced; all new key rotations that use `apksigner` will use the v3.1 signature scheme by default to target rotation for Android 13 and higher
- Restricted Settings introduced to disallow sideloaded apps (installed without using the session-based installation API) from getting permissions deemed particularly dangerous by Google (users can still manually grant these permissions in Android Settings). Currently this applies to Accessibility and having a Notification Listener, see Android 13's Restricted setting feature will block malicious apps from accessing your notifications. Keep in mind though that malicious apps aware of this restriction can bypass it by installing another app using said session-based installation API after they are installed, so the restrictions do not apply to the second app.
Security Enhancements - Android 14
Android 14 Security Release Notes
- Introducing minimum `targetSdk` requirement: apps that target Android versions older than Android 6 (API 23) can no longer be installed. This means that you can assume that the security restrictions (notably Runtime Permission handling in this case) introduced with Android 6 (API 23) now apply to all apps installed on the device (this minimum is expected to increase with each future Android version), see Minimum installable target API level section of Behavior changes: all apps
- The name of the app that stored a particular media file is redacted by default (unless its package name is always visible to other apps or the app that queries it has the `QUERY_ALL_PACKAGES` permission granted - which requires a special manual Google Play review to attain), see Media owner package names might be redacted section of Behavior changes: all apps
- Added a description to location permission prompts that describes why an app might need this permission
- Significant improvements to Hardware-assisted AddressSanitizer (HWASan), which was introduced back in Android 10 as a memory error detection tool similar to the deprecated AddressSanitizer which it replaces.
- Added support to reject null-ciphered cellular connections, ensuring that circuit-switched voice and SMS traffic is always encrypted and protected from passive over-the-air interception, see Android 14 introduces first-of-its-kind cellular connectivity security features
- Added support for multiple IMEIs
- AES-HCTR2 is now the preferred mode of filenames encryption for devices with accelerated cryptography instructions.
- If an app targets Android 14 and uses Dynamic Code Loading (DCL), all dynamically-loaded files must be marked as read-only; otherwise the system throws an `Exception`, see Safer dynamic code loading section of Behavior changes: Apps targeting Android 14 or higher
Android 15 Security Release Notes
- Apps that target Android versions older than Android 7 (API 24) can no longer be installed. This means that you can assume that the security restrictions introduced with Android 7 (API 24) now apply to all apps installed on the device, see Increased minimum target SDK version from 23 to 24 section of Behavior changes: all apps
- The system now asks for biometrics (if they are enrolled) when changing USB mode and screen timeout, see Android 15 will verify it's you when you connect to a PC
- Further mitigation for task hijacking (StrandHogg): a new flag blocks apps that don't match the top UID on the stack from launching activities (though both the sender and receiver - i.e., attacker and victim - need to have their `targetSdk` set to 35 (Android 15), so this will only really be effective on future Android versions that require this as the minimum - e.g., Android 15 requires Android 7 (API 24)), see Block apps that don't match the top UID on the stack from launching activities section of Behavior changes: Apps targeting Android 15 or higher
- Further mitigation for task hijacking (StrandHogg): if the top activity finishes a task, Android will go back to whichever task was last active. Moreover, if a non-top activity finishes its task, Android will go back to the home screen; it won't block the finish of this non-top activity, see Other changes section of Behavior changes: Apps targeting Android 15 or higher
- Further mitigation for task hijacking (StrandHogg): Arbitrary activities can no longer be launched from other apps into your own task, see Other changes section of Behavior changes: Apps targeting Android 15 or higher
- Mitigation for attackers abusing misconfigured PendingIntents: `PendingIntent` creators now block background Activity launches by default if your app targets Android 15 (API 35), see Other changes section of Behavior changes: Apps targeting Android 15 or higher
- By default, apps are no longer allowed to bring the task stack to the foreground unless the `PendingIntent` creator allows background activity launch privileges or the sender has background activity launch privileges, if your app targets Android 15 (API 35), see Other changes section of Behavior changes: Apps targeting Android 15 or higher
- Non-visible windows are now blocked from being considered for background activity launches. This mitigates Denial of Service (DoS) attacks and popup ads, while also providing mitigation for full or partial tapjacking and full-screen phishing, see Other changes section of Behavior changes: Apps targeting Android 15 or higher
- Intents that target specific components must accurately match the target's intent-filter specifications. If you send an intent to launch another app's activity, the target intent component needs to align with the receiving activity's declared intent-filters, see Safer Intents section of Behavior changes: Apps targeting Android 15 or higher
- Intents without an action (action set to `null`) will no longer match any intent-filters. This means that intents used to start activities or services must have a clearly defined action, see Safer Intents section of Behavior changes: Apps targeting Android 15 or higher
- The creator of the `PendingIntent` is treated as the sender of the enclosing intent, not the sender of the pending intent, see Safer Intents section of Behavior changes: Apps targeting Android 15 or higher
- Google Play Protect requires biometric or device credential (PIN, password or pattern that's used to unlock the device) confirmation before sideloading apps that target Android 10 (API 29) or earlier. This is part of an ongoing effort to fight malicious apps by Play Protect with more similar prompts likely coming (possibly without even requiring a new OS version), see Google to add extra layer of protection when installing sketchy apps (APK teardown)