Skip to main content

Google Details Android 5.0 Lollipop’s Major Security Improvements



Android’s newest update is coming soon, with devices running 5.0 Lollipop beginning to ship November 3. While the visual update might be the one that most users pay the most attention to, Android 5.0 also has a number of under-the-hood changes, including some major updates to the overall security of the platform. Google has put a lot of effort into addressing the biggest threats to Android user security, which still overwhelmingly represent lost or stolen devices, and today the company is detailing a few of these efforts.

Lollipop adds some new lock methods that make it easier to keep your device secure, which is a huge boon to the overall integrity of the platform. The biggest roadblock to mobile device security is actually user apathy, which sees people skipping basic security practices like implementing a lock screen pin code because it’s inconvenient when you’re checking your device every few minutes. Lollipop offers Smart Lock to help address this, which uses paired devices to let you tell your device it’s okay to open up without requiring a password or other means of authentication.

The device-based Smart Lock has a similar motivation, and effect, to Apple’s Touch ID: Both serve to get around user reluctance to set up on-device security measures. Using Touch ID is easier than constantly typing in a password, and using Smart Lock offers the same kind of convenience. You can set it up using any NFC or Bluetooth-enabled device that has been paired with your Android 5.0 smartphone or tablet – provided they’ve actually paired, which isn’t always true of short-range wireless communication methods. The pairing requirement adds a layer of security, meaning your smartphone won’t unlock if you happen to be near an NFC terminal you’ve used for an in-store payment at some time in the past, for instance.

Face unlock is also redesigned here, and has been rebuilt to analyze a user’s image continually, as more of a background security process than a device unlocking mechanism.

“Rather than pretending to take a picture, and analyze it, it’s analyzing a user’s face on an ongoing basis,” explained Android security engineering lead Adrian Ludwig in a briefing call. “If a user’s opted in and is using this method, at the moment it detects that a user isn’t the one that it’s expecting, it locks. That’s very different from the previous model.”

Used with something like an Android Wear smartwatch, this means that your phone will be ready to use without a lock code whenever it’s on your person. Used with something like a smart TV, it means that you’ll be safe to bypass security measures only when you’re at home, where your device is unlikely to be pickpocketed or left behind. It’s a feature that offers a lot of initial convenience, and that also has tremendous potential for increased sophistication once Google begins iterating and tying it to other Lollipop features like Guest mode and the ability to offer multiple user accounts, and segregated work data buckets.

Security is also more robust by default, thanks to automatic whole-phone encryption for newly activated devices. In Lollipop, when you power on a new smartphone or tablet, it encrypts all data automatically, and creates a unique key that remains on the device to decrypt the data. Android introduced its encryption features three years ago, but now it’s on by default on new devices, though anyone upgrading on an older device will still have to go into settings to enable it, should they want that additional level of protection.

“The question we’re posing is not ‘does the feature exist,'” Ludwig said. “The question is ‘how do we make sure that [the feature] is available and as easy to use as possible.” Ludwig says that a big barrier to users employing encryption previously has been that a user enabling it on an existing device could take hour depending on how much data was on their phone, whereas now that it’s enabled by default at the beginning of device setup, it takes no time at all.

The encryption key is also wrapped in your device unlock password, and with all Nexus devices, and other new Android hardware that supports it, a secure element located in the device hardware itself that isn’t accessible to the rest of the system.

Finally, Google is pointing to its use of Security Enhanced Linux (SELinux) to enable even further clarity around the isolation of individual apps. This really just means that users have to worry less about apps containing vulnerabilities that allow them to read info from other apps – basically it offers better visibility about how sandboxing works on the platform.

“Our goal with the security model of Android is that you should never have to care, honestly,” Ludwig explained. “I don’t think it’s realistic that the average person should think about security. That’s sort of the confidence level that we’re hoping for in Android, and SELinux gets us that much closer to it, where you don’t have to worry about security, you don’t have to spend time thinking about it.”

Ludwig says that their own research shows that actual risk to users from malware is “extraordinarily low,” with only less than 1 in 1000 Android users ever affected by a malicious local software attack. Device theft and loss is what needs to be addressed as the top immediate threat, and that’s what many of these features focus on. Google is also focusing now more on network level compromises, but in the near-term Lollipop should do a lot to help reassure IT departments worried about absent-minded employees losing track of devices.

Popular posts from this blog

How To Hide Text In Microsoft Word 2007, Reveal It & Protect It

Sometimes what we hide is more important than what we reveal. Especially, documents with sensitive information, some things are supposed to be ‘for some eyes only’. Such scenarios are quite common, even for the more un-secretive among us. You want to show someone a letter composed in MS Word, but want to keep some of the content private; or it’s an official letter with some part of it having critical data. As important as these two are, the most common use could involve a normal printing job. Many a time we have to print different versions of a document, one copy for one set of eyes and others for other sets. Rather than creating multiple copies and therefore multiple printing jobs, what if we could just do it from the same document?  That too, without the hassle of repeated cut and paste. We can, with a simple feature in MS Word – it’s just called Hidden and let me show you how to use it to hide text in Microsoft Word 2007. It’s a simple single click process. Open the docum...

Build Your Own Awesome Personal 3D Avatar with Avatara

Do you use social networks and want to build your own awesome 3D avatar? Maybe you want to send someone a cute cuddly image of yourself (kind of)? Or maybe you have your own ideas of what you would do with an Avatar… Well look no further than Avatara which I discovered from the MakeUseOf directory . You can create 3d avatars out of pre-set up templates or create your own from scratch. To start, visit Avatara’s homepage . You will see this screen: Click Get Started to umm, get started! That will take you to this screen: You see that you can build your own Avatar using an uploaded head shot like the Obama one above (just an example, guys). Or roll with one of their awesome avatars. I chose to start with a blank avatar by clicking Start with a blank avatar at the bottom of the screen. That takes you to here: I clicked on the filter at the top and told it to filter out everything but male characters and then I saw this: I rolled with Buck and continued. You need to click Select...

Ex-Skypers Launch Virtual Whiteboard Deekit

Although seriously long in the tooth and being disrupted by a plethora of startups, for many years Skype has existed as an almost ubiquitous app in any remote team’s toolkit. So it seems apt that a new startup founded by a team of ex-Skype employees is set to tackle another aspect of online collaboration. Deekit, which exits private beta today, is a virtual and collaborative whiteboard to help remote teams work smarter. The Tallinn, Estonia-based startup is headed up by founder and CEO, Kaili Kleemeier, who was previously a Head of Operations at Skype. She and three colleagues quit the Internet calling giant in 2012 and spent a year researching ideas in the remote team space. They ended up focusing on creating a new virtual whiteboard, born out of Kleemeier’s experience collaborating with technical teams remotely, specifically helping Skype deal with incident management. “Working with remote teams has been a challenge in many ways – cultural differences, language differences, a...