Lookout Details Android 5.0 Lollipop Has Toughened Security Features

October 17, 2014 - Written By David Steele

Android 5.0 Lollipop is going to be Google’s most significant release of Android yet with a whole raft of features across the board. We also have two new devices to play with in the shape of the Nexus 6 and Nexus 9. Some of Android 5.0 Lollipop’s more glamorous features have been stealing the limelight, such as support for 64-bit processors, Material Design, the improvements to power management and the switch from the Dalvik RunTime to the Android RunTime, ART, which should make our devices smoother and faster. However, some of the most important changes are happening under the skin and in particular when it comes to security. You see, depending on where you read, Android has picked up something of a bad reputation for security. That’s no doubt fuelled by Tim Cook of Apple claiming that Android isn’t secure *cough iCloud leaks cough* but there is more than an element of truth: because Android is easier to customize, hack and sideload applications, so it’s potentially less safe. Of course, the most determined of users will be able to pick up mobile malware no matter what platform they use, but Google have worked on improving Android’s security. Let’s take a look at three ways we’re going to be safer with Android Lollipop.

The first way is the built-in kill switch, also known as Factory Reset Protection. The idea behind the kill switch is that it prevents unauthorized use of the device; if you lose your Android device or it’s stolen, you can lock it down so that the thief (or unwary buyer) cannot use the handset or tablet. This can either be a way of stopping the device from working including being reset, or forcably resetting the device and preventing it from being activated without the necessary unlock code. With Android 5.0, this is still going to be an optional step of the device and Android Lollipop is going to make it much easier to use and understand what you’re doing with the device. After all, the most sophisticated security technique is only as handy as it is easy to use, understand and set. Plus, once word’s out that it’s difficult to sell on a smartphone (no matter the make), they’re much less likely to be stolen in the first place.

The second way is linked to the first and uses a feature that’s been present in Android since 4.0 Ice Cream Sandwich, which is device encryption. Until now, encryption has been an optional security feature that most people will only activate if their corporate email account tells them to do so! From Android 5.0, encryption is going to be enabled by default. This gives users another PIN or password to remember but keeps the data on the device much safer from prying eyes. This is linked in with the kill switch detailed above: without device encryption, a thief could access the information on the device. And related to on-device encryption is some improvements to the LINUX core of Android by setting the default SELinux policies to “enforcing mode.” This hardens the device to malicious rooting and privilege escalation attacks, which are sophisticated ways to circumvent other device security systems to gain access to information. One side effect of this change is that it will prevent some root-enabled applications from working properly, so this is a feature that will likely require some updates to such applications.

The final improvement concerns using our mobile Android devices in the so-called enterprise environment. And, no, I don’t mean pretending that we are Captain Kirk but instead, using our devices as part of a corporate (and so tightly controlled and locked down) network. Research from Gartner shows that half of enterprises will operate a BYOD (bring your own device, whereby the employee is responsible for buying and running their own smart device for use with the work system) in the next three years. It’s an area where Apple are keen to break in, because remember that Apple sell iPhones to sell iPads to sell Macs. Mobile devices can store and handle huge amounts of potentially sensitive data, are highly portable and often use unsecure networks, so are considered to be the weaknest link in an enterprise security system (presumably excluding the user, but I’ll write about this in a little bit). Google have shored up the enterprise support on Android devices by including a corporate user profile, in essence allowing a segregrated work area of the device, which may be managed by the enterprise admin. This may be completely ringfenced from the rest of the device, so the user won’t be able to access company information from a personal email account, for example, nor will a third party application have access to this data.

I hinted at this above, but weak link in our device security will remain as us, the user. If we leave our device unattended and unlocked, this could cause a lot of potential issues. Likewise, check the source of applications and their permissions, be especially wary when sideloading applications or installing apps from websites. Google’s improvements to Android Lollipop are welcome but no substitute for common sense!