Safeguarding user security on Android

00:00

[MUSIC PLAYING]

00:04

DOM ELLIOTT: Hi, I'm Dom and I'm joined by my colleagues,

00:08

Tina and Sabs, from the Android team.

00:10

We're thrilled to be here today to share the latest

00:12

updates on how we're safeguarding Android

00:14

users' security and privacy.

00:17

Each year, we've consistently improved user protections

00:20

in the Android platform, and we've

00:22

raised the bar for safe, Trusted Apps on Google Play.

00:25

In 2023, we prevented over 2 million policy-violating apps

00:29

from being published, we banned over 300,000 bad developer

00:33

accounts, we scanned over $200 billion apps every day

00:36

for malware, and we paid out over $10 million to security

00:40

researchers.

00:41

That's not all.

00:42

Google Play Protect can now recommend a real-time app

00:45

scan when an app is being installed that has never

00:48

been scanned before.

00:49

This is already helping us to detect emerging security threats

00:52

more quickly.

00:53

Play Protect has identified over 500,000 new malicious apps

00:57

and issued 3 million new warnings as a result of this

01:00

scanning.

01:01

OK, let's get on to the main updates.

01:04

First, Tina will talk about the latest Android features

01:07

protecting users against scams, fraud and device theft.

01:11

Then, I'll go over the new Integrity API

01:13

features, which you can use to defend your app against attacks

01:16

and abuse.

01:17

And finally, Sabs is going to give you

01:20

a detailed look at the most important security

01:22

changes in Android 15 that you should be aware of.

01:26

Now it's over to Tina.

01:29

TINA SRISKANDARAJAH: Thanks, Tom.

01:31

Hi, everyone.

01:32

I'm Tina, a Product Manager on Android Framework.

01:35

There are a number of ways the platform already

01:38

helps users view and manage their data, including

01:42

runtime permission controls and the privacy dashboard.

01:46

I'm excited to tell you about some of the new protections

01:49

we're introducing this year to make Android even better.

01:53

I'll share about our efforts to help prevent abuse

01:56

across screen sharing, device-theft detection

01:59

and remediation, and more.

02:02

First, we'll talk about improvements to the user

02:05

screen-sharing experience.

02:08

When users share their screens, they might unintentionally

02:11

reveal more information with remote viewers than intended.

02:15

Malicious actors can even convince

02:17

users to share their screen in situations when users

02:22

don't really need to share.

02:24

Actors then use that view to steal information

02:27

off users' screens.

02:30

To help address the situation, we

02:32

are changing the default screen-sharing scope

02:35

to just a single app.

02:37

If users want to share their entire screen,

02:40

they can still choose to do so.

02:43

With the single-app option, the status bar, navigation bar,

02:47

notifications, and other system UI elements

02:50

are excluded from the shared display.

02:53

Only the content of the selected app is shared.

02:57

Another scenario we want to improve with screen sharing

02:59

is the visibility of notifications.

03:02

If a remote viewer sees the user's notifications,

03:06

it could reveal embarrassing or even sensitive

03:09

information, like one-time passwords.

03:12

Starting in Android 15, we'll protect

03:15

notification content that appears

03:17

during a screen-share session.

03:20

If you want users to see notification content even

03:23

during screen sharing, provide a public version

03:26

of notification content for your app.

03:28

If a public version is not provided,

03:31

a private version is shown, which does not

03:33

contain notification content.

03:36

We'll also hide app-activity windows

03:39

if the app posts a notification containing a one-time password

03:43

during a user's screen-share session.

03:46

This will be automatically done when

03:48

notifications with one-time passwords

03:50

are detected by the platform.

03:54

In this example, a user's messaging app

03:57

has posted a notification with a one-time password

04:00

during a screen-share session.

04:02

The user taps the notification to open the messaging app.

04:05

The remote viewer, however, sees a blank screen

04:09

instead of the app window containing

04:11

the one-time password.

04:14

Another way malicious attackers can

04:15

snoop a user's one-time password is

04:18

through apps that have been granted the notification

04:21

Listener Service permission.

04:24

Starting in Android 15, apps that

04:27

use the notification Listener Service will

04:29

receive notifications with one-time password content

04:32

removed.

04:35

Apps that depend on the full notification

04:37

content, such as wearable apps connected through companion

04:40

Device Manager, will continue to receive the full notification

04:44

content.

04:45

Now I'm going to tell you more about what Android

04:48

is doing to protect users from physical device theft this year.

04:52

We're hardening the device against theft

04:55

and adding more data protections to make the device less

04:58

attractive to thieves.

05:00

We'll lock out thieves who have access to your phone

05:03

if they fail multiple times to log

05:05

into a PIN or biometric-protected app

05:08

or service.

05:10

We're also requiring authentication

05:12

when someone tries to change certain sensitive settings.

05:16

In the moment when a thief tries to take your phone,

05:19

a new detection feature will activate.

05:21

This locks the screen and protects your data.

05:26

If a device is taken, it's often a shocking situation

05:29

for the user.

05:30

They don't always remember how to protect

05:32

their data after the fact.

05:35

So we're adding a new remote-locking feature

05:38

that will provide an even easier way for users

05:41

to remotely lock their device, even if they don't remember

05:44

their Google-account password.

05:47

We're also adding a new private-space feature.

05:49

So even if your device falls into the wrong hands,

05:52

you have more protection for your apps.

05:56

Private space is your separate space on the device for any apps

06:01

you don't want others to access or know about.

06:05

This space can be populated with any apps you want and can

06:09

be locked and hidden from view.

06:11

Private space can have its own separate lock.

06:15

This feature can be useful for protecting your sensitive apps

06:18

in case of theft, accidental exposure, or snooping.

06:24

Something else we're doing to protect users

06:26

is reducing broad access to their photos and videos.

06:30

Last year, Google Play announced a policy related to the photo

06:35

and video permissions.

06:37

Apps must now demonstrate that they require broad access

06:41

to the photos and videos for their core use case

06:44

in order to use this permission.

06:46

Google Play will begin actively enforcing this policy in August.

06:52

Many apps request media permissions for legacy reasons

06:55

that no longer apply.

06:57

So you may be able to simply stop

06:59

requesting the media permissions without making

07:01

any other changes to your app.

07:03

If your app uses the photo or video permission for custom

07:06

photo-picking experience, for example,

07:09

if you ask the user to select a profile picture,

07:12

we recommend you use the Android-system photo

07:15

picker instead.

07:17

The Android photo picker is the best solution

07:19

for nearly every app.

07:21

It does not require any permissions,

07:23

includes cloud photos from Google Photos,

07:26

is customizable for your app's needs

07:28

and is super easy to implement.

07:32

We are continuing to improve the photo picker with Search

07:35

and more exciting features to create

07:37

the best possible photo-picking experience for your users.

07:41

Try it in your app today.

07:43

TINA SRISKANDARAJAH: Now I'm going to hand

07:45

it back to Dom to talk about additional ways

07:47

to protect your users and your business.

07:52

DOM ELLIOTT: Thank you, Tina.

07:54

Now, let's talk about what you can

07:56

do to protect your users against attacks and scams

07:59

while also protecting your app and business from abuse.

08:03

The Play Integrity API helps you check

08:05

that user actions and server requests

08:07

are coming from your apps unmodified binary, installed

08:11

by Google Play, and running on a genuine Android device.

08:14

The Play Integrity API works across Android SDK versions

08:18

and is fully supported on mobile phones, tablets, and foldables.

08:22

You can also use it on Google Play games for PC

08:25

and other Android form factors.

08:27

How does it work?

08:29

You call Play Integrity API at important moments in your app

08:32

or in the background to obtain an integrity token from Google.

08:36

You pass the integrity token to your app's backend server

08:39

where you can decrypt it to obtain Plays integrity verdict.

08:43

With this verdict, you can decide

08:45

whether you trust the request was made by your genuine app.

08:48

If something is wrong, your app's backend server

08:51

can decide what to do next.

08:53

For example, you can ask the user to verify themselves,

08:56

or you could deny access to some sensitive functionality.

09:00

Thousands of developers are using

09:02

Play Integrity API in production to perform integrity checks.

09:05

And developers using Play Integrity features

09:08

see, on average, 80% lower unauthorized usage

09:11

compared to unprotected apps.

09:14

So what's new?

09:15

First up, app access risk is a new verdict

09:19

that you can use to check whether there

09:21

is a risk of other apps running that could access or control

09:24

your app.

09:25

Say, for example, the user is about to perform

09:28

a sensitive action, such as transferring some money.

09:31

Before allowing the transfer to proceed,

09:33

you can check the app access risk verdict

09:35

and check there aren't other apps running

09:37

that can capture the screen or that can control the device.

09:41

You can also show a Google Play dialogue to prompt the user

09:44

to ask them to close any capturing or controlling

09:46

apps that are open.

09:48

App access risk has different risk levels.

09:51

A capturing response means other apps are running

09:54

that can capture the screen.

09:56

A controlling response means other apps are running

10:00

that can control the device, and hence, they

10:02

could both capture the screen and even control inputs

10:05

into your app.

10:08

App access risk automatically excludes genuine accessibility

10:11

apps known to Google that have been through a special review

10:14

process.

10:16

Like the other signals in the Play Integrity API,

10:18

the requesting app receives no user or device identifiers,

10:22

nor does it receive any information

10:24

about the apps that resulted in a positive verdict.

10:28

We've already been testing app access risk

10:30

with early-access partners, like Nubank, Revolute, Mercado Libre,

10:34

and PhonePe.

10:36

It's available now in public beta

10:38

and will be generally available in the coming months.

10:43

The second feature is the Play Protect verdict.

10:47

This tells your app where the Play Protect is turned on

10:50

and whether it has found known harmful apps on the device.

10:54

If malware is a particular concern

10:56

for your app or your users' data, you can check this verdict

10:59

and ask your users to turn on, Play Protect

11:02

or remove harmful apps before proceeding.

11:06

The third feature is recent device activity.

11:10

This tells you how many integrity requests your app

11:12

has made on that specific device in the last hour.

11:16

This is useful to detect anomalously high requests.

11:20

That could be a sign of attack.

11:23

First, you should check the data to see

11:26

what the typical device-activity levels for your app

11:28

are across all of your devices.

11:31

Then you can decide how your app should respond when a device is

11:34

making too many requests.

11:36

If the activity is a little high,

11:38

you might want to ask the user to try again later.

11:41

If the activity is very high, you

11:42

might want to take stronger enforcement action.

11:46

You can opt in to all three new features

11:48

in both standard and classic Integrity API requests.

11:52

Standard API requests, launched last year,

11:55

are the low-latency option for integrity verdicts.

11:58

They're suitable for the majority of apps and games,

12:01

and you can make them on demand at important moments

12:03

in your app.

12:05

After you start making requests, you

12:07

can visit the revamped Integrity API report in the Play Console

12:12

to break down your responses and check for any anomalies.

12:15

You can use the report to understand your install base

12:18

better before you decide what actions and enforcements you're

12:21

going to take next.

12:24

In addition to the Play Integrity

12:26

API, which is available to all Android developers,

12:28

select Google Play partners also have access

12:31

to automatic integrity protection in the Google Play

12:34

console.

12:35

When you turn on automatic protection,

12:37

Google Play will automatically add and install

12:40

a check to your app and the strongest version of Google

12:44

Play's anti-tamper protection.

12:46

This protects your app without any developer work required

12:49

and without any backend server integration needed.

12:54

DOM ELLIOTT: OK, now it's Sabs's turn

12:56

to talk about what's new in Android 15.

12:58

Sabs, over to you.

13:03

SABS: Thanks, Dom.

13:04

I'm excited about those changes coming to Play Integrity API.

13:08

Hi, everyone.

13:08

I'm Sabs and I'm part of the Android Security Team.

13:12

Today I'm going to talk with you about some important platform

13:15

security updates for Android 15 and what you need

13:19

to do to keep your apps secure.

13:22

I will walk you through three key areas with changes--

13:25

TargetSdk, Safer Intents, and background-activity launching.

13:30

Let's begin with an update on the TargetSdk version.

13:34

Following up on Android's 14 improvements,

13:37

Android 15 prevents apps with TargetSdk version lower than 24

13:41

from being installed.

13:43

Requiring apps to meet this minimum target

13:45

API improves security and privacy for users

13:48

by encouraging apps to apply the latest security patches, privacy

13:52

controls, and development practices,

13:54

while discouraging the use of outdated and potentially risky

13:58

components.

14:00

On devices upgrading to Android 15, any apps with TargetSdk

14:04

version lower than 24 will remain installed.

14:07

Developers should expect similar bumps

14:09

in future Android versions.

14:12

Next, let's take a look at what our teams are

14:15

doing to make intents safer.

14:18

Intents are the messaging glue that connect activities

14:21

between different apps.

14:22

They signal when your app intends to perform some action

14:26

or communicate with some other component.

14:28

Intents are powerful tools for communicating

14:31

between app processes.

14:33

However, improper handling of intents

14:35

can create vulnerabilities that a malicious actor could exploit.

14:40

In Android 15, we have added tools

14:42

to help developers identify when their apps' intents are

14:45

mismatching other apps' intent filters.

14:48

The key takeaway here is that if you

14:50

are sending explicit intents, make

14:52

sure they satisfy the target component intent-filter.

14:56

Why?

14:57

Well, here's a vulnerability pattern

14:59

that we have seen in practice.

15:01

Let's say we have a Package, com.victim,

15:04

and inside the manifest file we define two broadcast receivers.

15:09

First, there is an internal receiver, which is not exported,

15:12

and then there's an external receiver, which is exported.

15:17

Each receiver handles its own internal interaction.

15:20

The internal one handles sensitive items,

15:23

and the external one handles things that are public.

15:26

To receive those intents, we define

15:28

the centralized intent-handler object within the main activity.

15:32

With this object, we define two intent actions.

15:35

The private action will send data

15:37

to an internal receiver within the app,

15:39

and the public action sends data to another app's

15:42

external receiver.

15:44

Now, an attacker could simply define an intent action

15:48

as the internal one and point to the external component.

15:51

This switch causes the internal receiver to be called.

15:54

The attacker has successfully called internal action even

15:58

though it was not exported.

16:00

To help developers guard against this kind of attack,

16:03

we're adding some protections for Android 15.

16:07

When developers enable the Strict Mode,

16:09

they will be able to see the mismatching

16:11

as a violation in Logcat, suggesting they

16:13

should update their intents.

16:16

To offer app compatibility and ease adoption,

16:18

Strict Mode is not mandatory.

16:20

In fact, your app must target Android 15 in order

16:24

to use the Strict Mode.

16:26

In Android 15, sending NULL action intents we

16:29

no longer match any intent-filter.

16:32

For this other change, here's another vulnerable pattern.

16:35

On the left, we have a broadcast receiver named MyReceiver.

16:39

This receiver is exported and has no action.

16:43

On the right, we have to create a NULL intent [? adjacent ?]

16:45

in it, and the broadcast receiver

16:47

will still receive the intent.

16:50

A lot of broadcast receivers in real-world apps

16:52

do not expect the intent action to be nullable

16:55

and will actually crash with a NULL pointer exception

16:58

when receiving these kind of intents.

17:02

Here's what's coming in Android 15 to help developers.

17:05

We will update the match method of the IntentFilter class

17:09

so that when an intent sends a NULL action,

17:11

the system converts it to a NO_MATCH_ACTION.

17:15

And it will be available as part of Strict Mode.

17:19

Before moving to the next topic, let's

17:21

review best practices for using pending intents.

17:25

For the Safer Intents update, the creator of the PendingIntent

17:28

is treated as the sender of the closing intent,

17:31

not as the sender of the PendingIntent.

17:34

Handle PendingIntents carefully in your app,

17:37

make sure who is the creator and the sender of the PendingIntent.

17:41

Now, let's look at what's coming for Android 15

17:44

in background activity launches.

17:47

Background activities are processes

17:49

within an app that run even when the app is indirectly

17:52

in the foreground.

17:53

This means they aren't immediately visible to the user,

17:56

but they are still performing essential tasks.

18:00

We know that unwanted, malicious background activity

18:02

launches are among the most common issues

18:05

found by security researchers.

18:07

We updated our documentation to include best practices

18:10

that help developers mitigate the risks with background

18:13

activity launches.

18:15

Let's take a look at some of the vulnerable patterns

18:18

with background activity launches.

18:20

For pop-up ads, a background app starts

18:22

on top of the foreground app, limiting the user's interactions

18:25

with the device.

18:26

This can lead to full denial of service

18:29

where the user can't use the device.

18:32

Another type of vulnerability is tapjacking

18:34

where a background app can partially or fully

18:36

cover the foreground app.

18:39

A third type of vulnerability is a screen phishing,

18:41

where a background app can show a modal dialog or full-screen

18:45

activity after the foreground app's dialog or activity is

18:48

closed.

18:49

This allowed the background app to impersonate the recently used

18:52

foreground app.

18:55

Here's how we'll further improve background activity launch

18:57

security in Android 15.

19:00

First, PendingIntent creators will now

19:02

block background activity launches by default.

19:05

Because the system does not restrict background activity

19:07

launches, we have seen cases where

19:10

an app will bypass background activity launches by sending

19:13

a system-creator PendingIntent.

19:16

Second, we're going to update when an activity starts

19:19

in the background, and we won't bring

19:21

the task stack to the foreground unless the PendingIntent

19:25

creator or sender is allowed to launch background activities.

19:29

Currently, malicious apps can obtain and trigger

19:32

PendingIntents.

19:33

This brings the system activity into malicious app tag stack

19:37

and can terminate the system's activity unexpectedly.

19:41

Third, we will update how an activity that

19:44

matches the top app's user ID can start activities, create

19:48

a new task, or bring a task into the foreground.

19:51

This prevents the situation where

19:53

a malicious app in the foreground

19:55

launches a victim's activity on top of it

19:57

and then, subsequently, impersonated by launching

20:00

one of its own activities.

20:03

Finally, we will update how an activity finishes its task.

20:07

If the activity is in the foreground,

20:09

the user will be returned to whichever activity was last

20:12

active.

20:13

And if the activity wasn't on top,

20:15

the user will go back to the home screen.

20:17

This prevents user interaction with a victim app

20:20

that was previously launched by a malicious app,

20:23

allowing for the stealing of the user's credentials

20:25

and other bad behavior.

20:27

And that's all we have for the platform security updates.

20:30

We hope this helped you protect your users.

20:33

Back to you, Tina.

20:36

TINA SRISKANDARAJAH: Thank you for taking the time

20:38

to learn more about Android's latest privacy and security

20:42

features.

20:43

Protecting users is a shared responsibility between Android

20:47

and app developers.

20:48

And we know these features will go a long way

20:51

to upholding a safe and trusted user experience.

20:54

To recap some of the best practices to keep users safe,

20:59

app developers should continue to use

21:01

flag_secure to protect app activities that could contain

21:04

sensitive content.

21:07

Target the latest SDK versions as soon

21:09

as possible to apply the latest security enhancements to app

21:13

automatically.

21:15

Check out all the functionality offered through the Play

21:17

Integrity API to protect the security and business

21:21

value of your app.

21:22

And make sure your intents are being

21:25

sent to the right component and your app opts-in to the latest

21:28

background activity launch updates

21:30

in order to help your app be more secure.

21:33

TINA SRISKANDARAJAH: We appreciate your time today.

21:36

If you'd like to learn more, please visit the Android

21:38

developer's website.

21:40

We've included some useful links below.

21:42

Thank you again for doing your part to keep Android users safe.

21:46

[MUSIC PLAYING]