1 <html devsite> 2 <head> 3 <title>Security Enhancements in Android 5.0</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>Every Android release includes dozens of security enhancements to protect 27 users. Here are some of the major security enhancements available in Android 28 5.0:</p> 29 30 <ul> 31 <li><strong>Encrypted by default.</strong> On devices that ship with L 32 out-of-the-box, full disk encryption is enabled by default to improve 33 protection of data on lost or stolen devices. Devices that 34 update to L can be encrypted in <strong>Settings</strong> > <strong>Security</strong>. 35 <li><strong>Improved full disk encryption.</strong> The user password is 36 protected against brute-force attacks using <code>scrypt</code> and, where 37 available, the key is bound to the hardware keystore to prevent 38 off-device attacks. As always, the Android screen lock secret and the device 39 encryption key are not sent off the device or exposed to any application. 40 <li><strong>Android sandbox reinforced with SELinux</strong>. Android now 41 requires SELinux in enforcing mode for all domains. SELinux is a 42 mandatory access control (MAC) system in the Linux kernel used to augment the 43 existing discretionary access control (DAC) security model. This new layer 44 provides additional protection against potential security vulnerabilities. 45 <li><strong>Smart Lock. </strong>Android now includes trustlets that provide 46 more flexibility for unlocking devices. For example, trustlets can allow 47 devices to be unlocked automatically when close to another trusted device (via 48 NFC, Bluetooth) or being used by someone with a trusted face. 49 <li><strong>Multi user, restricted profile, and guest modes for phones & 50 tablets.</strong> Android now provides for multiple users on phones and 51 includes a guest mode that can be used to provide easy temporary access to your 52 device without granting access to your data and apps. 53 <li><strong>Updates to WebView without OTA. </strong> WebView can now be 54 updated independent of the framework and without a system 55 OTA. This will allow for faster response to potential security issues in 56 WebView. 57 <li><strong>Updated cryptography for HTTPS and TLS/SSL.</strong> TLSv1.2 and 58 TLSv1.1 is now enabled, Forward Secrecy is now preferred, AES-GCM 59 is now enabled, and weak cipher suites (MD5, 3DES, and export cipher suites) 60 are now disabled. See <a 61 href="https://developer.android.com/reference/javax/net/ssl/SSLSocket.html">https://developer.android.com/reference/javax/net/ssl/SSLSocket.html</a> 62 for more details. 63 <li><strong>non-PIE linker support removed.</strong> Android now requires all 64 dynamically linked executables to support PIE 65 (position-independent executables). This enhances Androids address space 66 layout randomization (ASLR) implementation. 67 <li><strong>FORTIFY_SOURCE improvements.</strong> The following libc 68 functions now implement FORTIFY_SOURCE protections: <code>stpcpy()</code>, 69 <code>stpncpy()</code>, <code>read()</code>, <code>recvfrom()</code>, 70 <code>FD_CLR()</code>, <code>FD_SET()</code>, and <code>FD_ISSET()</code>. This 71 provides protection against memory-corruption vulnerabilities involving 72 those functions. 73 <li><strong>Security Fixes.</strong> Android 5.0 also includes fixes for 74 Android-specific vulnerabilities. Information about these vulnerabilities has 75 been provided to Open Handset Alliance members, and fixes are available in 76 Android Open Source Project. To improve security, some devices with earlier 77 versions of Android may also include these fixes. 78 </ul> 79 80 </body> 81 </html> 82
