<html devsite>
  <head>
    <title>Security Enhancements in Android 7.0</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->



<p>Every Android release includes dozens of security enhancements to protect
users. Here are some of the major security enhancements available in Android
7.0:</p>

<ul>
  <li><strong>File-based encryption</strong>. Encrypting at the file level,
  instead of encrypting the entire storage area as a single unit, better
  isolates and protects individual users and profiles (such as personal and
  work) on a device.</li>
  <li><strong>Direct Boot</strong>. Enabled by file-based encryption, Direct
  Boot allows certain apps such as alarm clock and accessibility features to
  run when the device is powered on but not unlocked.</li>
  <li><strong>Verified Boot</strong>. Verified Boot is now strictly enforced to
  prevent compromised devices from booting; it supports error correction to
  improve reliability against non-malicious data corruption.</li>
  <li><strong>SELinux</strong>. Updated SELinux configuration and increased
  seccomp coverage further lock down the application sandbox and reduce the
  attack surface.</li>
  <li><strong>Library load-order randomization and improved ASLR</strong>.
  Increased randomness makes some code-reuse attacks less reliable.</li>
  <li><strong>Kernel hardening</strong>. Added memory protection for
  newer kernels by marking portions of kernel memory as read-only, restricting
  kernel access to userspace addresses and further reducing the existing attack
  surface.</li>
  <li><strong>APK signature scheme v2</strong>. Introduced a whole-file signature
  scheme that improves verification speed and strengthens integrity guarantees.</li>
  <li><strong>Trusted CA store</strong>. To make it easier for apps to control
  access to their secure network traffic, user-installed certificate authorities
  and those installed through Device Admin APIs are no longer trusted by default
  for apps targeting API Level 24+. Additionally, all new Android devices must
  ship with the same trusted CA store.</li>
  <li><strong>Network Security Config</strong>. Configure network security and TLS
  through a declarative configuration file.</li>
</ul>
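
<p>The Trusted CA store and Network Security Config items above, as an added
example (not part of the original page or of AOSP code): a Python check that
reads a network security config and reports which scopes trust user-installed
CAs in release builds. The sample XML, the example.com domains and the function
names are constructed for illustration.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample of res/xml/network_security_config.xml (not from the page).
SAMPLE = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">internal.example.com</domain>
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </domain-config>
  <domain-config>
    <domain>api.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def platform_default(target_sdk):
    # Per the page: user-installed CAs are not trusted by default for API 24+.
    return {"system"} if target_sdk >= 24 else {"system", "user"}

def anchors(node, inherited):
    """Trust sources declared on node, or the inherited set if none are declared."""
    ta = node.find("trust-anchors") if node is not None else None
    if ta is None:
        return inherited
    return {c.get("src") for c in ta.findall("certificates")}

def audit(xml_text, target_sdk=24):
    """Map each scope to its release-build trust sources (debug-overrides ignored)."""
    root = ET.fromstring(xml_text)
    base = anchors(root.find("base-config"), platform_default(target_sdk))
    result = {"base-config": base}
    def walk(node, inherited):
        for dc in node.findall("domain-config"):
            eff = anchors(dc, inherited)
            for d in dc.findall("domain"):
                result[d.text.strip()] = eff
            walk(dc, eff)  # a nested domain-config inherits from its parent
    walk(root, base)
    return result

def trusts_user_cas(xml_text, target_sdk=24):
    """Scopes whose release-build trust set includes user-installed CAs."""
    return sorted(s for s, a in audit(xml_text, target_sdk).items() if "user" in a)
```

<p>The <code>debug-overrides</code> block is skipped on purpose: it applies only
to debuggable builds, so a user CA listed there does not widen trust in a
release build.</p>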


  </body>
</html>
