Significant security enhancements of recent major Android versions, starting with Android 5.0 Lollipop (API 21).
Security Enhancements - Android 5
- Starting August 2023, Google Play Services updates will only be received from this Android version see Google Play services discontinuing updates for KitKat (API levels 19 & 20) starting August 2023
- Full Disk Encryption (FDE) by default (manufacturers can still opt out), see Encryption and Security Enhancements in Android 5.0
- SELinux fully enforced, see Security Enhancements in Android 5.0
WebView
is a separate package, see Security Enhancements in Android 5.0 and The Updatable WebView on Android 5.0 Lollipop What Is It and Why Should You Care?
Security Enhancements in Android 6
- Keystore API significantly extended (symmetric cryptographic primitives, AES and HMAC support and access control system for hardware-backed keys) see Hardware-backed Keystore
- TEE is a requirement, see Hardware-backed Keystore and 7.3.10. Fingerprint Sensor section of Android 6.0 Compatibility Definition
- New API (
isInsideSecureHardware
) for checking whether a KeyStore key is stored in secure hardware (e.g., Trusted Execution Environment (TEE) or Secure Element (SE)), see isInsideSecureHardware method of KeyInfo - Apps need to request permissions at runtime see Runtime Permissions section of Android 6.0 Changes and Request runtime permissions and Security Enhancements in Android 6.0
- More restrictive SELinux (IOCTL filtering, tightening of SELinux domains, etc.) see Security-Enhanced Linux in Android and Security Enhancements in Android 6.0
Security Enhancements - Android 7
- Separate User and System Certificate Trust Store, meaning Man-in-the-Middle attacks basically require root access from this point, see Changes to Trusted Certificate Authorities in Android Nougat
- Added Network Security Config support so apps can customize the behavior of their secure (HTTPS, TLS) connections in a simple declarative way, without code modification. It supports custom trust anchors (which Certificate Authorities (CA) the app trusts), debug-only overrides, cleartext traffic opt-out and certificate pinning (limiting which server keys are trusted), see Network Security Config section of Android 7.0 for Developers
- By default apps targeting Android 7.0 only trust system-provided certificates and no longer trust user-added Certificate Authorities (CA), even without custom Network Security Config, see Default Trusted Certificate Authority of Android 7.0 for Developers
- Update to Keymaster 2 with support for Key Attestation and version binding (preventing rolling back to an unsecure old version without losing keys), see Key Attestation section of Android 7.0 for Developers and Keymaster Functions and Verifying hardware-backed key pairs with Key Attestation and Key and ID Attestation
- File Based Encryption (FBE) introduced, but it's optional to implement by manufacturers, see Direct Boot section of Android 7.0 for Developers and Support Direct Boot mode and Encryption
- Updated SELinux configuration: further locking down application sandbox, breaking up mediaserver stack into smaller processes with reduced permissions (mitigation against Stagefright), see Security-Enhanced Linux in Android
Security Enhancements - Android 8
- JavaScript evaluation runs in a separate process in
WebView
so JavaScript code cannot access the app's memory so easily, see What’s new in WebView security and Security section of Android 8.0 Behavior Changes for All Apps WebView
respects Network Security Config andcleartextTrafficPermitted
flag (on older Android versions it loads HTTP sites even if clear text traffic should not be allowed by the config), see Security section of Android 8.0 Behavior Changes for Apps Targeting Android 8.0- Safe Browsing API added to
WebView
so users would be warned when trying to navigating to a potentially unsafe website (verified by Google Safe Browsing) if enabled, see WebView APIs section of Android 8.0 Features and APIs FLAG_SECURE
Window
flag is supported more and disallows taking screenshots of the screen where this is set- Update to Keymaster 3 with rewritten Hardware Abstraction Layers (HALs) written in HAL Interface Definition Language (HIDL) and in C++ (as compared to Legacy HAL that was written in C) with ID attestation support, see Hardware-backed Keystore and Keymaster Functions and Key and ID Attestation
- Project Treble introduced (only devices released with this version support project Treble, the ones updated will not get it), separating lower-level vendor code from Android system framework and enabling easier security update delivery, see Here comes Treble: A modular base for Android and Treble Plus One Equals Four
- Updated SELinux to work with Treble. SELinux policy allows manufacturers and SOC vendors to update their parts of the policy independently from the platform and vice versa, see Security-Enhanced Linux in Android
- Further hardening media stack: mobild Hardware Abstraction Layers (HALs) from running in a shared process to running in their own sandboxed processes
- To allow installing apps from unknown sources (i.e. not from Google Play) apps need explicit permission granted by the user for the particular app in Android settings (and users can revoke such permission and manage it per-app at any time too), see User opt-in for unknown apps and sources section of Publish your app and Security section of Android 8.0 Behavior Changes for All Apps
Android 9 release notes - Security features
- Cleartext network traffic (HTTP) disabled by default, apps need to explicitly set
cleartextTrafficPermitted
totrue
in their Network Security Config it if they still want to use it (not recommended), see Network TLS enabled by default section of Behavior changes: apps targeting API level 28+ and Android: Cleartext HTTP traffic not permitted Android 9 - Update to Keymaster 4 with support for 3DES encryption and secure key import, see Hardware-backed Keystore and Keymaster Functions
- Replace many BouncyCastle implementations of cryptographic algorithms with Conscrypt ones, see Conscrypt implementations of parameters and algorithms section of Android 9 Behavior changes: all apps
- Added support for embedded Secure Element (SE), see Secure Element (SE) service section of Android 9 release notes and CTS test for Secure Element
- Disk Encryption (can be either Full Disk Encryption (FDE) or File Based Encryption (FBE)) is mandatory for all devices (shipping with this version)
- BiometricPrompt introduced standardizing the UI that is shown during biometric authentication and providing a better API to apps that is harder to misuse, the previous solution, FingerprintManager gets deprecated, see Show a biometric authentication dialog
Security Enhancements - Android 10
Android 10 release notes - Security features
- File access disabled by default in
WebView
, see setAllowFileAccess method of WebSettings - TLS 1.3 become available and enabled by default, see TLS 1.3 enabled by default section of Android 10 Behavior changes: all apps
- Certificates signed with SHA-1 no longer trusted in TLS
- Background apps cannot launch other Activities (e.g. other apps), see Background apps launching section of Android 10 release notes and Background activity restrictions section of Security and Privacy Enhancements in Android 10
- File Based Encryption (FBE) is mandatory for devices that launch with this Android version (devices updated to it can still continue using Full Disk Encryption (FDE)), see Encryption
FLAG_SECURE
flag is added for biometric or device credential (PIN, pattern or password) prompts, including both unlocking the device and BiometricPrompt in apps - this means you cannot take a screenshot of these screens and they also appear blacked out in screen shares, see source for com.android.systemui.biometrics.AuthContainerView on Android Code Search- Only the default Input Method Editor (IME) app can access Clipboard data from the background, see Limited access to clipboard data section of Privacy changes in Android 10 and Clipboard data section of Security and Privacy Enhancements in Android 10
- StrandHogg 2.0 exploit (CVE-2020-0096) no longer possible (a patch for the vulnerability is also backported to Android 8.0, 8.1 and 9.0 with the May 2020 security update - if the manufacturer released the update to a device), see StrandHogg Attack / Task Affinity Vulnerability and StrandHogg 2.0 Exploit Explained - Why Users and Android App Developers should care and Strandhogg Vulnerability
Android 11 release notes - Secure
- Task Hijacking (StrandHogg 1.0) exploit (when another app sets its
taskAffinity
to the same as the target to trick the user to launch it even if they inteded to launch the target app and used it's legitimate app icon) no longer possible, see StrandHogg Attack / Task Affinity Vulnerability and Strandhogg Vulnerability - Apps can no longer query information about other installed apps by default, see Package visibility filtering on Android and Package visibility in Android 11
- Runtime Permissions auto-reset for unused apps, see Auto-reset permissions from unused apps section of Permissions updates in Android 11 and Auto-reset permissions of unused apps section of Request runtime permissions
- Scoped Storage introduced, but apps can still opt-out of it via
requestLegacyExternalStorage
, see Storage updates in Android 11 and Opt out in your production app section of Android storage use cases and best practices
Security Enhancements - Android 12
android:exported
flag needs to be defined explicitly in Manifests for components (Activities, Content Providers, etc.) that declare Intent Filters, see Safer component exporting section of Behavior changes: Apps targeting Android 12- Generic web Intents resolve to user's default browser app unless the target app is approved for the specific domain contained in that web Intent, see Web intent resolution section of Android 12 Behavior changes: all apps
- Replace more BouncyCastle implementations of cryptographic algorithms with Conscrypt ones, see BouncyCastle implementation removed section of Android 12 Behavior changes: all apps
- The user gets notified if an app accesses Clipboard data of another app for the first time, see System notification shown when your app accesses clipboard data section of Copy and paste
- Apps can no longer close System Dialogs, see Apps can't close system dialogs section of Android 12 Behavior changes: all apps
- Tapjacking mitigation: Apps are prevented from consuming touch events where an overlay obscures the app, see Cloak & Dagger
- Scoped Storage always enforced, opting out of it via
requestLegacyExternalStorage
is no longer possible, see Opt out in your production app section of Android storage use cases and best practices - New option to only grant permission to access approximate location
- New Privacy Indicators on the status bar to indicate to the user when an app uses camera or microphone
- BiometricManager.Strings API introduced providing localized strings for apps that use
BiometricPrompt
for authentication. - Added support for under-display fingerprint sensors
- Fingerprint Android Interface Definition Language (AIDL) introduced
- Private Compute Services introduced as a secure partition for processing sensitive user data on-device, used by AI-driven features like Live Caption, Now Playing and Smart Reply. Google defines it as a "secure, isolated data processing environment inside of the Android operating system that gives you control of the data inside, such as deciding if, how, and when it is shared with others". See Introducing Android’s Private Compute Services, Google officially explains how Android's Private Compute Core works and Android Private Compute Core Architecture whitepaper
- Rust language support for platform development
Security Enhancements - Android 13
Android 13 release notes - Security
- Non-matching Intents are blocked by Intent filters (apps cannot send an Intent to another app's exported component unless it fully matches the Intent filter defined by it), see Intents should match declared intent filters section of Android 13 and Android 13 QPR release notes
- Only File Based Encryption (FBE) is allowed, Full Disk Encryption (FDE) is no longer - not even for devices updated from a version that it was allowed
- Shared UIDs are deprecated. It was used to share the sandbox access between two or more apps and the ability to run in the same process. It could cause non-deterministic behavior within the package manager so it would be removed in a future Android version. See Application Signing
- Keymaster support for symmetric cryptographic primitives such as AES (Advanced Encryption Standard), HMAC (Keyed-Hash Message Authentication Code), and asymmetric cryptographic algorithms (including Elliptic Curve, RSA2048, RSA4096, and Curve 25519)
POST_NOTIFICATIONS
runtime permission added for sending non-exempt (including Foreground Services (FGS)) notifications from an app, see Notification runtime permission- Added per-use prompt for apps requesting access to all device logs, giving users the ability to allow or deny access, see Manage your device logs on Android
- Android Virtualization Framework (AVF) introduced, bringing together different hypervisors under one framework with standardized APIs.
- APK signature scheme v3.1 introduced, with all new key rotations that use
apksigner
will use the v3.1 signature scheme by default to target rotation for Android 13 and higher.
Security Enhancements - Android 14
Android 14 Security Release Notes
- Add some description to location permission prompts that describe why an app might need this permission.
- Significant improvements to Hardware-assisted AddressSanitizer (HWASan), which was introduced back in Android 10 as a memory error detection tool similar to the deprecated AddressSanitizer which it replaces.
- Added support to reject null-ciphered cellular connections, ensuring that circuit-switched voice and SMS traffic is always encrypted and protected from passive over-the-air interception, see Android 14 introduces first-of-its-kind cellular connectivity security features
- Added support for multiple IMEIs
- AES-HCTR2 is now the preferred mode of filenames encryption for devices with accelerated cryptography instructions.
- If an app targets Android 14 and uses Dynamic Code Loading (DCL), all dynamically-loaded files must be marked as read-only or otherwise, the system will throw an
Exception
, see Safer dynamic code loading section of Behavior changes: Apps targeting Android 14 or higher