Google has explained how it is trying to improve Android security, and the steps it is taking to tackle common threats.
It revealed that 59% of the critical and high-severity security vulnerabilities affecting its Android operating system are memory issues, such as memory corruption and overflows.
Memory safety issues were by far the top category of security issue, followed by permissions bypass flaws, which accounted for 21% of those that Google security engineers fixed in 2019.
Memory issues are generally the top category of security flaw on major platforms like Java, Windows 10, and Chrome. Google engineers last year said 70% of Chrome security bugs are memory safety issues. Prior to that, Microsoft engineers said 70% of all the bugs it fixed in its products were memory safety problems: flaws that let software read or write memory outside the regions and addresses that were allocated to it by the operating system.
Google today says it is encouraging developers to move to memory-safe programming languages such as Java, Kotlin, and Rust, but is also attempting to improve the safety of C and C++. Both are part of its efforts to harden Android and protect the OS against malware and exploits.
“C and C++ do not provide memory safety the way that languages like Java, Kotlin, and Rust do. Given that the majority of security vulnerabilities reported to Android are memory safety issues, a two-pronged approach is applied: improving the safety of C/C++ while also encouraging the use of memory safe languages,” Google says in a blogpost from the Android Security & Privacy Team.
Amazon Web Services (AWS) and Microsoft are also pushing the adoption of Rust for the same security reasons. Mozilla created Rust to deal with C++ memory-related security issues in its Gecko engine for Firefox. Version 1.0 of Rust launched in 2015, but adoption is still relatively low. Microsoft is eyeing it for systems programming rather than application development. AWS used Rust to build Bottlerocket, its Linux-based container OS.
In terms of Android, the vast majority of bugs Google has fixed in the past year have been in the media, Bluetooth and NFC components. The media library was the key component affected by the critical and remotely exploitable Stagefright bugs in Android that Google disclosed in 2015.
According to Google, its efforts to harden the media server framework in Android meant that in 2020 it received not a single report of remotely exploitable critical vulnerabilities in Android media frameworks.
Google also details some of the security and performance trade-offs its engineers weigh up when considering what additional mitigations to add to Android. This decision is complicated by the need for Android to support cheap phones.
Beyond memory-safe languages, some of the mitigations in Android include sandboxing, Address Space Layout Randomization (ASLR), Control Flow Integrity (CFI), Stack Canaries, and Memory Tagging.
“Adding too much overhead to some components or the entire system can negatively impact user experience by reducing battery life and making the device less responsive. This is especially true for entry-level devices, which should benefit from hardening as well. We thus want to prioritize engineering efforts on impactful mitigations with acceptable overheads,” Google notes.
Google notes that the LLVM project’s Control Flow Integrity (CFI) was enabled in the media frameworks, Bluetooth, and NFC in Android Pie in 2018.
Microsoft has also made contributions to improving CFI via the Windows security feature called Control Flow Guard (CFG). Last year it enabled CFG support in the Clang/LLVM C++ compiler and in Rust.
Both companies are attempting to provide safer systems programming features for C and C++.