Security features in Android 5.0

Android 5.0 is here, but what kind of security does it offer?

We took a look at Android 5.0 Lollipop’s security, specifically its corporate-oriented security features; it offers quite a few.

Android security: the issues

Android has a reputation for having the most malware-targeted mobile OS. In part, this is due to its popularity as a “cheaper alternative” to the iOS-based devices, and partially because of the past errors in code and the persistence of the legacy devices in use. Existence of third-party app stores with under-controlled content is a major factor as well.

While Google engineers argue that the security issues with Android are exaggerated, the latest joint report released in October by Kaspersky Lab and INTERPOL shows that slightly above 98% of mobile malware targets Android-based devices worldwide, and as the user base grows, so do the threats.

Still, it would be unfair to say Google does nothing about it. It actually does a lot. Android 4.2 Jelly Bean, released in 2012, came with a lot of enhanced security features. Among them: a built-in malware scanner which works in combination with Google Play, but is also capable of scanning apps installed from third party sources, and an alert system which notifies the user when an app tries to send a premium-rate text message, blocking the message unless the user explicitly authorizes it.

What comes with Lollipop?


Security candies

New security features in Android 5.0 include:

1. SELinux enforcing mode for all applications on all devices

SELinux stands for Security Enhanced Linux – Android has been built on this since last year. According to Google’s official Android blog, SELinux “pushes enforcement of the Android security model further into the core of the OS and makes it easier to audit and monitor so there’s less room for an attack”. Simply put: The security checks are made at the kernel level. Not exactly a “corporate-oriented” feature, but an extremely important one.

2. Full device encryption from the start

Previously disabled by default, it would require a user to dig up the device setting to find it, then wait while all the device data is being encrypted – a time-consuming task.

This time, Android offers to turn on encryption at the first boot-up of a new device running Lollipop, and since the device is supposed to be mostly clean of data, it will run fast and smooth. New data will be encrypted as it arrives. This feature is of utmost importance for corporate security, as well as for the safety of the users’ personal data.

3. Smart Lock, smart and aware

While malware threats are displeasing, the possibility of losing the device or getting it stolen is a much more immediate threat. What Google offers to mitigate this is strange, but interesting. The Smart Lock feature, according to Google, “lets you tell your phone to unlock using Bluetooth pairing, NFC, or simply your smile — faster than before”.

That essentially means the device will unlock itself once it discovers a certain “beacon of safety” – a certain Bluetooth device or an NFC tag that marks a safe environment.

How safe is this particular approach? Connectivity-for-security is a good trend, well aligned with the “Internet of Things” paradigm, although there is reasonable concern of possible vulnerabilities in certain devices and connectivity protocol implementation issues.

Interestingly, according to Computerworld, Google plans to move forward with this approach, adding features to the current Smart Lock functionality via Google Play (so you won’t have to wait for the next major release to acquire them).

And what about “with your smile”? Its Trusted Face feature unlocks the device by facial recognition. This was actually introduced with Android 4.0, but was barely usable. Now it looks more practical.

4. Lend a device, not data

Android 5.0 offers a set of functions for shared devices – i.e. for smartphones that more than one person uses.

First, there is a Guest User mode available for both phones and tablets: A guest may use their basic functions, but will not have access to the owner’s personal data.

The other feature is more interesting. If you forget your phone, you still can call anyone or access your messages or photos by logging into another Lollypop device. That essentially means data is stored in the cloud and accessible from any Lollypop device. This approach is similar to what Google offers with the Chrome browser: Install a fresh new browser on a new PC, and once you’ve logged into your Google Account, all of your bookmarks and settings are imported automatically.

Google recently tightened the security noose further with Chrome and Google Accounts, preventing – by default – access attempts from “insecure” apps and devices. For instance, just a few days ago this blogpost author’s attempt to login into Google Talk from an iPad failed, and a security alert was raised in Chrome. However, after installing Google Hangouts the problem went away on its own, without changing these new-default settings.

5. Reaching out

With device loss a major security concern, mobile OS simply must have functions for remote control over the device. Android offers a full range of them. Since 2013 it’s equipped with Android Device Manager, which allows you to find the lost device, locate it on a map, or, if it absolutely cannot be recovered promptly, wipe out all of the data, preventing it from getting into the wrong hands.

This is a feature especially important for businesses. Too often sensitive data is stored on mobile devices, which are easily misplaced. Having those devices compromised could lead to long lasting and devastating repercussions.

There is also a Factory Reset Protection feature, a somewhat euphemistic name for remote bricking the device. Without knowing the password, the stolen smartphone or tablet will be unusable and, more importantly, unable to be wiped. This is supposed to be discouraging to thieves since they won’t be able to access the data or sell it as a new device.

6. Android for Work

A number of system-level, enterprise-oriented features have been added to Lollipop. Samsung, which is a hardware mainstay for Android, contributed its Knox security framework for segregating personal and work-oriented data from each other on a device, along with a few accompanying APIs for managing the environment. IT personnel will be able to deploy apps in bulk to business-user devices and maintain centralized control over sensitive functions, which is a necessity for keeping BYOD in good health, diminishing the headache it causes to admins.

7. The right stuff

Google does a great job with improving security. This, however, doesn’t mean that all security issues with Android will be sorted out with 5.0.

First, adoption rates of new versions of Android are notoriously slow. The most popular version today is last year’s Kitkat (4.4) with 30.2% distribution share, but Jelly Bean 4.1.x and 4.2.x, released in July and November 2012, hold 22.8% and 20.8%, respectively (summing to over 40% together). And yet older and weaker 2.3.x Gingerbread versions still hold slightly below 10%.

All of the older versions had a lot of room for improving security – just a week ago a new critical bug was discovered, affecting all Android versions below 5.0. Eventually we will most likely see some critical bugs in Lollipop too, as no software is flawless.

But the “persistence” of the older versions is clearly a human factor, as is the negligence of users who ignore security and encryption tools in their devices.

A human factor is actually the primary security concern everywhere, but the durability and security of a software platform is important, too. Microsoft keeps doing their job by improving the security of Windows, which has always been the most targeted PC operating system. Google is following the same path now with Android, although at a much higher velocity. It is extremely encouraging to see Android’s security being improved quickly, and we can only hope that Google keeps up the good work.