In Android 11 we continue to increase the security of the Android platform. We have moved to safer default settings, migrated to a hardened memory allocator, and expanded the use of compiler mitigations that defend against classes of vulnerabilities and frustrate exploitation techniques.
We’ve enabled forms of automatic memory initialization in both Android 11’s userspace and the Linux kernel. Uninitialized memory bugs occur in C/C++ when memory is used without first having been initialized to a known safe value. These types of bugs can be confusing, and even the term “uninitialized” is misleading. Uninitialized may seem to imply that a variable has a random value. In reality it isn’t random: it has whatever value was previously placed there, and that value may be predictable or even attacker controlled. Unfortunately this behavior can result in serious vulnerabilities, such as information disclosure bugs (for example ASLR bypasses) or control flow hijacking via a stack or heap spray. Another possible side effect of using uninitialized values is that advanced compiler optimizations may transform the code unpredictably, since the relevant C standards consider this undefined behavior.
In practice, uses of uninitialized memory are difficult to detect. Such errors may sit in the codebase unnoticed for years if the memory happens to be initialized with some “safe” value most of the time. When uninitialized memory results in a bug, it is often challenging to identify the source of the error, particularly if it is rarely triggered.
Eliminating an entire class of such bugs is a lot more effective than hunting them down individually. Automatic stack variable initialization relies on a feature in the Clang compiler which allows local variables to be initialized with either zeros or a pattern.
Initializing to zero provides safer defaults for strings, pointers, indexes, and sizes. The downsides of zero init are less-safe defaults for return values, and exposing fewer bugs where the underlying code relies on zero initialization. Pattern initialization tends to expose more bugs; it is generally safer for return values and less safe for strings, pointers, indexes, and sizes.
Automatic stack variable initialization is enabled throughout the entire Android userspace. During the development of Android 11, we initially selected pattern in order to uncover bugs relying on zero init and then moved to zero-init after a few months for increased safety. Platform OS developers can build with `AUTO_PATTERN_INITIALIZE=true m` if they want help uncovering bugs relying on zero init.
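The return-value trade-off described above, as an added example that is not code from the Android post. The stale bytes an uninitialized local would hold are modelled by an explicit `stale` argument so the outcome is deterministic instead of undefined; the 0xAA byte pattern for integers is assumed from Clang’s pattern mode, and all function names are hypothetical.

```c
// Added example (not from the Android post): the return-value case the post
// describes. The stale bytes an uninitialized local would hold are modelled by
// an explicit 'stale' argument so the result is deterministic rather than
// undefined; all function names are hypothetical.
#include <stdint.h>
#include <stddef.h>

#define ERR_BAD_INPUT (-1)
#define ERR_TOO_LONG  (-2)

/* What automatic initialization leaves in a 32-bit integer before any explicit
 * assignment: all zero bytes, or the repeating 0xAA byte pattern Clang uses for
 * integers (assumed here; the exact pattern is a compiler detail). */
#define AUTO_INIT_ZERO    ((int32_t)0x00000000)
#define AUTO_INIT_PATTERN ((int32_t)0xAAAAAAAAu)

/* Buggy shape: 'status' is assigned only inside the loop. For len == 0 the
 * function returns whatever the slot already held. */
int32_t copy_checked_buggy(const uint8_t *in, size_t len, uint8_t *out,
                           size_t cap, int32_t stale)
{
    int32_t status = stale;            /* stands in for 'int32_t status;' */
    if (len > cap)
        return ERR_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == 0xFF) {           /* 0xFF is a forbidden byte here */
            status = ERR_BAD_INPUT;
            break;
        }
        out[i] = in[i];
        status = 0;
    }
    return status;
}

/* Fixed shape: fail closed with an explicit initializer, so the result no
 * longer depends on the compiler's auto-init policy at all. */
int32_t copy_checked_fixed(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    int32_t status = ERR_BAD_INPUT;    /* empty input is rejected, not accepted */
    if (len > cap)
        return ERR_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == 0xFF)
            return ERR_BAD_INPUT;
        out[i] = in[i];
        status = 0;
    }
    return status;
}

/* Would a caller that treats status == 0 as success accept an empty buffer
 * under the given auto-init value? 1 means the bug is masked as "success":
 * zero init hides it, pattern init turns it into a visible error. */
int empty_input_accepted(int32_t auto_init_value)
{
    uint8_t out[8];
    return copy_checked_buggy(NULL, 0, out, sizeof out, auto_init_value) == 0;
}

/* The mirror case from the post: a size read before it is set. Under zero init
 * the stale size is 0 and a copy does nothing; under pattern init it is huge
 * and a copy of 'stale_size' bytes would run far past 'cap'. */
int stale_size_overruns(size_t cap, size_t stale_size)
{
    return stale_size > cap;
}
```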
Initializing the Kernel
Automatic stack and heap initialization were recently merged in the upstream Linux kernel. We have made these features available on earlier versions of Android’s kernel including 4.14, 4.19, and 5.4. These features enforce initialization of local variables and heap allocations with known values that cannot be controlled by attackers and are useless when leaked. Both features add some performance overhead, but they also prevent undefined behavior, improving both stability and security.
For kernel stack initialization we adopted CONFIG_INIT_STACK_ALL from upstream Linux. It currently relies on Clang pattern initialization for stack variables, although this is subject to change in the future.
Heap initialization is controlled by two boot-time flags, init_on_alloc and init_on_free, with the former wiping freshly allocated heap objects with zeroes (think s/kmalloc/kzalloc in the whole kernel) and the latter doing the same before the objects are freed (this helps to reduce the lifetime of security-sensitive data).
init_on_alloc is a lot more cache-friendly and has a smaller performance impact (within 2%), so it has been chosen to protect Android kernels.
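What the two flags change, modelled in an added example that is not code from the Android post or the kernel: a toy single-size-class allocator over a static arena, with `init_on_alloc` and `init_on_free` as switches. The arena, the constructed secret and all names are this example’s own.

```c
// Added example (not from the Android post, and not kernel code): a toy
// single-size-class allocator that models what init_on_alloc and init_on_free
// change. The arena, the 'secret' payload and all names are constructed.
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define CHUNK_SIZE 32
#define NUM_CHUNKS 4

static uint8_t arena[NUM_CHUNKS][CHUNK_SIZE];
static bool    in_use[NUM_CHUNKS];

/* The boot-time knobs, modelled as globals. */
static bool init_on_alloc = false;
static bool init_on_free  = false;

/* Reset the model to a known state so each scenario starts fresh. */
void model_reset(bool on_alloc, bool on_free)
{
    init_on_alloc = on_alloc;
    init_on_free  = on_free;
    memset(arena, 0xCD, sizeof arena);   /* 0xCD: arbitrary "old" contents */
    memset(in_use, 0, sizeof in_use);
}

/* Lowest free chunk is handed out first, like a simple free list; without
 * init_on_alloc the caller sees whatever the previous owner left behind. */
void *model_alloc(void)
{
    for (int i = 0; i < NUM_CHUNKS; i++) {
        if (!in_use[i]) {
            in_use[i] = true;
            if (init_on_alloc)
                memset(arena[i], 0, CHUNK_SIZE);   /* the kzalloc behaviour */
            return arena[i];
        }
    }
    return NULL;
}

void model_free(void *p)
{
    for (int i = 0; i < NUM_CHUNKS; i++) {
        if (p == arena[i]) {
            if (init_on_free)
                memset(arena[i], 0, CHUNK_SIZE);   /* wipe before recycling */
            in_use[i] = false;
            return;
        }
    }
}

/* Scenario: one owner stores a secret and frees the chunk; a second, unrelated
 * allocation then receives the same chunk. Returns true if the secret is still
 * visible to the new owner, i.e. the stale data has been disclosed. */
bool secret_leaks_to_next_owner(bool on_alloc, bool on_free)
{
    static const uint8_t secret[] = "constructed-session-key";
    model_reset(on_alloc, on_free);
    uint8_t *first = model_alloc();
    memcpy(first, secret, sizeof secret);
    model_free(first);
    uint8_t *second = model_alloc();         /* recycles the same chunk */
    bool leaked = memcmp(second, secret, sizeof secret) == 0;
    model_free(second);
    return leaked;
}

/* The lifetime argument for init_on_free: after the owner frees the chunk, is
 * the secret still sitting in the arena before any reallocation happens? */
bool secret_survives_free(bool on_free)
{
    static const uint8_t secret[] = "constructed-session-key";
    model_reset(false, on_free);
    uint8_t *p = model_alloc();              /* arena[0], since all chunks are free */
    memcpy(p, secret, sizeof secret);
    model_free(p);
    return memcmp(arena[0], secret, sizeof secret) == 0;
}
```

Either flag alone is enough to stop the recycled chunk from handing the secret to its next owner; only `init_on_free` also shortens how long the secret sits in freed memory.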
Scudo is now Android’s default native allocator
In Android 11, Scudo replaces jemalloc as the default native allocator for Android. Scudo is a hardened memory allocator designed to help detect and mitigate memory corruption bugs in the heap, such as:
Scudo does not fully prevent exploitation but it does add a number of sanity checks which are effective at strengthening the heap against some memory corruption bugs.
It also proactively organizes the heap in a way that makes exploitation of memory corruption more difficult, by reducing the predictability of the allocation patterns, and separating allocations by sizes.
In our internal testing, Scudo has already proven its worth by surfacing security and stability bugs that were previously undetected.
Finding Heap Memory Safety Bugs in the Wild (GWP-ASan)
Android 11 introduces GWP-ASan, an in-production heap memory safety bug detection tool that’s integrated directly into the native allocator Scudo. GWP-ASan probabilistically detects and provides actionable reports for heap memory safety bugs when they occur, works on 32-bit and 64-bit processes, and is enabled by default for system processes and system apps.
GWP-ASan is also available for developer applications via a one line opt-in in an app’s AndroidManifest.xml, with no complicated build support or recompilation of prebuilt libraries necessary.
Software Tag-Based KASAN
Continuing work on adopting the Arm Memory Tagging Extension (MTE) in Android, Android 11 includes support for kernel HWASAN, also known as Software Tag-Based KASAN. Userspace HWASAN is supported since Android 10.
KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to find out-of-bound and use-after-free bugs in the Linux kernel. Its Software Tag-Based mode is a software implementation of the memory tagging concept for the kernel. Software Tag-Based KASAN is available in 4.14, 4.19 and 5.4 Android kernels, and can be enabled with the CONFIG_KASAN_SW_TAGS kernel configuration option. Currently Tag-Based KASAN only supports tagging of slab memory; support for other types of memory (such as stack and globals) will be added in the future.
Compared to Generic KASAN, Tag-Based KASAN has significantly lower memory requirements (see this kernel commit for details), which makes it usable on dog food testing devices. Another use case for Software Tag-Based KASAN is checking the existing kernel code for compatibility with memory tagging. As Tag-Based KASAN is based on similar concepts as the future in-kernel MTE support, making sure that kernel code works with Tag-Based KASAN will ease in-kernel MTE integration in the future.
Expanding existing compiler mitigations
We’ve continued to expand the compiler mitigations that have been rolled out in prior releases as well. This includes adding both integer and bounds sanitizers to some core libraries that were lacking them. For example, the libminikin fonts library and the libui rendering library are now bounds sanitized. We’ve hardened the NFC stack by implementing both integer overflow sanitizer and bounds sanitizer in those components.
The effectiveness of our software codec sandbox
Prior to the release of Android 10 we announced a new constrained sandbox for software codecs. We’re really pleased with the results. Thus far, Android 10 is the first Android release since the infamous stagefright vulnerabilities in Android 5.0 with zero critical-severity vulnerabilities in the media frameworks.
Thank you to Jeff Vander Stoep, Alexander Potapenko, Stephen Hines, Andrey Konovalov, Mitch Phillips, Ivan Lozano, Kostya Kortchinsky, Christopher Ferris, Cindy Zhou, Evgenii Stepanov, Kevin Deus, Peter Collingbourne, Elliott Hughes, Kees Cook and Ken Chen for their contributions to this post.
This blog post is part of a weekly series for #11WeeksOfAndroid. For each #11WeeksOfAndroid, we’re diving into a key area so you don’t miss anything. This week, we spotlighted Privacy and Security; here’s a look at what you should know.
Privacy and security is core to how we design Android, and with every new release we increase our investment in this space. Android 11 continues to make important strides in these areas, and this week we’ll be sharing a series of updates and resources about Android privacy and security. But first, let’s take a quick look at some of the most important changes we’ve made in Android 11 to protect user privacy and make the platform more secure.
As shared in the “All things privacy in Android 11” video, we’re giving users even more control over sensitive permissions. Throughout the development of this release, we have engaged deeply and frequently with our developer community to design these features in a balanced way – amplifying user privacy while minimizing developer impact. Let’s go over some of these features:
One-time permission: In Android 10, we introduced a granular location permission that allows users to limit access to location only when an app is in use (aka foreground only). When presented with the new runtime permissions options, users choose foreground only location more than 50% of the time. This demonstrated to us that users really wanted finer controls for permissions. So in Android 11, we’ve introduced one time permissions that let users give an app access to the device microphone, camera, or location, just that one time. As an app developer, there are no changes that you need to make to your app for it to work with one time permissions, and the app can request permissions again the next time the app is used. Learn more about building privacy-friendly apps with these new changes in this video.
Background location: In Android 10 we added a background location usage reminder so users can see how apps are using this sensitive data on a regular basis. Users who interacted with the reminder either downgraded or denied the location permission over 75% of the time. In addition, we have done extensive research and believe that there are very few legitimate use cases for apps to require access to location in the background.
In Android 11, background location will no longer be a permission that a user can grant via a run time prompt and it will require a more deliberate action. If your app needs background location, the system will ensure that the app first asks for foreground location. The app can then broaden its access to background location through a separate permission request, which will cause the system to take the user to Settings in order to complete the permission grant.
In February, we announced that Google Play developers will need to get approval to access background location in their app to prevent misuse. We’re giving developers more time to make changes and won’t be enforcing the policy for existing apps until 2021. Check out this helpful video to find possible background location usage in your code.
Permissions auto-reset: Most users tend to download and install over 60 apps on their device but interact with only a third of these apps on a regular basis. If users haven’t used an app that targets Android 11 for an extended period of time, the system will “auto-reset” all of the granted runtime permissions associated with the app and notify the user. The app can request the permissions again the next time the app is used. If you have an app that has a legitimate need to retain permissions, you can prompt users to turn this feature OFF for your app in Settings.
Data access auditing APIs: Android encourages developers to limit their access to sensitive data, even if they have been granted permission to do so. In Android 11, developers will have access to new APIs that will give them more transparency into their app’s usage of private and protected data. The APIs will enable apps to track when the system records the app’s access to private user data.
Scoped Storage: In Android 10, we introduced scoped storage which provides a filtered view into external storage, giving access to app-specific files and media collections. This change protects user privacy by limiting broad access to shared storage in many ways including changing the storage permission to only give read access to photos, videos and music and improving app storage attribution. Since Android 10, we’ve incorporated developer feedback and made many improvements to help developers adopt scoped storage, including: updated permission UI to enhance user experience, direct file path access to media to improve compatibility with existing libraries, updated APIs for modifying media, Manage External Storage permission to enable select use cases that need broad files access, and protected external app directories. In Android 11, scoped storage will be mandatory for all apps that target API level 30. Learn more in this video and check out the developer documentation for further details.
Google Play system updates: Google Play system updates were introduced with Android 10 as part of Project Mainline. Their main benefit is to increase the modularity and granularity of platform subsystems within Android so we can update core OS components without needing a full OTA update from your phone manufacturer. Earlier this year, thanks to Project Mainline, we were able to quickly fix a critical vulnerability in the media decoding subsystem. Android 11 adds new modules, and maintains the security properties of existing ones. For example, Conscrypt, which provides cryptographic primitives, maintained its FIPS validation in Android 11 as well.
BiometricPrompt API: Developers can now use the BiometricPrompt API to specify the biometric authenticator strength required by their app to unlock or access sensitive parts of the app. We are planning to add this to the Jetpack Biometric library to allow for backward compatibility and will share further updates on this work as it progresses.
Identity Credential API: This will unlock new use cases such as mobile driver’s licences, National ID, and Digital ID. It’s being built by our security team to ensure this information is stored safely, using security hardware to secure and control access to the data, in a way that enhances user privacy as compared to traditional physical documents. We’re working with various government agencies and industry partners to make sure that Android 11 is ready for such digital-first identity experiences.
Thank you for your flexibility and feedback as we continue to build an increasingly more private and secure platform. You can learn about more features in the Android 11 Beta developer site. You can also learn about general best practices related to privacy and security.
You can find the entire playlist of #11WeeksOfAndroid video content here, and learn more about each week here. We’ll continue to spotlight new areas each week, so keep an eye out and follow us on Twitter and YouTube. Thanks so much for letting us be a part of this experience with you!