
Let's all take a look at what security improvements will be introduced with the new Android P

According to an overview of the new version of Android released by Google's Android development team, the next version of Android (Android P or Android 9.0) should be available for everyone to "eat" soon. The document indicates that Google's release push plan for the third quarter of 2018 will be implemented in about three months' time: the

The beta testing of Android P is now coming to an end and the first release candidate was officially released in July. As a practitioner in the security industry, it's important to look at exactly what new security features have been introduced in the latest version of Android. In this article, we will mainly discuss the improvements in Android security.

Enhance fingerprint authentication

In order to secure data, the vast majority of devices today have some form of authentication feature. The new version of Android P offers improved biometric-based authentication methods. In Android 8.1, two new metrics were introduced to help the authentication system defend against attacks, namely SAR (Spoof Accept Rate) and IAR (Imposter Accept Rate). Biometric authentication in the new version of Android will become more reliable and trustworthy with the improved biometric-based security model introduced by Android P.

In addition to this, Android P will also provide a standardized interface layout for the fingerprint verification dialog box as a way to increase user confidence in the security aspect. Application developers need to call a new API called BiometricPrompt when calling the fingerprint verification feature, and the rest of the verification logic does not need to be implemented by the developer.

Signature mechanism v3

Android P supports APK signing mechanism V3. The main difference between this version and V2 is the addition of key rotation support. For developers, key rotation is very useful because this mechanism includes ApkSignerLineage. With the help of this feature, you can easily sign a new certificate and bind it to the APK file. Although the signing mechanism V3 is enabled by default in newer versions of the system, you can still use older versions of signing certificates.

HTTPS is supported by default

Nowadays, many apps still transmit user data in an unencrypted form, which is a major security risk. People would be less concerned about data security if they knew that Android P supports secure transfer protocols by default. In Android P, third-party developers can enable HTTPS for their own apps, though they can also ignore this recommendation and assign dedicated domains to transmit unencrypted traffic data.
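The per-domain opt-out described above lives in an app's network security configuration file. The following audit script is an added example, not code from the original article: it parses a constructed sample config (the example.com domains are placeholders) and lists every domain for which cleartext traffic is still permitted, applying the platform rule that unset values inherit from the enclosing config and that apps targeting API 28 or higher default to no cleartext.

```python
import xml.etree.ElementTree as ET

# Constructed sample of res/xml/network_security_config.xml (not from the article).
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <domain-config cleartextTrafficPermitted="false">
            <domain includeSubdomains="false">pay.legacy.example.com</domain>
        </domain-config>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="false">api.example.com</domain>
    </domain-config>
</network-security-config>
"""

def _flag(elem, inherited):
    """Resolve cleartextTrafficPermitted, inheriting from the parent when unset."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"

def _walk(config, inherited, findings):
    allowed = _flag(config, inherited)
    for domain in config.findall("domain"):
        if allowed:
            subs = domain.get("includeSubdomains", "false").lower() == "true"
            findings.append(((domain.text or "").strip(), subs))
    for nested in config.findall("domain-config"):
        _walk(nested, allowed, findings)

def audit_cleartext(xml_text, target_sdk=28):
    """Return (base_allows_cleartext, [(domain, include_subdomains), ...])."""
    root = ET.fromstring(xml_text)
    # Platform default: cleartext is allowed only for apps targeting API 27 or lower.
    default = target_sdk < 28
    base = root.find("base-config")
    base_allowed = default if base is None else _flag(base, default)
    findings = []
    for config in root.findall("domain-config"):
        _walk(config, base_allowed, findings)
    return base_allowed, findings

if __name__ == "__main__":
    base, domains = audit_cleartext(SAMPLE_CONFIG)
    print("base-config allows cleartext:", base)
    for name, subs in domains:
        print("cleartext permitted:", name, "(+subdomains)" if subs else "")
```

Run against a release build's config, any domain this reports is one where user data can still leave the device unencrypted.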

Protection Confirmation API

A Protection Confirmation API will be present in all devices running Android P. With the help of this API, apps can use the ConfirmationPrompt class to show confirmation pop-ups to users and ask them if they are allowed to take the appropriate action, such as sensitive transactions and bill payments, among others.

After confirmation, the app receives a cryptographic signature that is generated in the Trusted Execution Environment (TEE) and protected by a keyed-hash message authentication code (HMAC). This mechanism ensures that the dialog box is displayed correctly and protects the user's input data, which is one aspect of the security enhancement.

Hardware Security Module

This additional update is something that every user will benefit from: devices with Android P installed will support a feature called StrongBox Keymaster, a feature module with its own CPU, a secure storage area, and a true random number generator that also protects the app's packets from being tampered with.

To support StrongBox Keymaster, Android P uses a subset of algorithms and key sizes, e.g.

AES 128 and 256

Triple DES 168

Peripheral device background policy

In Android P, the app will not have direct access to the device's microphone, camera, and sensors. When the app tries to access these components in the background, the user will receive a notification message. If the app tries to access component data in the background, the system will return blank audio data, disconnect the camera, and then have all sensors stop returning data.

Backup data encryption

Starting with Android P, the system will start using a client-based method to encrypt the user's backup data, which means that the entire encryption process will be done on the client device. Prior to this, such an encryption process was done on the server side.

Due to the introduction of the new policy, users will need to enter a device PIN or unlock pattern, or rely on biometrics, when restoring backup files.


One thing that all of these improvements will mean is that it will be much harder for cybercriminals to steal user data. This is good news for users as they don't have to go overboard worrying about their private data being compromised like they did before.

* Reference source: malwarebytes, compiled by FB Editor Alpha_h4ck, republished from FreeBuf.COM


(Information from the Internet, collected and compiled by Anwar Jinhe)
