Google is hardening Android security at the firmware level

Why it matters: Android is the world’s most popular mobile operating system, but it’s also the hardest to secure against a variety of cybersecurity threats that keep evolving. Google aims to improve on that front by introducing security features baked in at the firmware level, some of which will come with a performance hit.

Google says it’s working on a new way to boost the security of its Android operating system by reinforcing it at the level closest to the actual hardware it’s running on. The decision aligns with the general trend of securing less visible components of the software stack to add more protection layers against modern cyber threats.

All Android devices today are powered by multi-core processors called application processors, and they are accompanied by additional processors specialized for processing images, video, and security as well as cellular communications. Collectively, they are known as Systems-on-Chip or SoCs and are governed by firmware.

Malicious actors are increasingly targeting this part of the software stack by finding bugs and vulnerabilities which can be exploited over the air. This kind of attack surface is of particular concern to companies like Google that have to coordinate with a large number of OEM partners to distribute security fixes in a timely manner.

Google has a multi-pronged approach to hardening the security of the Android platform. First, it wants to introduce a protection mechanism in the form of compiler-based sanitizers which are able to catch memory safety issues early on in the software development process.

Second, it will work with hardware partners to add memory safety features at the firmware level. These are supposed to prevent any critical memory errors and include a mechanism that zeroes out memory pages before they can be allocated by an app. This ensures that random data left behind by a different app is truly gone.

Last, the company will incorporate a series of mitigations designed to make it harder for hackers to exploit unknown bugs. One side effect of these will be that performance will take a hit as not all parts of an SoC have the same resources. Google admits this will be a challenge moving forward but also emphasizes that optimizations can be done to achieve a good balance between performance and security.

Meanwhile, one of Google’s biggest security issues remains the fragmentation of the Android ecosystem. The company has put a lot of effort into writing almost all new code for Android versions 12 and newer in memory-safe languages like Rust, but adoption by users has been relatively slow. It also doesn’t help that malware creators are easily defeating Android security with stolen Platform certificates.

Masthead credit: Daniel Romero