Google is turning its attention to improving a vital part of Android security
Android smartphones, tablets and other devices have increased in complexity in the past decade. Now, Android devices are powered by multi-core processors and many other specialized processors that are part of a System on Chip (SoC).
These other processors play important roles, as they may offer specialized functionality to the system, be it by improving security, helping speed up image & video processing, or managing cellular communications.
The main processor, the Application Processor, was at the center of security in recent years. Threat actors devised methods and programs to exploit vulnerabilities, and manufacturers such as Google patched these and added more security features to make new exploits more difficult.
Google noticed the rise of a new attack vector in recent time. This one focused on "other parts of the software stack", including firmware according to Google. Firmware can best be described as software that powers devices. What makes firmware particularly interesting from a threat actor's perspective are several characteristics:
- Firmware is executed early when a device is powered on.
- It may be difficult to update firmware, especially if it has been attacked successfully.
- Firmware manipulations may grant malware persistency.
Firmware attacks are not as widespread as phishing or the spreading of malicious applications for Android. Firmware attacks are sophisticated, and most focus on lucrative targets and not broad attacks. While that makes it less likely that regular Android users will become the victims of such attacks, it is nevertheless important to deal with this threat.
Google announced plans to improve firmware defenses in future versions of Android. Google launched compiler-based mitigations in Android over the last years that added more layers of defense across the platform. The company wants to use the same methodology to harden the security of firmware that runs on Android.
Google is working with "ecosystem partners" to harden the security of firmware on Android. The company gives two examples. First, by using compiler-based sanitizers and other exploit mitigations in firmware, and second, by enabling additional memory safety features in firmware.
Compiler-based sanitizers are designed to detect bugs in code; Google uses them for other software projects, including its Google Chrome web browser, already. These would prevent exploits that target memory corruption vulnerabilities according to Google.
Google admits that these exploit mitigations are difficult to implement in firmware running on bare metal targets. One of the challenges that engineers face is that these systems are often resource-constrained and designed to "run a very specific set of functions". Improperly designed mitigations could result in functionality, performance or stability issues on the device.
The main goal is to maximize impact of the mitigations while minimizing the performance and stability impact of them.
Firmware hardening is one of Google's top priorities when it comes to Android security. Google plans to expand these mitigations to more "bare metal targets" in the future, and hopes that its partners will do the same.
The company has yet to reveal when this new wave of mitigations will become available. Google published the first preview of Android 14 earlier this month. Instructions on installing the Android 14 Developer Preview are found here.
It’s nice Google are working with “ecosystem partners” to harden the security of firmware on Android. However, I can’t help but feel it would be more impactful if they would work with “ecosystem partners” to ensure a stricter security update patching routine.
Some Android “ecosystem partners” only provide security updates for a short period of time; others provide security updates for a longer period of time, but roll them out if and when they feel like it. This leaves uses exposed to more risk than firmware bugs. With vulnerabilities being constantly discovered, “ecosystem partners” either not providing the security updates, or not providing timely security updates, is a problem (I.E. they should be patched monthly). If a security vulnerability is being exploited in the wild or is publicly disclosed and the devices are not patched for months (or at all), then that needs addressing. Apple and Microsoft manage it.
All currently OS that are widespread around tons of devices should invest 80% of their task force to prevent security breaches and make robust security implementations. Thanks for the article.