Android has been the most widely used mobile operating system to date. With its huge base of end users, Android has also hosted numerous security-related bugs in the past. With the latest version, Android 6.0 (Marshmallow), being released, I expected to see a few changes in the security model.
Change in the permissions model
In versions of Android prior to Marshmallow, apps declared the permissions they required in the application manifest (install-time permissions); once installed, they could use those permissions without any further explicit consent from the user. Now a secondary prompt has been added for the user: it requires the user’s permission when an application looks to access data or functionality (run-time permissions), even if the application is a Google application. This creates an added layer of security for Android and will help stop applications that invade our privacy.
Hence, replacing the install-time permissions approach with run-time permissions will make sure that the user is prompted for permission each time the application accesses some data.
Setting the individual application permissions
The settings will have an option to turn individual application permissions on and off, inside the ‘Apps’ menu or from the ‘App Info’ screen. This lets us keep using an app even if we are concerned about it having access to certain permissions: we can easily grant or revoke the permission with the slider button in settings.
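As an added example that is not from the original post, here is how an app adapts to the two sections above (run-time prompts, and grants that the user can later revoke from ‘App Info’): it asks for READ_CONTACTS at the point of use and re-checks the grant before every access rather than trusting an earlier answer. It assumes the AndroidX compat library and a hypothetical ContactsActivity; loadContactsIfAllowed() would be called from onCreate() or a button handler.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Build;
import android.provider.ContactsContract;
import android.util.Log;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class ContactsActivity extends Activity {   // hypothetical activity, example only
    private static final String TAG = "ContactsActivity";
    private static final int REQ_READ_CONTACTS = 42;   // arbitrary request code
    private static final String PERM = Manifest.permission.READ_CONTACTS;

    // Check at the point of use, every time: on Marshmallow the user can revoke a
    // permission from Settings > Apps > App Info at any moment after granting it.
    private void loadContactsIfAllowed() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M
                || ContextCompat.checkSelfPermission(this, PERM) == PackageManager.PERMISSION_GRANTED) {
            readContacts();   // pre-M: install-time grant; M+: run-time grant still in place
            return;
        }
        if (ActivityCompat.shouldShowRequestPermissionRationale(this, PERM)) {
            // The user denied this once already; explain why it is needed before asking again.
            Log.i(TAG, "Contacts access is needed to suggest recipients");
        }
        ActivityCompat.requestPermissions(this, new String[]{PERM}, REQ_READ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_CONTACTS) return;
        // grantResults is empty if the dialog was interrupted; treat that as a denial.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            readContacts();
        } else {
            Log.w(TAG, "READ_CONTACTS denied; contact-based features stay disabled");
        }
    }

    private void readContacts() {
        try (Cursor c = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null)) {
            Log.i(TAG, "contacts readable: " + (c == null ? 0 : c.getCount()));
        }
    }
}
```

Calling readContacts() without the preceding check would throw a SecurityException on Marshmallow once the user flips the slider off, so the check belongs before every use, not only at first launch.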
Encryption-enabled devices
Encryption will be enabled on Android devices by default. New devices that ship with Marshmallow will have encryption enabled by default, with one necessary condition:
– AES crypto performance above 50 MiB per second
Devices that fulfil the above criterion will have encryption enabled for the private user data partition and the public data partition, which reside in /data and /sdcard respectively.
More details can be found in the Android 6.0 Compatibility Definition Document (CDD).
Android security patch level
A new field, ‘Android security patch level’, is added in the latest version of Android. It can be found in the ‘About Phone’ settings. This is a better indicator for users to understand how up to date their device is. In earlier versions there was only a build number, but with the introduction of this field the patch level is represented in a much more meaningful month/day/year format.
“It should make it really simple for users to understand the state of the device. The feature is part of Android’s attempt at making sure that security information and patch level information is available to users”
- Adrian Ludwig, the lead security engineer for Android
It will be interesting to see how these security features pan out once devices start getting the Marshmallow update.
To know more, go through our mobile application security services.