Category Archives: Android Blog

News and notes from the Android team

Making Android better for kids and families

We spend a lot of time thinking about how to make Android work for everyone. Whether it’s giving people their choice of device, or helping app developers make their apps more accessible, we think Android is at its best when more people have access to the power of mobile technology. And that includes kids. Kids are the most curious among us, and technology can be an avenue for them to express their creativity and to help them learn—whether they’re doing research for a school report, learning to string together a few chords on a guitar, or just playing their favorite games. At the same time, we want parents and kids to navigate technology together in a way that makes sense for their family.


Today, we’re happy to announce that Family Link, our solution for bringing kids and their parents into the Android ecosystem, is now available to parents in the United States without an invitation. Parents can also create a Google Account for their kid right from Android setup, and then manage their kid’s account and device with Family Link.


This is the next step in our journey, but we’re far from done. We’ve been humbled by the response from those who have already been using Family Link, and want to say thank you. We appreciate the positive pieces of feedback, as well as the many feature requests, and will continue to listen to your feedback as the product evolves.


Getting started with Family Link


When you're setting up your kid's Android device (see available devices), Google asks you to create an account. Enter your kid’s birthday, and if they’re under 13, you’ll be asked to provide consent to create the account. Once that's done, Family Link will automatically be downloaded to your kid's device, and you can choose the apps and settings that you want for your child. Once your kid’s device is set up, download Family Link on your own device, and you can use it to do things like:


  • Manage the apps your kid can use: Approve or block the apps your kid wants to download from the Google Play Store.

  • Keep an eye on screen time: See how much time your kid spends on their favorite apps with weekly or monthly activity reports, and set daily screen time limits for their device.

  • Set device bedtime: Remotely lock your kid’s device when it’s time to play, study, or sleep.


Family Link can help you set certain digital ground rules that work for your family, whether you’re occasionally checking in on your kid’s device activity, or locking their device every day before dinner time.


If you have questions about setting up an account for your kid or using Family Link, check out our Help Center.

Source: Android


Project Fi welcomes Android One, with the moto x4

With Project Fi, we set out to make your wireless experience fast, easy and fair—with access to three national 4G LTE networks, and international roaming at no extra cost. But many of you have asked us for more options for high quality, affordable devices that work with Project Fi. We've heard you and we're excited to launch our newest phone for Project Fi: the Android One moto x4.

We took some important steps with Android One earlier this month by expanding the program to bring a fresh, secure software experience designed by Google to more high-quality devices no matter the price point. The launch of Android One moto x4 on Project Fi is the next step in our commitment to work with more partners and expand Android One to new places.



Packed with a pure Android experience, advanced hardware and great network connectivity, here’s a closer look at what you’ll get with the new Android One moto x4.

Best-in-class software experience designed by Google

Like all Android One phones, Android One moto x4 runs a pure Android experience, with a clean software design and a carefully curated set of preinstalled apps to give you just what you need. For example, it comes optimized for the Google Assistant to help you get more done, and offers high-quality video calling with Google Duo. You’ll also get access to the latest updates from Android, such as Android Oreo before the end of the year. Android One moto x4 will be among the first to receive an upgrade to Android P.


Powerful cameras and unlimited high-quality photo storage

The Android One moto x4 comes with three cameras. A 12MP + 8MP dual rear camera system lets you capture wide-angle photos and detailed portraits. The front-facing camera comes packed with 16MP and an adaptive low light mode. And with free high quality storage from Google Photos, you never have to worry about running out of space.


All day battery and ultra-fast charging

Power through the day and enjoy your favorite Android software features like battery saver. When you need to recharge, TurboPower™ charging makes it ultra fast: You can get up to six hours of power in just 15 minutes.


Top of the line security

The Android One moto x4 will receive timely security updates and built-in malware protection from Google Play Protect, working around the clock to keep your device, data and apps safe.


The Android One moto x4 is priced at $399, comes in Super Black and Sterling Blue, and is available only in the U.S. on Project Fi’s network. You can pre-order it on the Project Fi website starting today. If you've got an older Nexus phone and want to trade it in for a new device, we're making it easier than ever with our new trade-in program. We’ll give you up to $165 for select Nexus devices, and if you start your trade-in for an Android One moto x4 by October 5, you’ll earn an extra $50 Fi credit.

Source: Android


7 ways admins can help secure accounts against phishing in G Suite

We work hard to help protect your company against phishing attacks—from using machine learning, to tailoring our detection algorithms, to building features to spot previously unseen attacks. While we block as many external attacks as we can, we continue to build and offer features designed to empower IT administrators to develop strong internal defenses against phishing.

Here are seven things we recommend admins do in G Suite to better protect employee data.

1. Enforce 2-step verification

Two-step verification (2SV) is one of the best ways to prevent someone from accessing your account, even if they steal your password. In G Suite, admins have the ability to enforce 2-step verification. 2SV can reduce the risk of successful phishing attacks by asking employees for additional proof of identity when they sign in. This can be in the form of phone prompts, voice calls, mobile app notifications and more.


G Suite also supports user-managed security keys—easy to use hardware authenticators. Admins can choose to enforce the use of security keys to help reduce the risk of stolen credentials being used to compromise an account. The key sends an encrypted signature and works only with authorized sites. Security keys can be deployed, monitored and managed directly from within the Admin console.


2. Deploy Password Alert extension for Chrome

The Password Alert Chrome extension checks each page that users visit to see if that page is impersonating Google’s sign-in page and notifies admins if users enter their G Suite credentials anywhere other than the Google sign-in page.

Admins can enforce deployment of the Password Alert Chrome extension from the Google Admin Console (Device management > App Management > Password Alert)—just sign in and get started. You should check “Force installation” under both “User Settings” and “Public session settings.”


Admins can also enable password alert auditing, send email alerts and enforce a password change policy when G Suite credentials have been used on a non-trusted website such as a phishing site.

3. Allow only trusted apps to access your data

Take advantage of OAuth apps whitelisting to specify which apps can access your users’ G Suite data. With this setting, users can grant access to their G Suite apps’ data only to whitelisted apps. This prevents malicious apps from tricking users into accidentally granting unauthorized access. Apps can be whitelisted by admins in the Admin console under G Suite API Permissions.


4. Publish a DMARC policy for your organization

To help your business avoid damage to its reputation from phishing attacks and impersonators, G Suite follows the DMARC standard. DMARC empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy and turning on DKIM email signing, you can ensure that emails that claim to be from your organization are actually from you.
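To make "defining a policy" concrete, the following added example (not part of the original post) parses a DMARC TXT record and reports settings that leave the policy unenforced. The domain `example.com`, the report address and the three sample records are constructed, and the parser simplifies the DMARC specification (RFC 7489) by rejecting any record without a valid `p=` tag.

```python
"""Audit a DMARC TXT record (published at _dmarc.<domain>) for enforcement gaps."""

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records for the placeholder domain example.com.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = ("v=DMARC1; p=quarantine; pct=25; sp=none; "
           "rua=mailto:dmarc-reports@example.com")
ENFORCED = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt):
    """Split a record into {tag: value}; raise ValueError if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        # Keep the first occurrence of a tag; tag names are case-insensitive.
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and is case-sensitive.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy tag")
    return tags


def audit_dmarc(txt):
    """Return (policy, findings); findings lists reasons the policy is weak."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    findings = []

    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")

    pct = int(tags.get("pct", "100"))  # default: apply policy to all mail
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")

    sp = tags.get("sp", policy).lower()  # subdomains inherit p= by default
    if sp not in VALID_POLICIES:
        raise ValueError("invalid sp= policy tag")
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")

    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to review before enforcing")

    return policy, findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK), ("partial", PARTIAL),
                          ("enforced", ENFORCED)):
        policy, findings = audit_dmarc(record)
        print(f"{label}: p={policy}")
        for finding in findings or ["no findings"]:
            print(f"  - {finding}")
```

A common rollout starts from the `WEAK` form to collect reports, then moves toward the `ENFORCED` form once legitimate senders are signing with DKIM.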

5. Disable third-party email client access for those who don't need it

The Gmail clients (Android, iOS, Web) leverage Google Safe Browsing to incorporate anti-phishing security measures such as disabling suspicious links and attachments and displaying warnings to users to deter them from clicking on suspicious links.


By choosing to disable POP and IMAP, Google Sync and G Suite Sync for Microsoft Outlook, admins can ensure that a significant portion of G Suite users will only use Gmail clients and benefit from the built-in phishing protections that they provide. Additional measures include enabling OAuth apps whitelisting to block third-party clients as suggested earlier in the blog.


Note: all third-party email clients, including native mobile mail clients, will stop working if the measures outlined above are implemented.


6. Encourage your team to pay attention to external reply warnings

By default, Gmail clients (Android, Web) warn G Suite users if they’re responding to emails sent from outside their domain by someone they don’t regularly interact with, or from someone not in their contacts. This helps businesses protect against forged emails, from malicious actors or just plain old user-error like sending an email to the wrong contact. Educate your employees to look for these warnings and be careful before responding to unrecognized senders. Unintended external reply warnings are controlled from the Admin console control in the “Advanced Gmail” setting.


7. Enforce the use of Android work profiles

Work profiles allow you to separate your organization's apps from personal apps, keeping personal and corporate data separate. By using integrated device management within G Suite to enforce the use of work profiles, you can whitelist applications that access corporate data and block installation of apps from unknown sources. You now have complete control over which apps have access to your corporate data.


These steps can help you improve your organization’s security posture and become more resistant to phishing attacks. Learn more at gsuite.google.com/security or sign up for our security webinar on September 20, 2017 which features new security research from Forrester and a demonstration on how the cloud can help effectively combat cyber threats.

Source: Android


7 ways admins can help secure accounts against phishing in G Suite

We work hard to help protect your company against phishing attacks—from using machine learning, to tailoring our detection algorithms, to building features to spot previously unseen attacks. While we block as many external attacks as we can, we continue to build and offer features designed to empower IT administrators to develop strong internal defenses against phishing.

Here are seven things we recommend admins do in G Suite to better protect employee data.

1. Enforce 2-step verification

Two-step verification (2SV) is one of the best ways to prevent someone from accessing your account, even if they steal your password. In G Suite, admins have the ability to enforce 2-step verification. 2SV can reduce the risk of successful phishing attacks by asking employees for additional proof of identity when they sign in. This can be in the form of phone prompts, voice calls, mobile app notifications and more.


G Suite also supports user-managed security keys—easy to use hardware authenticators. Admins can choose to enforce the use of security keys to help reduce the risk of stolen credentials being used to compromise an account. The key sends an encrypted signature and works only with authorized sites. Security keys can be deployed, monitored and managed directly from within the Admin console.

2. Deploy Password Alert extension for Chrome

The Password Alert Chrome extension checks each page that users visit to see if that page is impersonating Google’s sign-in page and notifies admins if users enter their G Suite credentials anywhere other than the Google sign-in page.

Admins can enforce deployment of the Password Alert Chrome extension from the Google Admin Console (Device management > App Management > Password Alert)—just sign in and get started. You should check “Force installation” under both “User Settings” and “Public session settings.”


Admins can also enable password alert auditing, send email alerts and enforce a password change policy when G Suite credentials have been used on a non-trusted website such as a phishing site.

3. Allow only trusted apps to access your data

Take advantage of OAuth apps whitelisting to specify which apps can access your users’ G Suite data. With this setting, users can grant access to their G Suite apps’ data only to whitelisted apps. This prevents malicious apps from tricking users into accidentally granting unauthorized access. Apps can be whitelisted by admins in the Admin console under G Suite API Permissions.


4. Publish a DMARC policy for your organization

To help your business avoid damage to its reputation from phishing attacks and impersonators, G Suite follows the DMARC standard. DMARC empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy and turning on DKIM email signing, you can ensure that emails that claim to be from your organization are actually from you.

5. Disable POP and IMAP access for those who don’t need it

The Gmail clients (Android, iOS, Web) leverage Google Safe Browsing to incorporate anti-phishing security measures such as disabling suspicious links and attachments and displaying warnings to users to deter them from clicking on suspicious links. 

By choosing to disable POP and IMAP, admins can ensure that all G Suite users will only use Gmail clients and benefit from the built-in phishing protections that they provide. POP and IMAP access can be disabled by admins at the organizational unit level.

Note: all third-party email clients including native mobile mail clients will stop working if POP and IMAP are disabled.


6. Encourage your team to pay attention to external reply warnings

By default, Gmail clients (Android, Web) warn G Suite users if they’re responding to emails sent from outside their domain by someone they don’t regularly interact with, or from someone not in their contacts. This helps businesses protect against forged emails, from malicious actors or just plain old user-error like sending an email to the wrong contact. Educate your employees to look for these warnings and be careful before responding to unrecognized senders. Unintended external reply warnings are controlled from the Admin console control in the “Advanced Gmail” setting.


7. Enforce the use of Android work profiles

Work profiles allow you to separate your organization's apps from personal apps, keeping personal and corporate data separate. By using integrated device management within G Suite to enforce the use of work profiles, you can whitelist applications that access corporate data and block installation of apps from unknown sources. You now have complete control over which apps have access to your corporate data.


These steps can help you improve your organization’s security posture and become more resistant to phishing attacks. Learn more at gsuite.google.com/security or sign up for our security webinar on September 20, 2017 which features new security research from Forrester and a demonstration on how the cloud can help effectively combat cyber threats.

Source: Android


Android Wear: 20+ watches for fall

Android Wear was created to take smartwatches beyond “one size fits all.” That's why we're thrilled there are even more ways to express your style this fall—all while keeping you informed with messages at a glance, activity tracking, and help from your Google Assistant.


Fit for the runway

With Android Wear, you never have to sacrifice fashion for function. We've partnered with designer brands like: Diesel, Emporio Armani, Fossil, Guess, Gc, Hugo Boss, Michael Kors and Tommy Hilfiger. With a range of designs and endless watch face options, you'll always be able to find a look that matches your outfit or mood. The Michael Kors Access My Social app lets you dress up your watch face with your favorite Instagram or Facebook photos. Fossil Q Explorist and Q Venture’s unique social sharing feature lets you share your personalized watch face with friends.

Crafted for multi-tasking

If you want a watch that keeps up with your busy life, Android Wear has options. The Montblanc Summit lets you stay ahead and in style, while keeping an eye on your heart rate. The TAG Heuer Connected Modular 45 is the ultimate in customizable luxury, combining the latest technology with Swiss watchmaking—including both Android Pay and built-in GPS. Movado Connect maintains its iconic design while providing 100 watch face variations and on-watch payments with Android Pay. Want to leave your phone behind? The ZTE Quartz is smart, affordable and cellular enabled.

Stamina for active lives

With heart rate monitoring, activity tracking, GPS, music on the go and sporty designs, Android Wear has a range of watches built for your workout. The Huawei Watch 2 provides motivation with a professional running coach feature and comes fully-loaded with a heart-rate monitor, GPS and Android Pay. The Polar M600 is designed to keep you connected while you train, including smart coaching features that turn your activity and training data into actionable insights. Ticwatch S&E is great for your everyday workout, with a lightweight, breathable design, heart rate monitor and GPS antenna integrated right into the band.

Made for the journey

For the jet setter, Android Wear apps provide on-watch boarding options, travel tips, translations, world timers and maps to help guide your trip. Louis Vuitton Tambour Horizon connects you to exclusive travel apps like “LV Guide” and “My Flight,” which organizes your flight times, gates and terminals to guide your journey.

Built for adventure

From climbing to kayaking, the Casio Pro-Trek Smart is your outdoor companion. Built to military standards, the Pro-Trek is crazy tough, with unique outdoor capabilities like advanced GPS functionality and built-in sensors that measure altitudes and atmospheric pressure. With location memory and a full-color offline map, you can even track your hike and record voice-notes along the way.

Whether you’re a jetsetter or trendsetter, Android Wear has got you covered. With so many new watches to choose from, it’s never been easier to wear what you want.

Source: Android



Taking the next step with Android One

When we launched Android One in India back in 2014, the goal was to get the next billion people online by providing them with high quality, affordable phones. Since then, the larger community has told us they value what Android One stands for across a range of phones—a refreshingly simple software experience that is accessible, always fresh and stays ahead of the curve, with improvements to battery life, usability, and of course, security.  

As phone manufacturers continue to innovate by delivering high quality devices at accessible price points, keeping the inside of one’s phone innovative, fresh and secure is critical to a great experience. We’re extending our commitment to Android One by working with more partners to build phones that run a software experience designed by Google.

In the past year, we’ve expanded the program to new partners, geographies and price points. For example, in Japan, Android One devices are among the top selling phones in Softbank-owned Y!Mobile stores. General Mobile has committed a full portfolio of Android One devices in Turkey, and recently released their fourth offering, the GM 6

Today, our newest program partner Xiaomi just launched Mi A1. This phone is a great example of what Android One represents: a collaboration between Google and our partners to deliver a software experience designed by Google. For example, users can capture moments in stunning detail on Xiaomi’s dual camera with 2X optical zoom. They can then seamlessly save unlimited photos at high quality with Google Photos. Mi A1 will be available in dozens of markets, including India, Indonesia, Russia, Vietnam and Taiwan.

All Android One phones are powered by a Google designed software experience that is:

Simple and smart

  • Simple: All Android One phones consistently run a pure Android experience with a clean design and a small, carefully curated set of preinstalled apps.
  • Smart: The latest technology from Google is built right into Android One phones and core to the experience. For example, all devices will be optimized for the Google Assistant for a personalized experience. Google Photos will also be the default gallery for Android One phones to help users avoid running out of space, by providing free and unlimited storage of high quality photos and videos.

Secure and fresh

  • Secure: With multiple layers of protection, Android One phones are kept safe and secure with regular security updates. Devices will also stay secure with Google Play Protect: built-in malware protection that keeps phones clean, fast and high-performing. 
  • Fresh: Android One devices will receive timely upgrades to the latest Android OS, so people can quickly gain access to the latest platform innovations on their device. Users of the new Mi A1 will receive an upgrade to Android Oreo before the end of the year and next year they will also be one of the first to receive an upgrade to Android P.

Android One phones are Google endorsed devices that run a simple, fresh, and secure experience. We look forward to bringing more Android One partner phones to more consumers around the world. Check out android.com/one to learn more.

Source: Android



Automatic protections in Android: Q&A with a security expert

Editor's note: The Android security team works to keep more than two billion users safe, and with the release of Android Oreo, they’ve rolled out some new security protections. We sat down with Adrian Ludwig, Director of Android Security to learn about his team, their approach to security, and what Oreo’s new protections mean for people who use and love Android.

Keyword: Talk to us a bit about what your team does.

Adrian: We build security features for Android that help keep the whole ecosystem safe. Our software engineers write code that encrypts user data, helps find security bugs faster, prevents bugs from becoming security exploits, and finds applications that are trying to harm users or their information.  

How do you build these protections?

It starts with research. Because security is constantly evolving, our teams have to understand today’s issues, in Android and elsewhere, so we can provide better security now and in the future. Researchers in and out of Google are like detectives: they find new stuff, work to understand it deeply, and share it with the broader security community.

We then use those findings to make our protections stronger. We’re focused on tools like Google Play Protect and efforts like “platform hardening,” incremental protections to the Android platform itself. We’re also starting to apply machine learning to security threats, an early stage effort that we’re really excited about.

The final step is enabling all Android users to benefit from the protections. I’m really proud of the work our team has done with Google Play Protect, for example. Every day, it monitors more than 50 billion apps in Play, other app marketplaces, and across the web for potentially unsafe apps. If it finds any, we’ll prevent people from installing them and sometimes remove them from users’ phones directly. Users don’t need to do anything—this just works, automatically.

What are the challenges to protecting Android?

In security, we often talk about the trade-off between usability and protection. Sometimes, you can protect a device more effectively if there are certain things users can’t do on your device. And security is always much easier when things are predictable: for instance when all of the devices you are protecting are built the same way and can basically do the same thing.

But, Android security is different because the ecosystem is so diverse. The variety of use cases, form factors, and users forces us to be open-minded about how we should secure without limiting Android’s flexibility. We can’t possibly protect Android users with a single safeguard—our diversity of protections reflects the diversity in the Android ecosystem.

What are some of the new ways you’re protecting users in Android Oreo (not in robo-speak, please)?

Hang on, I gotta turn on Google Translate.

There are a … 0101100110 … sorry … a bunch! We’ve invested significantly in making it easier to update devices with security “patches,” fixes for potential safety problems, more commonly known as vulnerabilities. As a sidenote, you may have heard about “exploits.” If a vulnerability is a window, an exploit is a way to climb through it. The vast majority of the time, we’ll patch a vulnerability before anyone can exploit it. We have a project called Treble that makes it easier for us to work with partners and deliver updates to users. We want to close the window (and add some shutters) as quickly as possible.

We’ve also worked to improve verified boot, which confirms the device is in a known good state when it starts up, further hardened the Android kernel, which makes sure that hackers can’t change the way that code executes on a device, and evolved Seccomp, which limits the amount of code that is visible to hackers. Basically, we’re moving all the windows higher so any open ones are harder to climb through.

You announced Google Play Protect earlier this year. Tell us a bit about that and why it’s important for Android users?

For several years, we’ve been building “security services” which periodically check devices for potential security issues, allow Google and/or the user to review the status, and then use that information to protect the device. These services interact with Google Play in real-time to help secure it, hence the name “Google Play Protect.”

Our goal with Google Play Protect is to make sure that every user and every device has constant access to the best protections that Google can provide. Those protections are easy to use (ironically, for many people, Google Play Protect is so easy to use that they didn’t even know it was turned on!) and they benefit from everything Google knows about the security of Android devices.

Google Play Protect isn’t available just for users with Oreo -- it guards any device with Google Play Services, running Android Gingerbread, or later.

Updates are a challenge with Android, especially in regard to security. Why is that so hard? What are you doing to improve it?

What makes Android so cool and unique—its flexibility and openness—also presents a really big security challenge. There is a broad and diverse range of devices running Android, operated by a complex collection of partners and device manufacturers around the world. It’s our responsibility to make it easy for the entire ecosystem to receive and deploy updates, but the ecosystem has to work together in order to make it happen. One approach to the problem is to make updates easier through technical changes, such as Project Treble. Another is to work with partners to better understand how updates are produced, tested, and delivered to users.  

What’s the toughest part of your job?

Prioritization. Often we need to balance researching super cool, extremely rare issues with more incremental maintenance of our existing systems. It’s really important that we are laser-focused on both; it’s the only way we can protect the entire ecosystem now and longer-term.

What’s your favorite part?

I’m amazed and humbled by how many people use Android as their primary (or only) way to connect to the internet and to the broader world. We’ve still got a ton of work to do, but I’m incredibly proud of the role my team has played in making those connections safe and secure.  

Ok, last question: How do you eat your Oreos?

In one bite. (But I can’t handle the Double Stufs).

Source: Android

