Author Archives: Reto Meier

Google I/O 2016: Develop, Grow & Earn

By Jason Titus, Vice President, Developer Product Group

Earlier today, we kicked off our 10-year celebration of hosting developer events with Google I/O in front of over 7,000 developers at Shoreline Amphitheatre, and with millions of other viewers on the I/O live stream around the world. During the keynote, we had a number of announcements that featured tools for Android, iOS, and mobile Web developers, showcased the power of machine learning for delivering better user experiences, and introduced a previewed platform for high quality, mobile virtual reality.

And over the next three days at the festival, we’ll continue to focus on things that matter to you: Develop, to build high quality apps; Grow & Earn, to find high quality users, increase user engagement and create successful businesses; and What’s Next, a look at new platforms for future growth.

Develop, Grow & Earn with Firebase

Those core themes are best represented in our launch of Firebase. As shared during the keynote, we’ve significantly expanded Firebase beyond a mobile backend to include brand new features, like mobile analytics, growth tools, and crash reporting. Firebase is now a suite of 15 features and integrations designed to help you develop your app, grow a user base and earn money. At the heart of the suite is a new mobile analytics tool we built from the ground up called Firebase Analytics. Available for free and unlimited usage, Firebase Analytics is inspired by our decade-long experience running Google Analytics, but designed specifically for the unique needs of apps.

Let's also take a closer look at the other major developer news at I/O:

Develop

  • Android N Developer Preview 3 — Get a look at the next release of Android N focused on performance, productivity and security. Even better, Android N is now ready to test on primary phones or tablets.
  • Android VR — A rework of the entire Android stack in N to tailor it to provide high quality mobile VR experiences.
  • Android Studio 2.2 Preview — Our new preview focuses on speed, smarts, and Android platform support. This major update includes a completely rewritten, feature-rich Layout Designer.
  • Android Wear 2.0: A developer preview of the biggest platform update since we launched Android Wear two years ago. It includes updated design guidelines and APIs that make the watch even more useful for watch faces, messaging, and fitness. Apps on the watch can now be standalone, with direct network access to the cloud.
  • Recording APIs: enables Android TV app developers and content providers to bring recording functionality to live channels.
  • Google Play services 9.0 — In addition to Firebase, the next release includes new API updates for Ads, Nearby and Play Games services.
  • Android Pay APIs — A new set of tools that includes support for mobile web, Instant Apps, Save to Android Pay and an API for issuers. We’ll have more to share during the session “Android Pay everywhere: New developments” later today at 2:00 PM PT Stage 1 Hercules.
  • Progressive Web Apps — A new set of capabilities to build app-like mobile websites that work reliably on the worst network connections and can send notifications to re-engage users.
  • Credentials API — The latest version of Chrome now supports the Credential Management API, allowing sites to interact with the browser’s credential manager to improve the sign in experience for users. The API enables users to sign in with one tap and lets them automatically sign back in when returning to the site.
  • Accelerated Mobile Pages — Check out the AMP project, an open source initiative that is helping publishers create mobile-optimized content once and have it load instantly everywhere.

Grow & Earn

  • Reach a global audience on Google Play — New and powerful tools to help you grow your business: discover and join beta tests from the Play Store (including a new Early Access section), discover collections of complementary apps to help users solve complex tasks, see how your app runs on real devices with a new pre-launch report, get insights and benchmarks for reviews and user acquisition, monitor your app stats and get notifications when your updates are live with the new Play Console app, and more.
  • Android Instant Apps — With Android Instant Apps, users can open your app simply by tapping on a link, even if they don’t have the app installed. Instant Apps is compatible with Android Jelly Bean and later, reaching over a billion users. We’re working with a small set of developers now, and we’ll be gradually expanding access.
  • Building for billions — New resources to help you optimize your app and get your business ready to serve over a billion Android users around the world.
  • Universal App Campaigns — Last year, we introduced Universal App Campaigns as a simple and powerful way to surface apps to the billions of users across Google Play, Search, YouTube, and the Google Display Network. We’re building on this success by expanding onto iOS and by helping developers use insights to optimize for lifetime value. See our new apps best practices.

What’s Next

  • Awareness API: We'll be previewing a new, unified sensing platform that enables apps to be aware of all aspects of a user's context, while managing system health for you. Learn more at the "Introducing Awareness API: an easy way to make your apps context aware" session later today at 3:00 PM PT in Stage 5 Libra.
  • Daydream — We’ll have more to share on how developers can start building Daydream apps during the “VR at Google” session tomorrow (May 19) at 9:00 AM PT in the Amphitheatre and livestreamed.
  • Chromebooks — Hear from the team firsthand what’s new with Chromebooks tomorrow (May 19) at 11:00 AM PT in Stage 8 Crater.
  • The Mobile Web — We’ll share what we’re doing to improve the mobile web experience for developers and users tomorrow (May 19) at 2:00 PM PT in the Amphitheatre.

Android Wear 2.0 Developer Preview

Posted by David Singleton, VP of Engineering

Today at Google I/O, we announced the most significant Android Wear update since its launch two years ago: Android Wear 2.0. Based on what we’ve learned from users and developers, we're evolving the platform to improve key experiences on the watch, including watch faces, messaging, and fitness.

Android Wear 2.0 will be available to users this fall. We’re making a Developer Preview available today and plan to release additional updates throughout the summer, so please send us your feedback early and often. Also, please keep in mind that this preview is a work in progress, and is not yet intended for daily use.

What’s new?

  • Standalone apps: Your Android Wear app can now access the internet directly over Bluetooth, Wi-Fi, or cellular, without relying on the Data Layer APIs. This means your app can continue to offer full functionality even if the paired phone is far away or turned off. Removing the requirement to use the Data Layer APIs also enables your app to offer the same functionality regardless of whether the watch is paired with an Android or iPhone. In addition, your app can receive push messages via Google Cloud Messaging and access AccountManager directly on the watch.
  • New system UI: We’ve made a number of UI changes that will help users interact with your app more easily. A new notification design and app launcher make it easier to take action on notifications and launch your app, and a new watch face picker makes switching watch faces fast and fun. The system UI also adopts a dark color palette and makes better use of round displays. We recommend you test your existing Android Wear app and notifications with the new UI.
  • Material design for wearables: The new Material Design for Wearables guide will help you make your app’s interface more consistent, intuitive, and beautiful. The new navigation drawer and action drawer components in the Wearable support library make it easy to align your app with the system UI’s new vertical layout. We’ve also provided guidance on how to adopt the dark color palette.
  • Complications API: Complications are bite-sized pieces of information displayed to users directly on the watch face. Android Wear now has a system-wide framework to enable any app to show data on any watch face that implements the API. As an app developer, you can choose to publish your data to a wide variety of watch faces and make it easier for users to launch your app from the watch face. As a watch face developer, you can rely on data from a rich ecosystem of Wear apps without having to worry about sourcing it yourself.
  • Input methods: Keyboard and handwriting input methods open up new ways to accept text from users on the watch. You can now use these new input methods in your app via RemoteInput and EditText, and notifications that already use RemoteInput for voice replies will automatically support the new input methods. We’ve ported over the full Android input method framework to the watch, so you can even create your own custom input methods if you wish.
  • New MessagingStyle notification: Android Wear 2.0 includes a new notification template with a layout optimized for quick and responsive messaging. This template is also available on phones and tablets using Android N, so creating a great cross-device messaging experience is a breeze.
  • Google Fit platform: Improvements to the Google Fit platform make it easier for your app to use fitness data and detect activity. You can register a PendingIntent to be notified of changes in the fitness data store, so you don’t have to keep querying for changes to weight, nutrition, and other data types. It’s also easier for your app to get a consistent daily step count on Android Wear -- with HistoryApi.readDailyTotal(), a step recording subscription is no longer required. Finally, apps will soon be able to detect (with consent) when the user starts walking, running, or biking.
  • Support for Android N: Your Android Wear app can now take advantage of the latest Android N features such as Data Saver and Java 8 Lambda support. Also, let’s not forget the new emojis!

Get started and give us feedback!

The Android Wear 2.0 Developer Preview includes an updated SDK with tools, and system images for testing on the official Android emulator, the LG Watch Urbane 2nd Edition LTE, and the Huawei Watch.
To get started, follow these steps:
  1. Take a video tour of the Android Wear 2.0 developer preview
  2. Update to Android Studio v2.1.1 or later
  3. Visit the Android Wear 2.0 Developer Preview site for downloads and documentation
  4. Get the emulator system images through the SDK Manager or download the device system images
  5. Test your app with your supported device or emulator
  6. Give us feedback
We will update this developer preview over the next few months based on your feedback. The sooner we hear from you, the more we can include in the final release, so don't be shy!

Introducing Android Instant Apps

Posted by Suresh Ganapathy, Product Manager

 Developers have built amazing Android apps. They use your mobile device to the fullest, including the camera, GPS, and sensors to connect to the real world. They’re beautiful and immersive, with Material Design and smooth animations running at 60 frames per second. They use access to identity and payments to create seamless experiences.

But developers tell us they wish they could bring users into their apps more quickly and easily. With the web, you can click on a link and land on a web page — it takes one click and just a few seconds. It should be easier for users to access a wider range of apps, and for developers to reach more people.

So, we asked ourselves: How do we make it possible for people to access a wider range of apps, seamlessly? How do we help developers reach more people? And how do we do that while giving developers access to the range of capabilities and experiences that Android apps provide?

Today we’re sharing a preview of a new project that we think will change how people experience Android apps. We call it Android Instant Apps, and it evolves Android apps to be able to run instantly, without requiring installation. With Instant Apps, a tap on a URL can open right in an Android app, even if the user doesn’t have that app installed.

As a developer, you won’t need to build a new, separate app. It’s the same Android APIs, the same project, the same source code. You’ll simply update your existing Android app to take advantage of Instant Apps functionality. In fact, it can take less than a day to get up and running for some developers, though the effort involved will vary depending on how your app is structured. You modularize your app, and Google Play downloads only the parts that are needed, on the fly. And when you do upgrade, your app will be available to more than a billion users on Android devices going back to Jelly Bean.

This is a big change, so it's going to take some time. We’ve been working with a small set of partners to help refine the experience, including developers like BuzzFeed, B&H Photo, Medium, Hotel Tonight, Zumper and Disney. We’ll be gradually expanding access for developers and bringing Instant Apps to users later this year.
B&H Photo
(via Google Search)
BuzzFeedVideo
(via a shared link)
Park and Pay (example)
(via NFC)

If you’re interested in learning more about Android Instant Apps, please check out the Android developers website, where you can sign up for updates as they become available. We can’t wait to see what you build when your app is just a tap away.

Improving the Security and User Experience of your Google Sign In Implementation

Posted by Isabella Chen, Software Engineer

We launched a fully revamped Sign-In API with Google Play services 8.3 providing a much more streamlined user experience and enabling easy server authentication and authorization. We’ve heard from many developers that they’ve found these APIs simple and less error prone to use. But when we look at applications in the Play Store, we see many that are still using legacy Plus.API / GoogleAuthUtil.getToken and do not follow best practices for authentication and authorization. Not following best practices can make your apps easily vulnerable to attack.

Ensuring your apps are secure

Developers should ensure that their apps are not open to the following vulnerabilities:

  • Email or user ID substitution attack After signing in with Google on Android, some apps directly send email or user ID in plain text to their backend server as the identity credential. These server endpoints enable a malicious attacker to easily forge a request and gain access to any user’s account by guessing their email / user ID.

    Figure 1. Email / User ID Substitution Attack

    We see a number of developers implement this anti-pattern by using getAccountName or getId from the Plus.API and sending it to their backend.

    Problematic implementations, DO NOT COPY
  • Access token substitution attack After signing in with Google on Android, many apps send an access token obtained via GoogleAuthUtil.getToken to their backend server as the identity assertion. Access tokens are bearer tokens and backend servers cannot easily check if the token is issued to them. A malicious attacker can phish the user to sign-in on another application and use that different access token to forge a request to your backend.

    Figure 2. Access Token Substitution Attack

    Many developers implement this anti-pattern by using GoogleAuthUtil to retrieve an access token and sending it to their server to authenticate like in the following example:

    Problematic implementation, DO NOT COPY

Solution

  1. Many developers who have built the above anti-patterns into their apps simply call our tokenInfo (www.googleapis.com/oauth2/v3/tokeninfo) which is debug-only or unnecessarily call the G+ (www.googleapis.com/plus/v1/people/me) endpoint for user’s profile information. These apps should instead implement our recommended ID token flow explained in this blog post. Check out migration guide to move to a both secure and efficient pattern.
  2. If your server needs access to other Google services, e.g. Drive, you should use server auth code flow. You can also check out this blogpost. Worth mentioning, you can also get an ID token using server auth code flow, from which you can retrieve user id / email / name / profile url without additional network call. Check out the migration guide.

Improving the user experience and performance of your apps

There are still many apps using GoogleAuthUtil for server auth and their users are losing out the improved user experience while the developers of those apps need to maintain a significantly more complicated implementation.

Here are some of the common problems that we see:

Requesting unnecessary permissions and displaying redundant user experience

Many apps request GET_ACCOUNTS permission and draw their own customized picker with all email addresses. After getting the email address, the app calls either GoogleAuthUtil or Plus.API to do OAuth consent for basic sign in. For those apps, users will see redundant user experience like:

Figure 3. GET_ACCOUNTS runtime permission and redundant user experience

The worst thing is the GET_ACCOUNTS permission. On Marshmallow and above, this permission is displayed to the user as ‘Contacts’. Many users are unwilling to grant access to this runtime permission.

Solution

Switch to our new Auth.GOOGLE_SIGN_IN_API for a streamlined user consent experience by providing an intuitive one-tap interface to provide your app with the user’s name, email address and profile picture. Your app receives an OAuth grant when the user selects an account, making it easier to sign the user in on other devices. Learn more


Figure 4. New streamlined, one-tap sign-in experience

Getting ID Token from GoogleAuthUtil for your backend

Before we released revamped Sign-In API, GoogleAuthUtil.getToken was the previously recommended way to retrieve an ID token via a “magic string.”

Wrong pattern, DO NOT COPY

GoogleAuthUtil.getToken needs to take an email address, which usually leads to the undesirable user experience in Figure 3. Also, user’s profile information like name, profile picture url is valuable information to store in your server. The ID token obtained via Auth.GOOGLE_SIGN_IN_API will contain profile information and your server won’t need additional network calls to retrieve them.

Solution Switch to the ID token flow using the new Auth.GOOGLE_SIGN_IN_API and get the one-tap experience. You can also check out this blogpost and the migration guide for more details.

Getting auth code from GoogleAuthUtil for your backend

We once recommended using GoogleAuthUtil.getToken to retrieve a server auth code via another “magic string.”

Wrong pattern, DO NOT COPY


In addition to the possible redundant user experience in Figure 3, another problem with this implementation was that if a user had signed in to your application in the past and then switched to a new device, they would likely see this confusing dialog:

Figure 5. Confusing consent dialog for returned user if using GoogleAuthUtil.getToken for auth code

Solution

To easily avoid this “Have offline access” consent dialog, you should switch to server auth code flow using the new Auth.GOOGLE_SIGN_IN_API . We will issue you an auth code silently for a previously signed-in user. You can also check out this blogpost and migration guide for more info.

Should I ever use GoogleAuthUtil.getToken?

In general, you should NOT use GoogleAuthUtil.getToken, unless you are making REST API call on Android client. Use Auth.GOOGLE_SIGN_IN_API instead. Whenever possible, use native Android API in Google Play services SDK. You can check out those APIs at Google APIs for Android.

Building better mobile apps for work

Posted by Matt Goodridge - Google Play for Work Product Manager

Last year, we introduced Android for Work, a program designed to pair the strength of the Android platform with support from the rich ecosystem of OEMs (device manufacturers like Samsung), EMMs (Enterprise Mobility Managers) and carriers with the goal of transforming the workplace. This means that developers get the support they need to develop apps that configure to meet business needs without customization.

With Android for Work, developers have been able to build apps for business and make them available via Google Play for Work to all types of industries. No matter the place or use case, Android for Work has helped lead businesses to foster employee productivity and creativity through increased mobility.

Today we are announcing the Android for Work DevHub, a place for developers to keep up with Android in the workplace and engage fellow business app developers in an open forum. Android for Work DevHub members will receive access to Google Play for Work and Android for Work product betas and developer events and will have the opportunity to learn from Google experts on topics like how to:

  • leverage tools and resources provided by the AppConfig Community, which established a standard that provides Android developers a simple way set up app configurations,
  • improve app security by integrating with Android for Work APIs,
  • get an app featured on Google Play for Work,
  • and more…

Among the early members of the Android for Work DevHub is Keeper, a mobile-first company committed to securing corporate credentials and sensitive information. Darren Guccione, Keeper’s CEO and co-founder, said: “Having our team be able to talk with Google experts as a part of the Android for Work DevHub has been very helpful in optimizing Keeper, as an essential product, for the workplace.” In addition to Keeper, select developers across an array of industries are already represented in the Android for Work DevHub, and—starting today—any business developer can apply to become a member, too.

To learn more about Android for Work, join us at Google I/O Thursday, May 19th at 2pm on Stage 10 Cassiopeia. I’ll be joined live on stage with James Kelly, product manager in Android for Work and Rich Hyndman, and Android developer advocate, to walk through the latest developments in Android for Work that will help you make awesome apps for businesses and to meet the Android for Work team in-person at our shop to see the Android for Work retail experience.

Designing for Multi-Window

Posted by Ian Lake, Developer Advocate

As a developer, there’s a wide range of features added in Android N to take advantage of, but when it comes to designing and building your UI, having strong multi-window support should be at the forefront.

The primary mode that users will be interacting with multi-window is through split-screen mode, which is available on both handheld devices and larger tablets. In this mode, two apps split the available screen space and the user can drag the divider between the two split screens to resize the apps. As you might imagine, this mode offers some unique design challenges beyond what was needed previously.

An even more responsive UI

The lessons learned from previous versions of Android, the mobile web, and desktop environments still apply to Android N. Designing a responsive UI is still an important first step towards an amazing multi-window experience.

A responsive UI is one that adapts to the size provided, picking the best representation of the content and the appropriate navigation patterns to make a great user experience on any device. Check out the Building a Responsive UI blog post for details on how to design and build an effective responsive UI.

Adapting your layout

As you’re designing layouts for the largest and smallest screens and everything in between, it is important to make resizing a smooth and seamless transition as mentioned in the split screen layout guidelines. If you already have a similar layout between mobile and tablet, you’ll find much of your work taken care of for you.

However, if your mobile and tablet layouts are vastly different and there’s no way to smoothly transition between the two, you should not transition between them when resizing. Instead, focus on making your tablet UI scale down using the same responsive UI patterns. This ensures that users do not have to relearn their UI when resizing your app.

Note that the minimalHeight and minimalWidth layout attributes allow you to set a minimum size you want reported to your Activity, but they do not mean the user cannot resize your activity smaller - it actually means that your activity will be cropped to the size the user requests, potentially forcing elements of your UI off the screen. Strive to support down to the minimum size of 220x220dp.

Design configurations to consider

While many of the sizes and aspect ratios possible in multi-window are similar to existing devices (1/3rd of a landscape tablet is similar to existing mobile devices in screen size), there are a few configurations that are much more common when considering multi-window.

The first is a 16x9 layout on mobile devices in portrait. In this case, the vertical space is extremely limited. If you have a number of fixed elements stacked on top of one another (a toolbar, scrolling content, and a bottom navigation bar), you might find there’s not actually any room for the scrolling content - the most important part!

The second case to consider is the 34.15% layout on tablets. The very wide aspect ratio in device portrait or very tall aspect ratio in device landscape orientation are more extreme than what is found on existing devices. Consider using your mobile layouts as a starting point for this configuration.

Patterns to avoid

When it comes to multi-window, there are a few patterns you want to avoid entirely.

The first is UI interactions that rely on swiping from the edge of the screen. This has already been somewhat of an issue when it comes to the on screen navigation bar prominent on many devices (such as Nexus devices), but is even more so in split-screen mode. Since there is (purposefully) no way to determine if your activity is on the top or bottom or the left or the right, don’t make edge swipes the only way to access functionality in your app. That doesn’t mean you have to avoid them entirely - just make sure there is an alternative. A good example of this is the temporary navigation drawer - an edge swipe opens the drawer, but it is also accessible by pressing the hamburger icon in the toolbar.

The second is disabling multi-window entirely. While there are certainly cases where this makes sense (i.e., it is fundamentally an immersive experience such as a game), there are also cases where your activity and any Activities launched from that Activity are forced to support multi-window. As mentioned in the Preparing for Multi-Window blog post, when you support external apps launching your activity, your activity inherits the multi-window properties of the calling Activity.

Designing for Multi-Window is designing for every device

Building a responsive UI that reacts to the space available is critical to a great multi-window experience, but it is an exercise that can benefit all of your users across the wide variety of Android devices.

So use this as an opportunity to #BuildBetterApps

Follow the Android Development Patterns Collection for more!

Introducing the second class of Launchpad Accelerator

Originally posted on Google Developers blog

Roy Glasberg, Global Lead, Launchpad Program & Accelerator

This week Launchpad Accelerator announces its second class, which includes 24 promising startups from around the world. While the number of accelerators is at an all-time high, we take a different approach with Launchpad Accelerator, a program that exclusively works with late-stage tech startups in emerging markets -- Brazil, Indonesia, India and Mexico.

See what it’s like to participate in the Accelerator.


“We provide comprehensive mentorship that delivers results,” says Jacob Greenshpan, one of Launchpad’s lead mentors. “We start by running a ‘patient diagnostic’ to determine each startup’s critical challenges, and then deploy precise mentorship, actionable solutions, and Google resources that enables the app to scale.”

Class 2 kicks off June 13. The startups will descend on Google HQ for an intensive 2 week bootcamp. Under the tutelage of Google product teams and mentors from the global Launchpad network, they will receive intensive, targeted mentoring, equity-free funding, and more benefits during the 6-month program.

Here’s the full list of startups (by country):

Brazil

BankFacil Emprego Ligado AppProva GetNinjas Edools Love Mondays

Indonesia

HijUp Talenta Jarvis Store Ruangguru IDNtimes Codapay

India

Taskbob Programming Hub ShareChat RedCarpet PlaySimple Games MagicPin

Mexico

Aliada SaferTaxi Conekta Konfio Kichink Miroculus

Google’s “Scalerator” Drives Results for Alumni

What advice do Class 1 alumni give to the new intake? “Come to the accelerator with an open mind. You will be shocked to find how many things are going wrong in your app. Thankfully the mentors will help you implement better solutions,” says Vinicius Heimbeck, Founder of Brazilian mobile game developer UpBeat Games.

UpBeat Games had more than 1,000% increase in daily app installations in Asia during the period of a feature, as well as a 200% overall increase in active users after following a long list of improvements Accelerator mentors suggested. “We made optimizations that led us to be featured in Google Play, which changed everything for us.”

See Upbeat Games at the Accelerator in this video.

“Believe you can build a world class product. The mentors will push you to bet on yourself,” says Amarendra Sahu, Nestaway Co-founder and Class 1 alumni. NestAway just closed a $30M Series C, one of the largest investment rounds in India this year.

“Your biggest enemy is not failure; it is the temptation to be ordinary. But the mentors will push you to build an extraordinary product and scale an extraordinary startup," says eFishery Co-founder and CEO Gibran Chuzaefah Amsi El Farizy, who was announced as one of the top 27 leaders in Indonesia’s startup ecosystem, after participating in the Accelerator program.

Get the guide to News app success on Google Play and see how Nabd engages readers with Material Design

Posted by Tamzin Taylor - Strategic Partner Lead, Google Play

Today we’re releasing The News Publisher Playbook, where you will learn best practices for developing a successful news mobile strategy on Android. This is a new companion guide to our business playbook for developers, The Secrets to App Success on Google Play, focused on the news apps segment.

The guide includes tips and useful resources to help you optimize your news content on mobile, identifying the best distribution channels to reach the right audience, build your brand and maximize your revenue.

You will find tips on mobile website optimization, how to create a Google Play Newsstand edition, and how to improve your native app. You will also get an overview of ways to acquire and engage your readers as well as how to monetize and grow your revenue.

Once you’ve checked out the guide, we’d love to hear your feedback, so we can continue to improve our developer resources. Please let us know what you think.

Android Developer Story: Nabd improves reader engagement with Material Design

Founded in 2012, Nabd is a personalised Arabic news aggregator app based in Kuwait, reaching over 10 million people, of which, 60% use Android devices. Watch this Android Developer Story to hear Abdur-Rahman El-Sayed, Co-founder and CEO, and Abdullah El-Sayed, Co-founder and VP of Engineering, explain how adopting Material Design increased user engagement and improved ratings.


Get the News Publisher Playbook to help you find success on Google Play.


Hardening the media stack

Posted by Dan Austin and Jeff Vander Stoep, Android Security team

To help make Android more secure, we encourage and reward researchers who discover vulnerabilities. In 2015, a series of bugs in mediaserver’s libstagefright were disclosed to Google. We released updates for these issues with our August and September 2015 security bulletins.

In addition to addressing issues on a monthly basis, we’ve also been working on new security features designed to enhance the existing security model and provide additional defense in-depth. These defense measures attempt to achieve two goals:

  • Prevention: Stop bugs from becoming vulnerabilities
  • Containment: Protect the system by de-privileging and isolating components that handle untrusted content

Prevention

Most of the vulnerabilities found in libstagefright were heap overflows resulting from unsigned integer overflows. A number of integer overflows in libstagefright allowed an attacker to allocate a buffer with less space than necessary for the incoming data, resulting in a buffer overflow in the heap.

The result of an unsigned integer overflow is well defined, but the ensuing behavior could be unexpected or unsafe. In contrast, signed integer overflows are considered undefined behavior in C/C++, which means the result of an overflow is not guaranteed, and the compiler author may choose the resulting behavior—typically what is fastest or simplest. We have added compiler changes that are designed to provide safer defaults for both signed and unsigned integer overflows.

The UndefinedBehaviorSanitizer (UBSan) is part of the LLVM/Clang compiler toolchain that detects undefined or unintended behavior. UBSan can check for multiple types of undefined and unsafe behavior, including signed and unsigned integer overflow. These checks add code to the resulting executable, testing for integer overflow conditions during runtime. For example, figure 1 shows source code for the parseChunk function in the MPEG4Extractor component of libstagefright after the original researcher-supplied patch was applied. The modification, which is contained in the black box below, appears to prevent integer overflows from occurring. Unfortunately, while SIZE_MAX and size are 32-bit values, chunk_size is a 64-bit value, resulting in an incomplete check and the potential for integer overflow. In the line within the red box, the addition of size and chunk_size may result in an integer overflow and creation of buffer smaller than size elements. The subsequent memcpy could then lead to exploitable memory corruption, as size + chunk_size could be less than size, which is highlighted in the blue box. The mechanics of a potential exploit vector for this vulnerability are explained in more detail by Project Zero.

Figure 1. Source code demonstrating a subtle unsigned integer overflow.

Figure 2 compares assembly generated from the code segment above with a second version compiled with integer sanitization enabled. The add operation that results in the integer overflow is contained in the red box.

In the unsanitized version, size (r6) and chunk_size (r7) are added together, potentially resulting in r0 overflowing and being less than size. Then, buffer is allocated with the size specified in r0, and size bytes are copied to it. If r0 is less than r6, this results in memory corruption.

In the sanitized version, size (r7) and chunk_size (r5) are added together with the result stored in r0. Later, r0 is checked against r7, if r0 is less than r7, as indicated by the CC condition code, r3 is set to 1. If r3 is 1, and the carry bit was set, then an integer overflow occurred, and an abort is triggered, preventing memory corruption.

Note that the incomplete check provided in the patch was not included in figure 2. The overflow occurs in the buffer allocation’s add operation. This addition triggers an integer sanitization check, which turns this exploitable flaw into a harmless abort.

Figure 2. Comparing unsanitized and sanitized compiler output.

While the integer sanitizers were originally intended as code hygiene tools, they effectively prevent the majority of reported libstagefright vulnerabilities. Turning on the integer overflow checks was just the first step. Preventing the runtime abort by finding and fixing integer overflows, most of which are not exploitable, represented a large effort by Android's media team. Most of the discovered overflows were fixed and those that remain (mostly for performance reasons) were verified and marked as safe to prevent the runtime abort.

In Android N, signed and unsigned integer overflow detection is enabled on the entire media stack, including libstagefright. This makes it harder to exploit integer overflows, and also helps to prevent future additions to Android from introducing new integer overflow bugs.

Containment

For Android M and earlier, the mediaserver process in Android was responsible for most media-related tasks. This meant that it required access to all permissions needed by those responsibilities and, although mediaserver ran in its own sandbox, it still had access to a lot of resources and capabilities. This is why the libstagefright bugs from 2015 were significant—mediaserver could access several important resources on an Android device including camera, microphone, graphics, phone, Bluetooth, and internet.

A root cause analysis showed that the libstagefright bugs primarily occurred in code responsible for parsing file formats and media codecs. This is not surprising—parsing complex file formats and codecs while trying to optimize for speed is hard, and the large number of edge cases makes such code susceptible to both accidental and malicious malformed inputs.

However, media parsers do not require access to most of the privileged permissions held by mediaserver. Because of this, the media team re-architected mediaserver in Android N to better adhere to the principle of least privilege. Figure 3 illustrates how the monolithic mediaserver and its permissions have been divided, using the following heuristics:

  • parsing code moved into unprivileged sandboxes that have few or no permissions
  • components that require sensitive permissions moved into separate sandboxes that only grant access to the specific resources the component needs. For example, only the cameraserver may access the camera, only the audioserver may access Bluetooth, and only the drmserver may access DRM resources.

Figure 3. How mediaserver and its permissions have been divided in Android N.

Comparing the potential impact of the libstagefright bugs on Android N and older versions demonstrates the value of this strategy. Gaining code execution in libstagefright previously granted access to all the permissions and resources available to the monolithic mediaserver process including graphics driver, camera driver, or sockets, which present a rich kernel attack surface.

In Android N, libstagefright runs within the mediacodec sandbox with access to very few permissions. Access to camera, microphone, photos, phone, Bluetooth, and internet as well as dynamic code loading are disallowed by SELinux. Interaction with the kernel is further restricted by seccomp. This means that compromising libstagefright would grant the attacker access to significantly fewer permissions and also mitigates privilege escalation by reducing the attack surface exposed by the kernel.

Conclusion

The media hardening project is an ongoing effort focused on moving functionality into less privileged sandboxes and further reducing the permissions granted to those sandboxes. While the techniques discussed here were applied to the Android media framework, they are suitable across the Android codebase. These hardening techniques—and others—are being actively applied to additional components within Android. As always, we appreciate feedback on our work and welcome suggestions for how we can improve Android. Contact us at [email protected].

Enhancing App Security on Google Play

Posted by Eric Davis, Android Security Team

We’re constantly investing in new tools and services to help developers build secure Android applications. This includes the application sandbox and Security APIs in the platform, Security APIs in Google Play Services, and even open source testing tools. Last year, Google Play also helped developers enhance the security of their applications by looking directly at the code they’ve written and offering suggestions for improvements.

The Google Play App Security Improvement Program is the first of its kind. It has two core components: We provide developers with security tips to help them build more secure apps, and we help developers identify potential security enhancements when uploaded to Google Play. This week, to help educate developers, Kristian Monsen, one of our engineers, gave a presentation about security best practices at the Samsung Developer Conference. And in 2015, we worked with developers to improve the security of over 100,000 apps through the program.

How it works

Before any app is accepted into Google Play, it is scanned for safety and security, including potential security issues. We also continuously re-scan the over one million apps in Google Play for additional threats.

If your app is flagged for a potential security issue, you will be notified immediately to help you quickly address the issue and help keep your users safe. We’ll deliver alerts to you using both email and the Google Play Developer Console, with links to a support page with details about how to improve the app.


Typically, these notifications will include a timeline for delivering the improvement to users as quickly as possible. Applications may be required to make security improvements before any other app updates can be be published.

You can confirm that you’ve fully addressed the issue by uploading the new version of your app to the Google Play Developer Console. Be sure to increment the version number of the fixed app. After a few hours, check the Developer Console for the security alert; if it’s no longer there, you’re all set!

The success of this program rests on our partnership with you—the developers of apps on Google Play—and the security community. We’re all responsible for providing safe, secure apps to our users. For feedback or questions, please reach out to us through the Google Play Developer Help Center. To report potential security issues in apps, please reach out to us at [email protected].