Tag Archives: safety and security

Sharing what’s new in Android Q

 This year, Android is reaching version 10 and operating on over 2.5 billion active devices. A lot has changed since version 1.0, back when smartphones were just an early idea. Now, they’re an integral tool in our lives—helping us stay in touch, organize our days or find a restaurant in a new place.

Looking ahead, we’re continuing to focus on working with partners to shape the future of mobile and make smartphones even more helpful. As people carry their phones constantly and trust them with lots of personal information, we want to make sure they’re always in control of their data and how it’s shared. And as people spend more time on their devices, building tools to help them find balance with technology continues to be our priority. That’s why we’re focusing on three key areas for our next release, Android Q: innovation, security and privacy and digital wellbeing.

New mobile experiences

Together with over 180 device makers, Android has been at the forefront of new mobile technologies. Many of them—like the first OLED displays, predictive typing, high density and large screens with edge-to-edge glass—have come to Android first. 

This year, new industry trends like foldable phone displays and 5G are pushing the boundaries of what smartphones can do. Android Q is designed to support the potential of foldable devices—from multi-tasking to adapting to different screen dimensions as you unfold the phone. And as the first operating system to support 5G, Android Q offers app developers tools to build for faster connectivity, enhancing experiences like gaming and augmented reality.

We’re also seeing many firsts in software driven by on-device machine learning. One of these features is Live Caption. For 466 million deaf and hard of hearing people around the world, captions are more than a convenience—they make content more accessible. We worked closely with the Deaf community to develop a feature that would improve access to digital media. With a single tap, Live Caption will automatically caption media that’s playing audio on your phone. Live Caption works with videos, podcasts and audio messages, across any app—even stuff you record yourself. As soon as speech is detected, captions will appear, without ever needing Wi-Fi or cell phone data, and without any audio or captions leaving your phone.

On-device machine learning also powers Smart Reply, which is now built into the notification system in Android, allowing any messaging app to suggest replies in notifications. Smart Reply will now also intelligently predict your next action—for example, if someone sends you an address, you can just tap to open that address in Maps.

A phone screen showing a message coming in with an address, and a chip in the notification that opens the address in Google Maps.

Security and privacy as a central focus

Over the years, Android has built out many industry-first security and privacy protections, like file-based encryption, SSL by default and work profile. Android has the most widely-deployed security and anti-malware service of any operating system today thanks to Google Play Protect, which scans over 50 billion apps every day. 

We’re doing even more in Android Q, with almost 50 new features and changes focused on security and privacy. For example, we created a dedicated Privacy section under Settings, where you’ll find important controls in one place. Under Settings, you’ll also find a new Location section that gives you more transparency and granular control over the location data you share with apps. You can now choose to share location data with apps only while they’re in use. Plus, you’ll receive reminders when an app has your location in the background, so you can decide whether or not to continue sharing. Android Q also provides protections for other sensitive device information, like serial numbers.

Finally, we're introducing a way for you to get the latest security and privacy updates, faster. With Android Q, we’ll update important OS components in the background, similar to the way we update apps. This means that you can get the latest security fixes, privacy enhancements and consistency improvements as soon as they’re available, without having to reboot your phone.

Helping you find balance

Since creating our set of Digital Wellbeing tools last year, we’ve heard that they’ve helped you take better control of your phone usage. In fact, app timers helped people stick to their goals over 90 percent of the time, and people who use Wind Down had a 27 percent drop in nightly phone usage.

This year, we’re going even further with new features like Focus mode, which is designed to help you focus without distraction. You can select the apps you find distracting—such as email or the news—and silence them until you come out of Focus mode. And to help children and families find a better balance with technology, we’re making Family Link part of every device that has Digital Wellbeing (starting with Android Q), plus adding top-requested features like bonus time and the ability to set app-specific time limits.

Phone screens showing new Family Link controls in Android Q.

Available in Beta today

Android Q brings many more new features to your smartphone, from a new gesture-based navigation to Dark Theme (you asked, we listened!) to streaming media to hearing aids using Bluetooth LE. 

A grid of logos that demonstrates which devices and brands Android Q beta is available on, including Pixel, Sony, Nokia, Huawei and LG.

You can find some of these features today in Android Q Beta, and thanks to Project Treble and our partners for their commitment to enable faster platform updates, Beta is available for 21 devices from 13 brands, including all Pixel phones.

Source: Android


Introducing auto-delete controls for your Location History and activity data

Whether you’re looking for the latest news or the quickest driving route, we aim to make our products helpful for everyone. And when you turn on settings like Location History or Web & App Activity, the data can make Google products more useful for you—like recommending a restaurant that you might enjoy, or helping you pick up where you left off on a previous search. We work to keep your data private and secure, and we’ve heard your feedback that we need to provide simpler ways for you to manage or delete it.


You can already use your Google Account to access simple on/off controls for Location History and Web & App Activity and, if you choose, to delete all or part of that data manually. In addition to these options, we’re announcing auto-delete controls that make it even easier to manage your data. Here’s how they’ll work:

Gif showing how to choose how long to keep your web and app activity.

Choose a time limit for how long you want your activity data to be saved—3 or 18 months—and any data older than that will be automatically deleted from your account on an ongoing basis. These controls are coming first to Location History and Web & App Activity and will roll out in the coming weeks.


You should always be able to manage your data in a way that works best for you--and we’re committed to giving you the best controls to make that happen.

The ultimate account security is now in your pocket

Phishing—when an attacker tries to trick you into turning over your online credentials—is the most common cause of security breaches. Preventing phishing attacks can be a major challenge for personal and business users alike. At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.

Two-step verification (or 2SV) makes it even harder for attackers to gain access to your accounts by adding one more step to the sign-in process. While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.

We consider security keys based on FIDO standards, like our Titan Security Key, to be the strongest, most phishing-resistant method of 2SV on the market today. These physical security keys protect your account from phishers by requiring you to tap your key during suspicious or unrecognized sign-in attempts.

Now, you have one more option—and it’s already in your pocket. Starting today in beta, your phone can be your security key—it’s built into devices running Android 7.0+. This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys. Use it to protect your personal Google Account, as well as your Google Cloud Accounts at work. We also recommend it for people in our Advanced Protection Program—like journalists, activists, business leaders and political campaign teams who are most at risk of targeted online attacks.

Using the built-in security key in a Pixel 3 to log into your Google Account.

To activate your phone’s built-in security key, all you need is an Android 7.0+ phone and a Bluetooth-enabled Chrome OS, macOS X or Windows 10 computer with a Chrome browser. Here’s how to do it:

  1. Add your Google Account to your Android phone.
  2. Make sure you’re enrolled in 2SV.
  3. On your computer, visit the 2SV settings and click "Add security key".
  4. Choose your Android phone from the list of available devices—and you’re done!

When signing in, make sure Bluetooth is turned on on your phone and the device you are signing in on.

We recommend registering a backup security key to your account and keeping it in a safe place, so you can get into your account if you lose your phone. You can get a security key from a number of vendors, including our own Titan Security Key.

Now on Android, your phone is a security key to protect your accounts from phishing. Christiaan Brand, product manager on the Google Cloud Security team, explains why protecting your identity is top of mind for Android.

Here’s to stronger account security—right in your pocket.

Source: Android


Building a safer internet, one secure domain at a time

Do you lock your doors when you're not home or when you’re sleeping at night? Your home protects everything and everyone that lies within it—whether that’s your family, pets or belongings—and a door is the most direct way for a criminal to access your home. Locking your door is the simplest thing you can do to keep safe. Similarly, when you’re browsing the web, there’s one key thing that helps keep you and your information safe and “locked” up.


HTTPS is a secure connection, backed by a certificate, that works just like the lock on your front door at home. By “locking” your connection to a website, it helps prevent interception or alteration of content on the site you’re visiting. We want every website to have a lock on it. That’s why Google Registry created safe.page: so you can understand the most direct steps you can take to keep yourself and others safe while browsing the internet.

Visit safe.page to learn how to read a URL (to avoid phishing attacks) and the importance of a secure connection (especially when sharing sensitive info like credit cards and passwords).

Build safely, get rewarded

That’s not all we’re doing to support HTTPS. We're also teaming up with WordPress to make it easy for anyone to build a secure website. They make building secure websites a snap by automatically installing SSL certificates at no cost for domains they host. If HTTPS is locking your online information safely, an SSL certificate acts like the actual lock on the door.


If you’ve been thinking of building a website, now’s a good time to get started: We're running a contest for the best sites created through April 30, 2019. Nine winners will be selected based on their website’s user experience, user interface, originality, design and content clarity. Winners will receive a Pixel 3 phone or equivalent prize and the opportunity to be featured on one of Google Registry's websites (get.page, get.app and get.dev). Entering the competition is simple:

  1. Register your .page, .app or .dev domain. All three extensions are secure by default (registered domains only work with an SSL certificate). You can register your domain through your preferred registrar.
  2. Build your website. You can get started building your site on WordPress.com and save 25 percent using the promo code SAFE_A24F at checkout. (The offer is valid until April 30, 2019.) Websites created in other ways on .app, .page and .dev are also eligible for the contest.
  3. Learn more about the contest rules here, including eligibility restrictions, prize details and entry deadlines. Submit your website to the contest at safe.page.

That’s it! Regardless of whether you create your own secure website, we encourage everyone to visit safe.page to learn the fundamentals of keeping your information safe. Good luck and thanks for doing your part to build a safer internet!

Fighting disinformation across our products

Providing useful and trusted information at the scale that the Internet has reached is enormously complex and an important responsibility. Adding to that complexity, over the last several years we’ve seen organized campaigns use online platforms to deliberately spread false or misleading information.

We have twenty years of experience in these information challenges and it's what we strive to do better than anyone else. So while we have more work to do, we’ve been working hard to combat this challenge for many years.

Today at the Munich Security Conference, we presented a white paper that gives more detail about our work to tackle the intentional spread of misinformation—across Google Search, Google News, YouTube and our advertising systems. We have a significant effort dedicated to this work throughout the company, based on three foundational pillars:

  • Improve our products so they continue to make quality count;
  • Counteract malicious actors seeking to spread disinformation;
  • Give people context about the information they see.

The white paper also explains how we work beyond our products to support a healthy journalistic ecosystem, partner with civil society and researchers, and stay one step ahead of future risks.

We hope this paper and increased transparency can lead to more dialogue about what we and others can do better on these issues. We're committed to acting responsibly and thoroughly as we tackle this important challenge.

Working with security researchers to make the web safer for everyone

What do a 19-year-old researcher from Uruguay, a restaurant owner from Cluj, Romania and a Cambridge professor have in common? They’re all security researchers—a global community of professionals, academics, students and hobbyists who are essential to the safety of our products and the web as a whole. We’re grateful to be a part of this community and support their work in a bunch of ways, including the Vulnerability Rewards Program and our 2018 Privacy and Security academic research awards.

Vulnerability Reward Program: Year in Review

Whether it’s been written by a PhD or a hobbyist, software inevitably has bugs that make it behave in unexpected ways. The important thing is that bugs are identified and patched as quickly as possible. Back in 2010, we started the Vulnerability Reward Program to get help from the security research community in identifying and reporting bugs in Google apps and software. The goal of the program is simple: encourage researchers to report issues so that we can fix them quickly and keep users’ data secure. We also provide financial rewards for bug reporters, ranging from $100 to $200,000, based on the risk level of their discovery. 

Since 2015, we’ve taken a look back at what VRP researchers have done to help make Google users safer. Here’s 2018, by the numbers:

[Image: VRP 2018 by the numbers]

Thanks to researchers from all around the world, we’ve been able to patch all different types of bugs. Ezequiel Pereira, a 19-year-old researcher from Uruguay, uncovered a remote code execution (RCE) bug that allowed him to gain remote access to our Google Cloud Platform console. Tomasz Bojarski from Poland discovered a bug related to cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data or perform actions on behalf of someone else. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant. After Dzmitry Lukyanenka, a researcher from Minsk, Belarus, lost his job, he began bug-hunting full-time and became part of our VRP grants program, which provides financial support for prolific bug-hunters over time.

Security and Privacy Research awards

We’ve also worked closely with leading security and privacy experts in academia, collaborating when we can provide the technology needed to carry out specific research projects. Academic breakthroughs help improve data privacy and security for years to come. Last year, we announced the Security and Privacy research awards, a new effort to recognize academics who have made major contributions to the field. Award winners are selected by a committee of senior security and privacy researchers at Google.

Today, we’re revealing the 2018 winners—and on their behalf, we’re making a financial contribution to their universities totaling more than half a million dollars:

Whether they’re finding bugs today or making breakthroughs that will protect the web years into the future, the security research community is making everyone’s information safer online. We’ll continue to do our part to support it.

Encryption for everyone: How Adiantum will keep more devices secure

Editor's note: February 5 was Safer Internet Day, but we’ll be talking about it all week with a collection of posts from teams from across Google.


Encryption is incredibly important. It underpins our digital security. Encryption encodes data so that it can only be read by individuals with a key. With encryption, you are in complete control of this key, and you can store sensitive information such as personal data securely.

But encryption isn’t always practical, since it would slow some computers, smartphones and other devices to the point of being unusable. That changes with Adiantum, which we are introducing today in the spirit of Safer Internet Day.

Adiantum is a new form of encryption that we built specifically to run on phones and smart devices that don’t have the specialized hardware to use current methods to encrypt locally stored data efficiently. Adiantum is designed to run efficiently without that specialized hardware. This will make the next generation of devices more secure than their predecessors, and allow the next billion people coming online for the first time to do so safely. Adiantum will help secure our connected world by allowing everything from smart watches to internet-connected medical devices to encrypt sensitive data. (For more details about the ins and outs of Adiantum, check out the security blog.)

Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance. Everyone should have privacy and security, regardless of their phone’s price tag.

Source: Android


How a data hack led Heather Adkins to her career

Editor’s note: Two-factor authentication, not using my pet’s name for a password, surfing the web on a secure browser—I do what I can to keep my data safe online. But thanks to the work of Heather Adkins—Google’s Director of Information Security—and her team, I don’t have to worry about my account getting hacked on a daily basis. I caught up with her for this latest She Word to learn about her career path in information security, her love for medieval history, her advice on how we can all protect ourselves online and more.

How do you explain your job at a dinner party?

I keep the hackers out of Google.

How did you get into the information security field?

In college, I had a job at a small ISP (internet service provider) and we got hacked. When most people get hacked for the first time, there’s helplessness, fear and panic—you feel like you’re having your house burgled. Instead, I felt a sense of curiosity: How did the hackers possibly manage that? What do they know that I don’t?

I knew that’s what I wanted to do for the rest of my life: get hacked—or at least study the techniques hackers use, and find ways to defend against it. My career found me, and I can’t imagine doing anything else.

There are high-stakes and stressful situations when you’re investigating potential security threats. How do you stay focused and calm?

One of the most important things is to make it a team effort. This responsibility doesn’t fall on any one person’s shoulders; it falls on a set of people who can support each other. It helps to distribute the stress—without a team, it would be too much.

My team has a heavy focus on trying to maintain work-life balance. Since our work is 24/7, we use a “follow the sun” model, moving responsibility of a project along with offices’ daytime working hours. This gives people a sense of closure at the end of their day, knowing that their work isn’t going to get dropped.

You’ve been at Google for 16 years—how many different roles have you had? How have you seen online security change during that time?

I’m one of the founding members of the security team. It’s changed so much—there was no Gmail when I joined Google! As the company has grown over time, so has our responsibility as a security team. But a lot of fundamental things are the same: Google was really committed to security before I got here. And the passion of people who work in security hasn’t changed—they love technology and they care about keeping people safe online.

What’s one thing everyone should do right now to better protect themselves online?

Two-factor authentication, where it’s offered, and use a security key if you’re a Google user.


What’s one habit that makes you successful?

I like to read lots of different things. When I started in the industry, I would get up and read Bugtraq (an electronic mailing list covering issues about computer security). When I wake up today, however, I want to know what the trade relationship is between the U.S. and other countries. The security industry is as much driven by geopolitical trends as anything. I find inspiration for solutions in all kinds of places; I’m reading books about quantum physics and civilizations at the moment.

What are you passionate about outside of work?

I study medieval history as a hobby. We know very little about this period of time in history because nobody kept what we would consider to be good records. It’s similar to what interests me when it comes to working on a system compromise—it’s a desire to put the picture back together, and figure out what happened.

Who has been a strong female influence in your life?

There are numerous luminaries I admire like Admiral Grace Hopper but they loom large at a distance (I’ve never met them). In my professional life, there haven't been many—I knew maybe five women in the field when I joined. In my personal life, my mom has been my biggest influence.

What advice do you have for women starting out in their careers?

Build resiliency in yourself. Finding a way to be resilient through tough times and come out the other side—having grown a little—means that you’re going to be able to go farther. To do that, you have to make sure you have joy elsewhere in your life to offset the difficult moments. It’s an engineering job: you have to be able to engineer your own happiness. You can get through anything in life if you can do that.

Protecting your data, no matter where you go on the web

Editor’s note: Today is Safer Internet Day, but we’ll be talking about it all week with a collection of posts from teams from across Google.

We’re always working to make sure your data is protected, whether you’re using Google products or checking out your favorite websites and apps.

Today, we’re introducing two new updates that will help keep your data secure, beyond just Google’s sites and apps: Password Checkup, a Chrome extension that helps protect your accounts from third party data breaches, and a new feature called Cross Account Protection.

Password Checkup

We help keep your Google Account safe by proactively detecting and responding to security threats. For example, we already automatically reset the password on your Google Account if it may have been exposed in a third party data breach—a security measure that reduces the risk of your account getting hacked by a factor of ten.

But we want to provide you with the same data breach protections for your accounts, beyond just Google apps and sites. This is where the new Password Checkup Chrome extension can help. If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised, the extension will trigger an automatic warning and suggest that you change your password.


We built Password Checkup so that no one, including Google, can learn your account details. To do this, we developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University. For a more technical description of these innovations, check out our security blog post.

This is our first version of Password Checkup, and we’ll be refining it in the coming months. You can take advantage of these new protections right away by installing the extension.

Cross Account Protection

In the rare case that an attacker is able to find a way into your Google Account, we’ve built useful tools to help you quickly get back to safety. Unfortunately, these protections haven’t extended to the apps that you sign into with Google Sign In.

Cross Account Protection helps address this challenge. When apps and sites have implemented it, we’re able to send information about security events—like an account hijacking, for instance—to them so they can protect you, too.

We’ve designed the security events to be extremely limited to protect your privacy:

  • We only share the fact that the security event happened.
  • We only share basic information about the event, like whether your account was hijacked, or if we forced you to log back in because of suspicious activity.
  • We only share information with apps where you have logged in with Google.

We created Cross Account Protection by working closely with other major technology companies, like Adobe, and the standards community at the Internet Engineering Task Force (IETF) and OpenID Foundation to make this easy for all apps to implement.


For app developers using Firebase or Google Cloud Identity for Customers & Partners, Cross Account Protection is included by default. We’re getting this effort off the ground now, and developers can get started today to improve security for everyone.

With technologies like Password Checkup and Cross Account Protection, we're continuing to improve the security of our users across the internet, not just on Google. We'll never stop improving our defenses to keep you safe online.