It’s official: Android 10, the next version of the Android operating system, ships 3 September 2019. Well, it’s semi-official, at least.
Mobile site PhoneArena reports that Google’s customer support staff let the date slip to a reader during a text conversation. Expect the operating system, also known as Android Q, to hit Google’s Pixel phones first before rolling out to other models. It will include a range of privacy and security improvements that should keep Android users a little safer.
Some of the most important privacy upgrades are those that stop applications and advertisers knowing more about your phone. Android 10 will now make apps transmit a randomised MAC address (this is a unique identifier for the network hardware in your phone) and also requires extra permissions to access the phone’s International Mobile Equipment Identity (IMEI) and serial numbers, both of which uniquely identify the device.
Google has also taken steps to protect information about how you interact with your contacts. When you grant an app access to your contacts, Android will no longer provide it with ‘affinity information’, which orders your contact data according to who you interact with most. Mark that one in the “wait, what? It did that?” file.
One of the other significant privacy enhancements is control over how an app accesses a phone’s location. A new dialog will let users choose whether apps can access location at all times, or only when running in the foreground. Google is playing catch-up here, as iOS already does this.
What about those apps that snoop on location data using other means, such as looking at Wi-Fi access points or checking folders for location data that other apps have left? The new version of Android will require specific fine location permissions for apps accessing selected Wi-Fi, telephony, and Bluetooth functions. It also has a new feature called scoped storage, which restricts an app’s access to files on external storage, only giving it access to its specific directory and media types.
Google has obviously been listening to researchers who discovered that a phone’s sensors could implicitly reveal details about its user. Android Q will introduce a new version of its
ACTIVITY_RECOGNITON permission for apps that look at physical activity, like step count.
Other privacy enhancements include restrictions on when apps can start in the background, and the OS will also stop apps from silently accessing the device’s screen.
Google is also rolling out several security enhancements to complement the privacy features in Android 10. The new version of the OS will feature better support for biometric authentication. It will include two modes, explicit and implicit, which developers can use to remove friction from the authentication process.
The idea is that you want to be very clear about authorising some things. You don’t just want Android scanning your face to get authorisation for a credit card transaction without asking you first, for example. So explicit mode makes you click a button to let the phone scan your face or iris, authenticating you for high-value actions like that.
Conversely, implicit mode is far more lax. It lets Android get authentication for a task by scanning your face or iris without asking first. It’s designed for easily-reversible things like auto-filling forms.
One of the elements Google addresses in Android Q is encryption, and it does it in two ways. First, it provides better encrypted communication.
Android phones already encrypt data in transit over HTTPS using the transport layer security (TLS) encryption protocol. Google is moving to version 1.3 of that protocol, approved as a standard a year ago. TLS 1.3 connects the phone to its destination up to 40% faster according to Google, because it uses fewer handshakes (the initial messages that set up a communication session). It also encrypts more of that handshake and strips out some less secure cryptographic algorithms.
The second enhancement is in file encryption. Some Android phones already encrypt files stored on the device using AES, a tried-and-tested method that has been around for decades. However, not all of them do. AES encryption and decryption has a computing overhead. Manufacturers using low-end processors in their phones often can’t manage AES, meaning that Google had to make an exemption for them.
Android 10 fixes this using Adantium, an encryption system that Google introduced in February. Instead of using AES, Adantium is based on a less demanding cipher called ChaCha12. It relies purely on the core functions of the CPU, meaning that processors which don’t include built-in hardware acceleration for cryptography can use it. Because it uses far less computing power than other methods of AES encryption, it can be used in everything from low-powered phones to smartwatches and medical devices, the company says.
Android 10 also features a number of security enhancements to existing parts of the operating system. Google analyses data from its bug bounty program with each release to work out what to focus on. Last year, it found that most of the bugs were in its media and Bluetooth functions.
Some 80% of Android’s media bugs were in its software codecs. Codec stands for coder/decoder, and it’s a software program that either turns multimedia into a data stream or decodes that data stream at the other end and turns it into something viewable. It has done its best to fix the bugs by moving software codecs into their own separate sandbox, which constrains what they can do. That means they have no access to hardware device drivers, so attackers can’t touch as much of your system using them.
Security and privacy enhancements are always a work in progress. These latest improvements to Android 10 / Q won’t be the last, but they show that Google is listening to cybersecurity researchers and responding. Android users with phones that support the new version should upgrade as soon as it becomes available.
8 comments on “Android 10 coming soon, with important privacy upgrades”
Any mention of WPA3?
Yep, it supports WPA3 too.
Can implicit biometric recognition be disabled?
App developers can choose whether to implement it or not.
Fox to hens: “Don’t worry! I’M in charge of hen-house security now.”
Do the higher level permissions put in for apps accessing data also restrict goog’s apps?
And all those out of date Androids waiting to be botted?