Android Lollipop's Best New Security Features
Besides receiving a major redesign and many new features, Android 5.0 Lollipop also comes with some strong security improvements that should keep users' data safer, if users actually take advantage of them.
Default Encryption
The first big improvement actually doesn't require anything from the user. All new Android Lollipop devices will be encrypted by default at boot, with a unique key that never leaves the device (an important feature of this type of encryption). The new iOS 8 has the same type of encryption, as well.
The only major computing platform that isn't doing default encryption with local key storage is Windows, but hopefully, Microsoft will add it to Windows 10 as another one of its security improvements by the time this new version is out.
There is one downside to this type of encryption, though: without a pattern lock, PIN or password, it doesn't help all that much. The data is fully protected only if some kind of lock exists. Otherwise, anyone who can pick up your phone can obviously still look through it and has access to all the data you would. However, even without a lock, it should still protect users' data against any remote attacker who tries to read it from the phone's memory.
Smart Lock
Because many people don't like to put a password or even a pattern lock on their phones, Google has come up with an alternative that's essentially just as easy (if not easier) to use than Apple's Touch ID.
This new feature is called Smart Lock, and it works very differently than Touch ID. Instead of requiring your fingerprint every time you open the phone, it completely eliminates the need to unlock the phone, as long as you pair it with another NFC- or Bluetooth-enabled device.
Once the two devices are paired, your phone can stay unlocked only when it's in the NFC or Bluetooth range of that device. As an example, you could pair the phone to a laptop or a Bluetooth-enabled TV, and whenever you're in the same room as those devices, your phone will remain unlocked. As soon as you get out of their Bluetooth range, your phone will lock itself again.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Bluetooth can have a relatively long range (10m), so if you decide to pair the phone with a smartwatch, which is much closer to your phone, it would be preferable to use NFC. Then, you won't have to worry about nearby hackers trying to steal data from your device in some way, because NFC has a very short range (4cm).
Just like fingerprint scanning security has the (major) downside that if your fingerprint is stolen once, then you can essentially never use that fingerprint again, Smart Lock has a downside as well. If you pair it with a smartwatch, it should protect your phone if lost or stolen, but if you get robbed, the thief might take your smartwatch as well, and then your phone is also vulnerable.
One way Google could fix this is by mandating a "panic button" to all Android Wear smartwatches, so that the phone would be immediately locked, and the pairing process would have to start again before the phone could be unlocked.
Improved Face Unlock
Android 4.0 Ice Cream Sandwich added an intriguing and futuristic feature – the ability to unlock your phone by having it scan your face. It's not quite retina scanning, but it's close. However, the feature was both slow, and it had poor security that could be relatively easily bypassed with a photo of the owner.
This feature has been overhauled for Android 5.0. It's not only much faster, but once you activate it, you may even forget it's there, scanning your face. The way it works now is that the device starts scanning your face as soon as the screen is on. By the time you finish messing with your lockscreen notifications, the scanning (and the unlocking of the device) should already be done. If the face scanning fails, you'll still be prompted for your PIN or password (if you have them set-up).
There's also good news in regards to the security of this feature (without which it wouldn't be more than a simple gimmick). Google hasn't given too many details on this yet, but apparently, instead of just taking a photo of the user's face, it now analyzes the user's face on an ongoing basis, so it should be much harder to try to trick the scan with a simple picture. When the device senses the user is not real, it locks itself.
SELinux
SELinux, which stands for Security Enhanced Linux, was initially developed by the NSA and was released as an open source project back in 2000. It has been thoroughly analyzed since then, so the chance of having a backdoor should be nonexistent by now.
Android adopted SELinux for the first time in version 4.3, but only in Permissive mode. That didn't do much to improve security, but it was Google's way of testing it on Android in the real world before deploying a stricter mode, much like how Google implemented the Android Runtime in KitKat, but only uses it as default in Lollipop.
Starting with KitKat, Google enabled the Enforcing mode for SELinux, and Adrian Ludwig, Android's Lead Security Engineer said that in Lollipop the Enforcing mode is "required for all applications on all devices."
SELinux in Enforcing mode essentially restricts malware or even users with administrator/root privileges from doing certain damage to the system. It's "enforcing" a minimum level of security and app isolation that nobody can bypass. When it comes to security, that's usually a good thing.
Factory Reset Protection
Due to a rapid increase in smartphone thefts there has been much talk, and even a law passed in California, about smartphone "kill switches." Trying to avoid much stricter laws and potentially government-controlled kill switches, companies have promised to come up with their own kill switch technology before they are forced to do so in more places or countries.
Google came up with this new "Factory Reset Protection" feature that's available in Android Lollipop and requires a password before the device can be reset. This sounds much lighter-weight than a "kill" switch, or a technology that can brick devices, but that's probably for the best. This feature should stop thieves from trying to sell the device to someone else, or at least it should make it much harder to do so. The Factory Reset Protection would essentially get the same result as bricking the device, especially if the device is already locked and encrypted by default, so the thief can't access it in any way.
Unfortunately, unlike Apple, which has enabled a similar feature (called Activation Lock) for its new devices by default, Google has kept this feature opt-in only so far. If you want to take advantage of it, you have to enable it first. Google has presumably kept it opt-in only for Android Lollipop in order to test it first, but the company may also enable it by default in the next version of Android.
Security is never "complete," and thanks to Android's immense popularity in the mobile market which makes it a bigger target for attackers, Google will have its hands full. Hopefully, this means we'll continue to see significant security improvements in the upcoming versions of Android.
Follow us @tomshardware, on Facebook and on Google+.
Nvidia, AMD, and Intel all invest in light-based communication networks powering next-gen chips — Ayar Labs gets $155 million in funding
Fanless Ryzen 9 9950X seemingly outperforms the same liquid-cooled chip in Cinebench R23 — flagship Zen 5 CPU hit 95ºC at full load
AMD to release the Krackan at CES — CPU rivals Intel Lunar Lake in new benchmarks, Ryzen AI 7 350 takes on the Core Ultra 7 258V
-
Kary K The Android App Delayed Lock already allows you to keep your phone unlocked when paired with a bluetooth device, or when connected to certain Wi-Fi networks. Very handy.Reply -
Kary K The Android App Delayed Lock already allows you to keep your phone unlocked when paired with a bluetooth device, or when connected to certain Wi-Fi networks. Very handy.
So when you're robbed and someone takes all your devices your phone is still unlocked...brilliant "security" measure. Android and security...two words never to be used in the same sentence. Making the "Factory Reset Protection" opt-in only is absolutely ridiculous. At least you'll be able to get Lollipop in say 6-8 months after it's released..lol
There is some possibility of that, but it locks pretty quickly when no longer connected. I let it be unlocked when at home or in my car (BT from car stereo), but not at the office. -
rubberjohnson The Android App Delayed Lock already allows you to keep your phone unlocked when paired with a bluetooth device, or when connected to certain Wi-Fi networks. Very handy.
So when you're robbed and someone takes all your devices your phone is still unlocked...brilliant "security" measure. Android and security...two words never to be used in the same sentence. Making the "Factory Reset Protection" opt-in only is absolutely ridiculous. At least you'll be able to get Lollipop in say 6-8 months after it's released..lol
There is some possibility of that, but it locks pretty quickly when no longer connected. I let it be unlocked when at home or in my car (BT from car stereo), but not at the office.
Please don't reply to the Trolls Kary. It's easier to ignore the Apple shill then counter his BS. -
fkr or you just go to android device manager on the web and set a new password and remotely wipe the device.Reply
https://www.google.com/android/devicemanager
seriously people who do not how to control there tech just piss themselves off while I laugh.
you can track the device and get complete path tracking for the entire lifetime of that email account. or you can delete it. it is your info to use and control.
but in the end all I know is that 75% of all tech support calls for mobile devices were apple related so thank god for the easy work.
and also of interesting note is that it seemed like 80% of people who had issues with android were one who lived in the sticks. -
mykalios No offense to Apple users in general, but with Android if you actually do your homework and are moderately techy, then you wont have any problems. Apple was smart by making its products almost idiot proof, but yet like fkr said if you listen to these tech calls for Apple users you realize they are completely retarded when it comes to technology (or modern science i imagine).Reply
Google's mistake is that they have to much faith in the average user (Oops) -
canadianvice Sort of peripheral to the thread, but SELinux by the NSA.... really?Reply
Who would be stupid enough to use that, FOSS or not... -
ajiam "... if you decide to pair the phone with a smartwatch, which is much closer to your phone, it would be preferable to use NFC."Reply
Don't most (right-handed) people wear their watch on their left wrist and use their phone with their right hand? -
Kary K 14473571 said:"... if you decide to pair the phone with a smartwatch, which is much closer to your phone, it would be preferable to use NFC."
Don't most (right-handed) people wear their watch on their left wrist and use their phone with their right hand?
What's the range of NFC? I thought it was inches.
-
ajiam That is my point. Why does the author suggest that NFC is better for such a purpose if its range is only 4cm?Reply