The guessing as to what Android Q could stand for is over. As, indeed, is Android Q. Google has announced that Android is evolving, and as part of that evolution the new version of the operating system that will be released in just a few weeks’ time will be called Android 10. "While there were many tempting 'Q' desserts out there," Sameer Samat, vice president of product management for Android, said, "we think that at version 10 and 2.5 billion active devices, it was time to make this change." It was also time to address a total of 193 Android security vulnerabilities that Google has confirmed need fixing with the Android 10 release.
Android 10 security vulnerabilities
That surprising Google vulnerability confirmation came by way of the official security release notes that were published to the Android Open Source Project (AOSP) security bulletin update on August 20.
The bad news is that 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity.
The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."
Android 10 privacy improvements
The good news for 2.5 billion Android fans doesn't stop there. Earlier this year, Stephanie Cuthbertson, director of product management for Android, stated that the then Android Q would bring "almost 50 new features and changes focused on security and privacy." True to her word, a whole host of new security and privacy features are indeed included as part of the Android 10 release.
Details of some of the main privacy changes can be found at the Android "Q" developer website, where a statement reads "Android Q extends the transparency and control that users have over data and app capabilities."
The top changes include "scoped storage" to give users more control over files by only allowing Android 10 apps a filtered view of their app-specific directory and specific types of media.
Users will also have more control over when apps can use device location, by offering two options when an app asks for this access: while using the app only, or all the time (in the background, in other words).
Android 10 will also restrict when background activity can start, so as to minimize interruptions for the user who can maintain better "control of what's shown on their screen" as a result.
There are also changes in how the camera can be accessed by apps. Android 10 requires apps to have been granted camera access permission to get "potentially device-specific metadata."
With the introduction of Android 10, apps will not be able to enable or disable Wi-Fi, but must use a settings panel to prompt the user to do so instead. Furthermore, "to protect user privacy, manual configuration of the list of Wi-Fi networks is now restricted to system apps and device policy controllers."
According to a report in Wired, "Google will now require developers to use resettable identifiers to keep track of users. That way, if these digital fingerprints are ever compromised, or if you want to wipe your digital slate clean, there's a mechanism to do that."
Android 10 security evolution
Android 10 will also bring a quiet security evolution rather than revolution, it seems. An encryption scheme by the name of Adiantum is to be introduced as part of the Android 10 platform. This is good news as Google will require all new devices running the latest Android OS, including internet-of-things devices, to be encrypted using either the established AES option or Adiantum, which has sufficient performance to run on lower-end ARM processor-powered devices.
That Wired report also references how a new security library for Android 10 can be used with the Google Jetpack tools package to "help developers get security right in their apps, even if they don't have extensive expertise in the field."
Alongside the introduction of newly hardened sandboxes, including mini-sandboxes that isolate system process and app components, the leaking of data between apps should be less of an issue.
And finally, but certainly not at the bottom of the security importance list, I'm pleased that Google is making changes to the way that Android 10 will handle security updates. Important OS components will now be updated in the background, in much the same way that apps are updated, to bring the latest security fixes onto your device as soon as they are available and without having to reboot the phone!