Android Security Evolution

Significant security enhancements of recent major Android versions, starting with Android 5.0 Lollipop (API 21).

Android 5.0 (API 21) - Lollipop

Security Enhancements - Android 5

• Starting August 2023, Google Play Services updates will only be received from this Android version see Google Play services discontinuing updates for KitKat (API levels 19 & 20) starting August 2023
• Full Disk Encryption (FDE) by default (manufacturers can still opt out), see Encryption and Security Enhancements in Android 5.0
• SELinux fully enforced, see Security Enhancements in Android 5.0
• WebView is a separate package, see Security Enhancements in Android 5.0 and The Updatable WebView on Android 5.0 Lollipop What Is It and Why Should You Care?

Android 6 (API 23) - Marshmallow

Security Enhancements in Android 6

• Keystore API significantly extended (symmetric cryptographic primitives, AES and HMAC support and access control system for hardware-backed keys) see Hardware-backed Keystore
• TEE is a requirement, see Hardware-backed Keystore and 7.3.10. Fingerprint Sensor section of Android 6.0 Compatibility Definition
• New API (isInsideSecureHardware) for checking whether a KeyStore key is stored in secure hardware (e.g., Trusted Execution Environment (TEE) or Secure Element (SE)), see isInsideSecureHardware method of KeyInfo
• Apps need to request permissions at runtime see Runtime Permissions section of Android 6.0 Changes and Request runtime permissions and Security Enhancements in Android 6.0
• More restrictive SELinux (IOCTL filtering, tightening of SELinux domains, etc.) see Security-Enhanced Linux in Android and Security Enhancements in Android 6.0

Android 7 (API 24) - Nougat

Security Enhancements - Android 7

• Separate User and System Certificate Trust Store, meaning Man-in-the-Middle attacks basically require root access from this point, see Changes to Trusted Certificate Authorities in Android Nougat
• Added Network Security Config support so apps can customize the behavior of their secure (HTTPS, TLS) connections in a simple declarative way, without code modification. It supports custom trust anchors (which Certificate Authorities (CA) the app trusts), debug-only overrides, cleartext traffic opt-out and certificate pinning (limiting which server keys are trusted), see Network Security Config section of Android 7.0 for Developers
• By default apps targeting Android 7.0 only trust system-provided certificates and no longer trust user-added Certificate Authorities (CA), even without custom Network Security Config, see Default Trusted Certificate Authority of Android 7.0 for Developers
• Update to Keymaster 2 with support for Key Attestation and version binding (preventing rolling back to an unsecure old version without losing keys), see Key Attestation section of Android 7.0 for Developers and Keymaster Functions and Verifying hardware-backed key pairs with Key Attestation and Key and ID Attestation
• File Based Encryption (FBE) introduced, but it's optional to implement by manufacturers, see Direct Boot section of Android 7.0 for Developers and Support Direct Boot mode and Encryption
• Updated SELinux configuration: further locking down application sandbox, breaking up mediaserver stack into smaller processes with reduced permissions (mitigation for Stagefright), see Security-Enhanced Linux in Android

Android 8 (API 26) - Oreo

Security Enhancements - Android 8

• JavaScript evaluation runs in a separate process in WebView so JavaScript code cannot access the app's memory so easily, see What’s new in WebView security and Security section of Android 8.0 Behavior Changes for All Apps
• WebView respects Network Security Config and cleartextTrafficPermitted flag (on older Android versions it loads HTTP sites even if clear text traffic should not be allowed by the config), see Security section of Android 8.0 Behavior Changes for Apps Targeting Android 8.0
• Safe Browsing API added to WebView so users would be warned when trying to navigating to a potentially unsafe website (verified by Google Safe Browsing) if enabled, see WebView APIs section of Android 8.0 Features and APIs
• FLAG_SECURE Window flag is supported more and disallows taking screenshots of the screen where this is set
• Update to Keymaster 3 with rewritten Hardware Abstraction Layers (HALs) written in HAL Interface Definition Language (HIDL) and in C++ (as compared to Legacy HAL that was written in C) with ID attestation support, see Hardware-backed Keystore and Keymaster Functions and Key and ID Attestation
• Project Treble introduced (only devices released with this version support project Treble, the ones updated will not get it), separating lower-level vendor code from Android system framework and enabling easier security update delivery, see Here comes Treble: A modular base for Android and Treble Plus One Equals Four
• Updated SELinux to work with Treble. SELinux policy allows manufacturers and SOC vendors to update their parts of the policy independently from the platform and vice versa, see Security-Enhanced Linux in Android
• Further hardening media stack: mobild [Ha