In order to secure its mobile operating system Android, Google uses a multi-pronged approach that includes monthly security updates to patch vulnerabilities reported through its Vulnerability Rewards Program (VRP) as well as hardening measures to protect against undiscovered vulnerabilities.
All vulnerabilities submitted through VRP are analyzed by the company's security engineers to determine the root cause of each vulnerability and its overall severity using these guidelines. At the same time though, Google also relies on internal and external bug reports to identify vulnerable components and reveal coding practices that commonly lead to errors.
Relying solely on vulnerability reports can be a problem though as security researchers often flock to areas where others have already found vulnerabilities or use readily-available tools that make it easier to find bugs. For this reason, internal Red Teams at Google analyze less scrutinized or more complex parts of Android so that its mitigation efforts are not biased only towards areas where bugs and vulnerabilities have been reported.
Additionally, continuous automated fuzzers run at scale on both Android virtual machines and physical devices to ensure that bugs can be found and fixed early in the development lifecycle. Vulnerabilities discovered this way are also analyzed for root cause and severity to inform mitigation deployment decisions.
Memory bugs
Of the critical and high severity vulnerabilities fixed in Android Security Bulletins in 2019, memory bugs accounted for 59 percent of all vulnerabilities, followed by permission bypass flaws at 21 percent. To prevent memory bugs going forward though, Google is encouraging developers to move to memory-safe programming languages such as Java, Kotlin and Rust.
The Android Security and Privacy Team provided further insight on how it's working to migrate to memory-safe languages in a blog post, saying:
“C and C++ do not provide memory safety the way that languages like Java, Kotlin, and Rust do. Given that the majority of security vulnerabilities reported to Android are memory safety issues, a two-pronged approach is applied: improving the safety of C/C++ while also encouraging the use of memory safe languages.”
With each new Android release, the Android Security and Privacy Team uses the data available to it to balance security improvements that benefit the entire ecosystem with performance and stability.
Via ZDNet