Android P Developer Preview: Google’s next OS update will stop apps from spying on you
Google will bar apps from accessing to your microphone when you’re not using them.tech Updated: Mar 10, 2018 13:13 IST
Google earlier this week rolled out the first developer preview of its next big update to Android operating system. Currently called Android P, the preview comes with a host of new features that focus on improving user experience and support for iPhone X-inspired notch displays. The preview also reveals Google’s increased focus on users’ privacy and security.
Android P will address concerns relating to certain mobile applications capable of accessing your camera and microphone without your consent. For instance, Facebook was suspected of accessing users’ microphones to deliver targeted ads. The social networking giant, however, refuted the claim.
Just recently, a dangerous malware called Skygofree was found to be capable of running 48 commands, including the ability to switch on your microphone and listen from it, without users’ knowledge.
Android P, however, is going to fix this problem by disabling the applications in the background from accessing your microphone and camera. Google recently updated its Android Open Source Project (AOSP) policies to categorically ban this.
“If a UID is in an idle state, we don’t allow recording to protect user’s privacy. If the UID is in an idle state, we allow recording but report empty data (all zeros in the byte array) and once the process goes in an active state we report the real mic data. This avoids the race between the app being notified about its lifecycle and the audio system being notified about the state of a UID,” said Google on its AOSP page, updated last month.
A similar update was made for disallowing background apps from accessing the camera.
“If a UID is idle (being in the background for more than certain amount of time) it should not be able to use the camera. If the UID becomes idle, we generate an error and close the cameras for this UID. If an app in an idle UID tries to use the camera we immediately generate an error. Since apps already should handle these errors, it is safe to apply this policy to all apps for protecting user privacy,” it added.
The two updates were implemented in Google’s latest Android P developer preview. The idea behind the change is to make users fully aware of the apps that use sensitive sensors on their devices.
“To better ensure privacy, Android P restricts access to mic, camera and all SensorManager sensors from apps that are idle. While your app’s UID is idle, the mic reports empty audio and sensors stop reporting events. Cameras used by your app are disconnected and will generate an error if the app tries to use them. In most cases, these restrictions should not introduce new issues for existing apps, but we recommend removing these requests from your apps,” wrote Dave Burke, VP of Engineering at Google in a blog post.
Tracking via unique device identifier
Apart from barring apps from spying on you, Google is also making it difficult for malicious apps from tracking you by using a unique device identifier. Essentially, Android phones have a unique permanent device identifier code number that stays despite factory resets. The access to this code allowed apps to track users. Google, however, has already begun withdrawing this feature through its current Android 8.0 Oreo iteration. With Android P, this feature will be completely blocked for applications.
Unified fingerprint authentication dialog
Android P comes with a system fingerprint authentication dialog on behalf of your app. “This functionality creates a standardised look, feel and placement for the dialog, giving users more confidence that they’re authenticating against a trusted fingerprint credential checker,” according to Google.
With Google’s growing focus on digital payments, the company is also ensuring that financial transactions on its platform are secure. Google recently unified all its payment services under one Google Pay umbrella. The unified platform will also feature the India-exclusive Google Tez.
“Supported devices that launch with Android P installed give you the ability to use the Protected Confirmation API. By using this new API, your app can use an instance of ConfirmationDialog to display a prompt to the user, asking them to approve a short statement. This statement allows the app to reaffirm that the user would like to complete a sensitive transaction, such as making a payment,” wrote Google.
“If the user accepts the statement, your app receives a cryptographic signature that’s protected by a keyed-hash message authentication code (HMAC). The signature is produced by the trusted execution environment (TEE) that protects the display of the confirmation dialog as well as user input. The signature indicates, with very high confidence, that the user has seen the statement and agreed to it.”