TL;DR I'm going to start sending out a quarterly summary of things the
major events going on in Android Security. Wow, did I pick a doozey of a
quarter to start doing this.


Below, I’ve compiled my top 10 android security events and activities from
the Q3, 2015. The last 3 months have been amazing -- any one of these
might have been the most important item for Android Security during most
quarters. But all of this really did happen in just the last three months.


    1.

    Monthly updates - Announced Nexus support policy with monthly security
    updates for Nexus
    <http://officialandroid.blogspot.com/2015/08/an-update-to-nexus-devices.html>.
    Pushed Samsung
    <http://www.androidcentral.com/samsung-plans-offer-new-security-updates-every-month-its-android-devices>
    and LG
    <http://www.engadget.com/2015/08/07/lg-stagefright-monthly-security-updates/>
    to make similar announcement (albeit still not realized). Shipped three
    updates <https://developers.google.com/android/nexus/images> to Nexus,
    GPE, Android One and published the corresponding security bulletins
    <https://groups.google.com/forum/#!forum/android-security-updates>.We
    also expanded to Kirkland team and began to grow the team to handle our
    increasing incident response needs <http://go/android-vulns-dashboard>.
    2.

    Unprecedented partner engagement in security - Executive meetings on
    security with all major US carriers and top 5 OEMs. Worked with APE / TAM /
    BD to build program for Ecosystem-wide Monthly Security updates
    <http://go/manic-monday-pitch>, rolled out our security program to all
    carriers, OEMs, and began to track rollouts
    <https://dashboards.corp.google.com/#/google::_45984543_fda2_458b_9a8a_3fe0c1130981>of
    security patches to devices. Here are highlights from a recent program
    review
    <https://docs.google.com/presentation/d/1c6xYbGkcIlHD-RPsv00U4vTMrzl4_CuOd-eJrU6Lf4M/edit#slide=id.g702e6832b_0_0>
    .
    3.

    Stagefright. Stagefright Code Yellow <http://go/stagefright-cy-track>.
    Media Server Bugs and Hackathon
    <https://docs.google.com/document/d/1icuQabxBlBBfjjP967YMLliIdSSm798BO20xdYA8q9Y/edit#heading=h.enzv5yxtjeu3>.
    Also, thanks to aarya@ of Chrome Security for driving that continued
    expansion of fuzzing efforts
    <https://docs.google.com/a/google.com/presentation/d/1docwgWwqZL0wEO5R0U5oRyMdnUhg9a3HMhmb-e5vyTM/edit?usp=drive_web>
    .
    4.

    Android M Security Enhancements
    <https://docs.google.com/presentation/d/1JfRZ5P-HmuaKJvN3SgZmXWhfoC3sirr8OVtDXPRBQZk/edit#slide=id.gaf51a6178_1_132>
    - I can’t believe this is #4. We shipped Verified Boot. Monthly Patch
    String. SeLinux IOCTL filtering. UsesClearTextTraffic. SELinux User
    separation. The broader Android team also shipped a major overhaul of
    permissions, fingerprint API, adoption of SD cards, protection for USB
    connections, and more.
    5.

    Results from Android Security Regards Program
    <https://www.google.com/about/appsecurity/android-rewards/> - Android
    Security Rewards launched on June 16
    <https://googleonlinesecurity.blogspot.com/2015/06/announcing-security-rewards-for-android.html>
    and by October 1, we’ve paid out over $100,000 for over 60 issues.
    6.

    Massive Increase in Public Outreach -- aludwig @ Blackhat (slides
    <https://docs.google.com/presentation/d/1U35ilLs3ca8AHNYXKZgl14VjS5Q-RSx3GNVQqCGQWkQ/edit>,
    press), jeffv@ about ioctl filter
    <https://docs.google.com/a/google.com/presentation/d/1_meUW-MtHdCQC2YuWnrtJ7W6WXh7CTxfHz_N0TksRY4/edit?usp=drive_web>
    at Linux Security Summit, paullawrence@ and mhalcrow@ about encryption
    <https://docs.google.com/a/google.com/presentation/d/1xD2Vs5hHkY8GZB4Y72QAxsPf5sraAAQmse_3IAS2UA4/edit?usp=drive_web>
    at Linux Security Summit, nnk@ Android Security Symposium in Vienna(
    slides
    <https://docs.google.com/a/google.com/presentation/d/1-BWUaMldBoTzd0Vx9BnjWFP69E3xF1Hk-52s2dFcioo/edit?usp=drive_web>),
    sporst@ on Russian Malware cleanup at Virus Bulletin (slides
    <https://docs.google.com/presentation/d/1CrqdAm7WKAXsMja1VHVXEVGbg1vUzvoyhC5qCrqiqsY/edit>,
    video, press
    <http://qz.com/514720/google-just-revealed-its-android-security-team-detected-and-defeated-a-steep-rise-in-mobile-banking-fraud-in-russia/>),
    cbrubaker@ on NoGotofail at University of Utah (slides
    <https://docs.google.com/a/google.com/presentation/d/12uJxPosU_dI-X4XUQZO2BwPXWl406ny-pGWN3xFC3JI/edit?usp=sharing>),
    smel@ spoke at Johns Hopkins (slides
    <https://docs.google.com/presentation/d/1dJWxs7GNUTSABYu08Yt-2eQXDaWBnTFA3DYIDGM1WDk/edit#slide=id.gca06805cf_17_22>
    )
    7.

    Operational Focus on Malware in Play - Monthly reviews of top PHA
    installs (July
    <https://docs.google.com/a/google.com/document/d/1vwTMvOwL4I08GrB9dyLC7ex9fg2ydeqLEg3UBh3XuT4/edit?usp=sharing>,
    August
    <https://docs.google.com/document/d/197_ELrS8zhZhGxglF2aSaQq2P_0YBdDhkrlgDG5m_x4/edit>,
    September
    <https://docs.google.com/document/d/1lcKEIc3JySPryR2YhlNmNdgquitfQWF9qO-aIaHUCRc/edit?ts=5612e47f>)
    have helped drive our goal of less than 1 million installs being a PHA.
    (currently, the number is ~500 per million <http://go/phastats>)
    8.

    Scale up of SafetyNet Attestation (including launch of Android Pay).
    See recent Program Review
    <https://docs.google.com/presentation/d/1SHeAt7bQX_OAoe99lwfn5IP9SSKyed7WJOWM-_B9v18/edit>
    for more details.
    9.

    Greenhat <http://go/greenhat> - 2 day, google-wide summit with the best
    of Android Security. All the content and recordings have been stored
    here
    <https://drive.google.com/a/google.com/folderview?id=0B47yL4yVz8b3flhxSkRiemUyQ1dHRDFZblloYm9hZ3doWmJOQzFDTHAwa1RFekdRVExEVXM&usp=sharing>
    .
    10.

    Last, but not least: Stinknet <http://go/stinknet>. Publicly known as Ghost
    Push
    <http://venturebeat.com/2015/09/18/cheetah-mobile-ghost-push-android-virus-infects-600k-users-a-day-with-unwanted-apps/>,
    (mostly) outside of Google Play we’re currently battling the largest
    coordinated rooting malware attack we’ve seen against Android. (We’re
    slowly winnning <http://go/stink>, but this will likely be a highlight
    again next quarter.)


Anyhow, those are just a few of the big things we've been up to recently.

Adrian

--
Adrian Ludwig
Android Security
aludwig@google.com

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscribe@googlegroups.com.
To post to this group, send email to android-security-discuss@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.

Search Discussions

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupandroid-security-discuss @
categoriesandroid
postedOct 16, '15 at 10:57p
activeOct 16, '15 at 10:57p
posts1
users1
websiteandroid.com

1 user in discussion

Adrian Ludwig: 1 post

People

Translate

site design / logo © 2019 Grokbase