major events going on in Android Security. Wow, did I pick a doozey of a
quarter to start doing this.
Below, I’ve compiled my top 10 android security events and activities from
the Q3, 2015. The last 3 months have been amazing -- any one of these
might have been the most important item for Android Security during most
quarters. But all of this really did happen in just the last three months.
Monthly updates - Announced Nexus support policy with monthly security
updates for Nexus
to make similar announcement (albeit still not realized). Shipped three
updates <https://developers.google.com/android/nexus/images> to Nexus,
GPE, Android One and published the corresponding security bulletins
also expanded to Kirkland team and began to grow the team to handle our
increasing incident response needs <http://go/android-vulns-dashboard>.
Unprecedented partner engagement in security - Executive meetings on
security with all major US carriers and top 5 OEMs. Worked with APE / TAM /
BD to build program for Ecosystem-wide Monthly Security updates
<http://go/manic-monday-pitch>, rolled out our security program to all
carriers, OEMs, and began to track rollouts
security patches to devices. Here are highlights from a recent program
Stagefright. Stagefright Code Yellow <http://go/stagefright-cy-track>.
Media Server Bugs and Hackathon
Also, thanks to aarya@ of Chrome Security for driving that continued
expansion of fuzzing efforts
Android M Security Enhancements
- I can’t believe this is #4. We shipped Verified Boot. Monthly Patch
String. SeLinux IOCTL filtering. UsesClearTextTraffic. SELinux User
separation. The broader Android team also shipped a major overhaul of
permissions, fingerprint API, adoption of SD cards, protection for USB
connections, and more.
Results from Android Security Regards Program
<https://www.google.com/about/appsecurity/android-rewards/> - Android
Security Rewards launched on June 16
and by October 1, we’ve paid out over $100,000 for over 60 issues.
Massive Increase in Public Outreach -- aludwig @ Blackhat (slides
press), jeffv@ about ioctl filter
at Linux Security Summit, paullawrence@ and mhalcrow@ about encryption
at Linux Security Summit, nnk@ Android Security Symposium in Vienna(
sporst@ on Russian Malware cleanup at Virus Bulletin (slides
cbrubaker@ on NoGotofail at University of Utah (slides
smel@ spoke at Johns Hopkins (slides
Operational Focus on Malware in Play - Monthly reviews of top PHA
have helped drive our goal of less than 1 million installs being a PHA.
(currently, the number is ~500 per million <http://go/phastats>)
Scale up of SafetyNet Attestation (including launch of Android Pay).
See recent Program Review
for more details.
Greenhat <http://go/greenhat> - 2 day, google-wide summit with the best
of Android Security. All the content and recordings have been stored
Last, but not least: Stinknet <http://go/stinknet>. Publicly known as Ghost
(mostly) outside of Google Play we’re currently battling the largest
coordinated rooting malware attack we’ve seen against Android. (We’re
slowly winnning <http://go/stink>, but this will likely be a highlight
again next quarter.)
Anyhow, those are just a few of the big things we've been up to recently.
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firstname.lastname@example.org.
To post to this group, send email to email@example.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.