TL;DR I'm going to start sending out a quarterly summary of things the
major events going on in Android Security. Wow, did I pick a doozey of a
quarter to start doing this.

Below, I’ve compiled my top 10 android security events and activities from
the Q3, 2015. The last 3 months have been amazing -- any one of these
might have been the most important item for Android Security during most
quarters. But all of this really did happen in just the last three months.


    Monthly updates - Announced Nexus support policy with monthly security
    updates for Nexus
    Pushed Samsung
    and LG
    to make similar announcement (albeit still not realized). Shipped three
    updates <> to Nexus,
    GPE, Android One and published the corresponding security bulletins
    also expanded to Kirkland team and began to grow the team to handle our
    increasing incident response needs <http://go/android-vulns-dashboard>.

    Unprecedented partner engagement in security - Executive meetings on
    security with all major US carriers and top 5 OEMs. Worked with APE / TAM /
    BD to build program for Ecosystem-wide Monthly Security updates
    <http://go/manic-monday-pitch>, rolled out our security program to all
    carriers, OEMs, and began to track rollouts
    security patches to devices. Here are highlights from a recent program

    Stagefright. Stagefright Code Yellow <http://go/stagefright-cy-track>.
    Media Server Bugs and Hackathon
    Also, thanks to aarya@ of Chrome Security for driving that continued
    expansion of fuzzing efforts

    Android M Security Enhancements
    - I can’t believe this is #4. We shipped Verified Boot. Monthly Patch
    String. SeLinux IOCTL filtering. UsesClearTextTraffic. SELinux User
    separation. The broader Android team also shipped a major overhaul of
    permissions, fingerprint API, adoption of SD cards, protection for USB
    connections, and more.

    Results from Android Security Regards Program
    <> - Android
    Security Rewards launched on June 16
    and by October 1, we’ve paid out over $100,000 for over 60 issues.

    Massive Increase in Public Outreach -- aludwig @ Blackhat (slides
    press), jeffv@ about ioctl filter
    at Linux Security Summit, paullawrence@ and mhalcrow@ about encryption
    at Linux Security Summit, nnk@ Android Security Symposium in Vienna(
    sporst@ on Russian Malware cleanup at Virus Bulletin (slides
    video, press
    cbrubaker@ on NoGotofail at University of Utah (slides
    smel@ spoke at Johns Hopkins (slides

    Operational Focus on Malware in Play - Monthly reviews of top PHA
    installs (July
    have helped drive our goal of less than 1 million installs being a PHA.
    (currently, the number is ~500 per million <http://go/phastats>)

    Scale up of SafetyNet Attestation (including launch of Android Pay).
    See recent Program Review
    for more details.

    Greenhat <http://go/greenhat> - 2 day, google-wide summit with the best
    of Android Security. All the content and recordings have been stored

    Last, but not least: Stinknet <http://go/stinknet>. Publicly known as Ghost
    (mostly) outside of Google Play we’re currently battling the largest
    coordinated rooting malware attack we’ve seen against Android. (We’re
    slowly winnning <http://go/stink>, but this will likely be a highlight
    again next quarter.)

Anyhow, those are just a few of the big things we've been up to recently.


Adrian Ludwig
Android Security

You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
Visit this group at
For more options, visit

Search Discussions

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupandroid-security-discuss @
postedOct 16, '15 at 10:57p
activeOct 16, '15 at 10:57p

1 user in discussion

Adrian Ludwig: 1 post



site design / logo © 2019 Grokbase