
System Hardening in Android 11 - theafh
https://security.googleblog.com/2020/06/system-hardening-in-android-11.html
======
sitic
In addition, in the Android 11 API:

* apps can't simply access the "external" storage (enforces scoped storage)

* apps can't get a list of all installed apps (package visibility, they can specify app names and intent signatures in the Manifest they want to query)

These are welcome changes in my view, but unfortunately they also seem intended
to fix SafetyNet and require hardware attestation that the bootloader is not
unlocked [1]. When this is enforced for all devices some apps, like the eBay
app, won't run on unlocked devices anymore. I've always trusted
CyanogenMod/LineageOS more than a device manufacturer, but after >10
years of using Android I think it's finally time for me to switch to an
iPhone.

[1] https://groups.google.com/forum/#!topic/safetynet-api-clients/lpDXBNeV7Fg

~~~
freedomben
You're upset about them requiring hardware attestation in SafetyNet (I am too)
so you move to a platform that is way less flexible and way more closed?

Not a troll, I'm really curious.

~~~
californical
I can give an anecdote.

I love most things about iOS design more than Android, and I've used both, but
have stuck with Android over the last 7-8ish years. Mainly because of the
amount that I could customize things, freely make little app projects, install
custom ROMs, etc. Over the last few years, it's gotten inconvenient to tinker,
and I just don't find myself bothering with it anymore. I've run into issues
where certain apps stop working because of root.

But also both OSes have gotten much better and need fewer (if any) tweaks
anyway to be used effectively. Especially with the upcoming change to allow
iOS to use a different default browser (finally).

If the main reason I've been drawn to Android is vanishing more every year,
I'd rather use the more elegant OS (Apple), regardless of how closed it is. I
have a Pixel 2 that's getting near EOL (only 2 years after buying it), and
I'll be getting an iPhone SE as soon as I can justify spending the money.

I guess something that helps too is I've been on a de-googling kick these last
few months where I've been switching off all their services because of
privacy, another benefit of iOS to me

~~~
homarp
iOS 14 does not let you use a different default browser engine. It's just the
skin that changes. It's still WebKit under the hood.

~~~
slipheen
As much as you and I may care about that, for many (most?) people the browser
chrome is the most important part.

Syncing bookmarks, UI, tab handling etc tend to be bigger pain points for
individuals, as opposed to the more dev-focused aspects such as supporting a
certain API in Javascript.

~~~
bad_user
If you're technologically illiterate, this might be true. Witness however
Firefox for Android (vs iOS), the most important differences for me being:

- Extensions support, so uBlock Origin, Privacy Badger, the best ad-blocking
combination that far surpasses Safari's content blockers, which are pretty
shitty; and extensions are useful for more than ad-blocking — e.g. I have
another one on my tablet that turns all web pages to dark mode, whether they
support it or not

- Web push notifications

- (Up until very recently) webp format support

On Android I wouldn't even install many apps, like Facebook, or Twitter, or
Fastmail, I'd simply use them as PWAs (web apps), in Firefox with ads blocking
on, because I could.

I still use Firefox on iOS for the history / bookmarks syncing, but it's a
shadow of actual Firefox.

------
worried1872
This dumbing down and locking down of phones and computers is really worrying
me. I'm a power user who has been using computers as a tool which I have
been in control of (more or less), but now things are really turning. Today's
phones are in control of us as we lose more and more power over them. Living in
Sweden, I am almost forced to use proprietary phones and software, just to
live here. Any idea for what a free software enthusiast should do now that
things I've loved to use are slowly being taken away from me, and being
replaced by these devices controlled by these monopolies and governments?

~~~
lucb1e
> forced to use proprietary phones and software, just to live here

That sounds doubtful. What kind of "phones" and what kind of software does the
Swedish government require you to use?

Note that I agree with your general point of locking people and power users
out of the hardware they are supposed to be the owners of, it's just that part
that kind of detracts from the point (I'm going to go ahead and assume phones
and software are not actually required).

~~~
SahAssar
They are talking about BankID, which is a national identification system that
only runs on recent proprietary systems (mostly used on iOS and Android, but
IIRC also supported in another version on macOS and Windows).

There is no linux version available (there used to be a few years ago IIRC),
and using U2F or other security devices via open standards is not supported.

It's a pretty OK system (for most people) made much worse (for some people) by
not supporting standards they should have years ago. Yubikey is a Swedish
company, BankID is a Swedish company, they both deal with identity online; how
they have not actually managed to interoperate is beyond me.

Basically it's a system that caters to the masses and does a pretty good job
at that, but it's very bad for the non-technical (who don't have a smartphone)
and the very technical (who might not use the OSes that they support). I
expect more from a system that most people use to pay their taxes.

There are also any number of security questions from the above, but I'll
refrain from those.

------
saagarjha
> In Android 11, Scudo replaces jemalloc as the default native allocator for
> Android. Scudo is a hardened memory allocator designed to help detect and
> mitigate memory corruption bugs in the heap

This comment of mine did not age well:
https://news.ycombinator.com/item?id=23560040.
I'm curious what the performance impact of the change was?
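
Added example, not code from the blog post, from Scudo or from anyone in this thread: the C program below mimics the two checks a hardened allocator performs on every free, which is what "detect and mitigate memory corruption bugs in the heap" amounts to in practice. Each chunk carries a 16-byte header with its state, size and a keyed checksum. On free, the checksum is verified first (a header overwritten by an overflow from the neighbouring chunk fails here), then the state (a chunk that is already quarantined fails here, i.e. a double free). Chunks are carved from a static arena so that two consecutive allocations are genuinely adjacent. The FNV-1a checksum, the fixed cookie, the arena and the returned error codes are all constructed for this demo; Scudo's real header layout and checksum differ, and Scudo aborts the process instead of returning a code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum chunk_state { CHUNK_ALLOCATED = 1, CHUNK_QUARANTINED = 2 };
enum free_result { FREE_OK = 0, FREE_BAD_HEADER = 1, FREE_DOUBLE_FREE = 2 };

/* 16-byte header placed directly before the user data. */
struct chunk_header {
    uint32_t state;
    uint32_t size;
    uint64_t checksum;   /* keyed checksum over state, size and the chunk address */
};

static uint64_t g_cookie = 0x5eed5eed5eed5eedULL; /* constructed secret; a real allocator draws it at startup */
static uint64_t g_arena[512];                    /* 4 KiB bump arena, 8-byte aligned */
static size_t g_arena_used;                      /* bytes handed out so far */

/* FNV-1a over the header fields plus the header's own address, keyed with the
   cookie. An assumption of this demo; Scudo's actual checksum differs. */
static uint64_t header_checksum(const struct chunk_header *h)
{
    uint64_t fields[3] = { h->state, h->size, (uint64_t)(uintptr_t)h };
    const unsigned char *p = (const unsigned char *)fields;
    uint64_t v = 1469598103934665603ULL ^ g_cookie;
    for (size_t i = 0; i < sizeof fields; i++) {
        v ^= p[i];
        v *= 1099511628211ULL;
    }
    return v;
}

void *hardened_malloc(size_t size)
{
    if (size == 0 || size > sizeof g_arena) return NULL;
    size_t need = sizeof(struct chunk_header) + ((size + 15) & ~(size_t)15);
    if (need > sizeof g_arena - g_arena_used) return NULL;
    struct chunk_header *h = (struct chunk_header *)((unsigned char *)g_arena + g_arena_used);
    g_arena_used += need;
    h->state = CHUNK_ALLOCATED;
    h->size = (uint32_t)size;
    h->checksum = header_checksum(h);
    return h + 1;                               /* user data starts right after the header */
}

/* Returns a code instead of aborting so the checks can be observed; a real
   hardened allocator terminates the process on either failure. Freed chunks
   stay in "quarantine" (this toy never recycles them), which is also why a
   second free still finds an intact header to inspect. */
enum free_result hardened_free(void *ptr)
{
    struct chunk_header *h = (struct chunk_header *)ptr - 1;
    if (h->checksum != header_checksum(h))
        return FREE_BAD_HEADER;    /* header overwritten, e.g. by an overflow of the previous chunk */
    if (h->state != CHUNK_ALLOCATED)
        return FREE_DOUBLE_FREE;   /* chunk already quarantined: double free */
    h->state = CHUNK_QUARANTINED;
    h->checksum = header_checksum(h);
    return FREE_OK;
}

enum free_result demo_valid_free(void)
{
    void *p = hardened_malloc(32);
    memset(p, 0, 32);
    return hardened_free(p);                 /* FREE_OK */
}

enum free_result demo_double_free(void)
{
    void *p = hardened_malloc(32);
    hardened_free(p);
    return hardened_free(p);                 /* FREE_DOUBLE_FREE */
}

/* One byte written past chunk a lands in chunk b's header. */
enum free_result demo_overflow_into_next_header(void)
{
    char *a = hardened_malloc(16);
    char *b = hardened_malloc(16);
    memset(a, 'A', 17);                      /* off-by-one overflow out of a */
    return hardened_free(b);                 /* FREE_BAD_HEADER */
}

int main(void)
{
    printf("valid free      -> %d\n", demo_valid_free());
    printf("double free     -> %d\n", demo_double_free());
    printf("header overflow -> %d\n", demo_overflow_into_next_header());
    return 0;
}
```

The order of the two checks matters: the checksum is verified before the state is read, so a corrupted header is reported as corruption rather than misread as a double free or, worse, trusted and unlinked.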

~~~
danudey
I think it aged fine. I certainly hadn't heard of it, and I bet most people
were in the same boat.

Really, you just asked a legitimate question, and now today you have a
legitimate answer. I'd call that a win!

~~~
saagarjha
Not knowing about the memory allocator in an upcoming release of an operating
system used by over a billion people is a bit of a lapse on my part ;)

------
tjoff
I'm mostly worried about Termux. I can't imagine a phone without a decent
terminal and I feel my options are going to be severely limited.

~~~
darksaints
What sorts of uses do you have on a phone where a terminal is useful?

~~~
yjftsjthsd-h
* youtube-dl single-handedly would justify installing termux

* rsync (backups, pulling audio files, pushing pictures)

* vim

* git/hg (all my notes live in a repo)

* random scripts (ex. When I was losing weight, I tracked calories with some shell scripts. I also have one that uses root and /system/bin/input to automate things.)

~~~
fomine3
Has no one made a youtube-dl GUI wrapper app, really?

~~~
cercatrova
They did, it's called NewPipe

~~~
yjftsjthsd-h
Does NewPipe support all the sites that youtube-dl does? I know they cover
more than just YT itself, but youtube-dl's coverage is massive.

------
stephc_int13
"In Android 11, Scudo [1] replaces jemalloc as the default native allocator
for Android. Scudo is a hardened memory allocator designed to help detect and
mitigate memory corruption bugs in the heap"

I am curious about the performance impact of this change.

[1] https://source.android.com/devices/tech/debug/scudo

~~~
jhalstead
I found this [0] 2019 blog post from what looks to be one of the people
credited in the blog post (Kostya). It's not directly comparing
Android+jemalloc vs Android+Scudo, but it does compare the two allocators and
others.

[0] http://expertmiami.blogspot.com/2019/05/what-is-scudo-hardened-allocator_10.html?m=1

~~~
danudey
So according to these figures, Scudo is the best allocator out of all the
options tested? That's pretty decent.

------
bitwize
Don't forget restricting the execution environment, breaking things like
Termux and partially obviating the advantages of having an Android device in
the first place!

------
LeoPanthera
I suppose this will kill multi-emulators like RetroArch. No longer will they
be able to load arbitrary ROMs from a microSD card or other generic storage.

~~~
pjmlp
Sure they will, they just have to request a file picker for the user to select
the file on their own.

------
edm0nd
All I want them to do is bring back the option to use NFC as an authentication
method so I can unlock my phone with NFC.

------
chaostheory
This is nice and all, but the bigger issue is when will Android phones reach
Android 11? Has fragmentation gotten better? Do most phone manufacturers
support upgrading to major versions of Android (it does not seem to be in
their interest)?

~~~
izacus
It's really no secret after all these years that you need to buy a Google
phone to get the best support for their OS, just like you need to buy Apple
hardware to get support for their OS.

~~~
antpls
I bought a Nokia 6.1 around 2 years ago, which is part of the Android One
program, and it worked well! Had all the monthly security updates, the system is
clean and stable, updated to major versions of Android smoothly without any
issue.

If I can, I will buy another Android One phone. There is a horror story about
an Android One Xiaomi phone, but Nokia delivered on the promise with the 6.1,
according to my experience.

~~~
m45t3r
> There is a horror story about an Android One Xiaomi phone

Which one? I had a Xiaomi Mi A1 and nowadays I have an A2; both are fine
Android One phones that still receive updates (in the case of the A1, only
security ones, but the A2 received an Android 10 update).

Yeah, Xiaomi may take a while to update their phones in the Android One program,
but otherwise it is fine.

~~~
antpls
It was the A3: https://www.themobileindian.com/news/xiaomi-rolls-out-android-10-update-for-mi-a3-for-the-fourth-time-30766

They had to stop the Android 10 deployment 3 or 4 times because of bugs and
issues found by users after updating their phones.

Good to know that it was an isolated case.

------
Cactus2018
Dear Android Product Owner, I want to have control over which Android apps
'auto-run' on my device.

~~~
dstaley
This is largely due to a limitation of Android itself. If your app wants to do
any sort of background task that's not tied to Google Cloud Messaging, it
needs to set up those background tasks. When your phone reboots, those tasks
are cleared. Many apps use the "run at startup" permission to receive a
notification from the system when startup has completed. It doesn't actually
mean the app is running in the background.

~~~
Cactus2018
Oh, I see. I was under the impression that these "Run at startup" apps were
using the opportunity to check-in, report telemetry, and the evil ones to
start GPS tracking.

~~~
caf
At least for the last you can go into Settings->Location and either revoke
location permissions entirely or at least make sure they're set to "Allowed
only while in use".

------
classics2
I’m confused a bit, why would allowing a double free of memory ever be a
desirable behavior?

------
mtgx
> _Prior to the Release of Android 10 we announced a new constrained sandbox
> for software codecs. We’re really pleased with the results. Thus far,
> Android 10 is the first Android release since the infamous stagefright
> vulnerabilities in Android 5.0 with zero critical-severity vulnerabilities
> in the media frameworks._

It wasn't mediatized, but there must have been like a new stagefright-like
media library bug every 2-3 months since stagefright was first publicized.
Glad to see this news.

Also, how are they enabling memory tagging if it's an Arm v8.5 feature and new
Arm CPUs, except for Apple's own chips, don't seem to support newer than Arm
v8.2? Is it just the software version of memory tagging (with some expected
performance penalty)?

~~~
pjmlp
Modern ARM chips are required for Android 11 versions.

https://security.googleblog.com/2019/08/adopting-arm-memory-tagging-extension.html

https://source.android.com/devices/tech/debug/tagged-pointers

~~~
saagarjha
You've mentioned this before but as far as I am aware there are no chips
shipping with MTE, and the links you provided don't support this point either.
Even if MTE somehow starts shipping tomorrow I cannot see Google dropping
support for every device that is older or cheaper than the one flagship
that'll use it.

~~~
pjmlp
The official statement is from Google and ARM, not from me.

From my links above, the TL;DR snippets are

> Google is committed to supporting MTE throughout the Android software stack.
> We are working with select Arm System On Chip (SoC) partners to test MTE
> support and look forward to wider deployment of MTE in the Android software
> and hardware ecosystem.

> Starting in Android R, for 64-bit processes, all heap allocations have an
> implementation defined tag set in the top byte of the pointer on devices
> with kernel support for ARM Top-byte Ignore (TBI). Any application that
> modifies this tag is terminated when the tag is checked during deallocation.
> This is necessary for future hardware with ARM Memory Tagging Extension
> (MTE) support.

And from https://android-developers.googleblog.com/2020/02/Android-11-developer-preview.html

> We’re also enabling heap pointer tagging for apps targeting Android 11 or
> higher, to help apps catch memory issues in production. These hardening
> improvements may surface more repeatable/reproducible app crashes in your
> code, so please test your apps.

For the chips without MTE they plan to configure the kernel to randomly target
processes for fuzzing.

https://android-developers.googleblog.com/2020/04/android-11-developer-preview-3.html

https://developer.android.com/ndk/guides/gwp-asan

> GWP-ASan heap analysis - Android 11 uses a variety of tools to harden
> security-critical components in the platform and apps. In DP3, we’re adding
> GWP-ASan as another way to help developers find and fix memory safety
> issues. GWP-ASan is a sampling allocation tool that detects heap memory
> errors with minimal overhead or impact on performance. We’ve enabled GWP-
> ASan to run by default in platform binaries and system apps, and now you can
> enable it for your apps as well. If your app uses native code or
> libraries, we recommend enabling GWP-ASan and testing as soon as possible.

> GWP-ASan is enabled on some randomly-selected system applications and
> platform executables upon process start-up (or when the zygote forks)

And from ARM official communication, https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety

> Only recently, Google announced that it is adopting Arm’s MTE in Android.
> This is exciting news, with Google showing its continued commitment to
> security in the Android ecosystem. It also shows the strength of our MTE
> offering, with the article stating that the technology makes “it very hard
> (if not impossible) to exploit memory bugs.” Alongside the security
> benefits, the disruption caused by not addressing memory safety bugs reduces
> user satisfaction and increases the cost of software development. With all
> these threats to the Android Ecosystem, you can understand why Google has
> made the commitment to MTE!

So those are the words from Google's Android team and ARM, whatever ARM CPUs
are being shipped, or alternative CPUs that Android devices might still adopt
or be using.
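
The tagged-pointers quote above says the tag sits in the top byte of every heap pointer and is checked when the chunk is deallocated. As an added example (not Android's, Scudo's or pjmlp's code), the C program below simulates that scheme in software on a 64-bit host. The allocator stores a tag in bits 56..63 of each returned pointer and, on free, compares the tag the pointer carries with the tag it expects for that chunk. Assumptions of the demo: the tag is derived from the chunk address (Android's tag value is implementation-defined), the check returns a code instead of killing the process, and the `untag()` helper strips the tag before any dereference because on x86-64 a pointer with a non-zero top byte is non-canonical and faults. On an AArch64 CPU with TBI that step is unnecessary, since loads and stores ignore the top byte; an app that "cleans" pointers this way and then frees the cleaned pointer is exactly what the deallocation check catches.

```c
/* 64-bit only: the tag occupies the top byte of the pointer. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TAG_SHIFT 56
#define TAG_MASK  (0xFFULL << TAG_SHIFT)

enum tagged_free_result { TFREE_OK = 0, TFREE_TAG_MISMATCH = 1 };

static uint64_t as_u64(const void *p) { return (uint64_t)(uintptr_t)p; }

/* Tag derived from the chunk address (a demo assumption). Never 0, so an
   untagged pointer fails the check as well. */
static uint8_t expected_tag(const void *base)
{
    uint64_t a = as_u64(base) >> 4;
    uint8_t t = (uint8_t)(a ^ (a >> 8) ^ (a >> 16) ^ (a >> 24));
    return t ? t : 1;
}

/* With hardware TBI the CPU ignores the top byte on loads and stores; where
   this demo runs the tag must be stripped before any access. */
void *untag(const void *p) { return (void *)(uintptr_t)(as_u64(p) & ~TAG_MASK); }

uint8_t tag_of(const void *p) { return (uint8_t)(as_u64(p) >> TAG_SHIFT); }

void *tagged_malloc(size_t n)
{
    void *base = malloc(n);
    if (!base) return NULL;
    return (void *)(uintptr_t)(as_u64(base) | ((uint64_t)expected_tag(base) << TAG_SHIFT));
}

/* The check performed on deallocation: the tag carried by the pointer must
   equal the tag the allocator set. Returns a code so the outcome can be
   observed; Android 11 terminates the process instead. */
enum tagged_free_result tagged_free(void *p)
{
    void *base = untag(p);
    if (tag_of(p) != expected_tag(base))
        return TFREE_TAG_MISMATCH;
    free(base);
    return TFREE_OK;
}

/* Well-behaved: keeps the pointer as returned; ordinary pointer arithmetic
   inside the allocation leaves the top byte intact. */
enum tagged_free_result demo_honest_user(void)
{
    char *buf = tagged_malloc(64);
    char *mid = buf + 32;                 /* tag survives the arithmetic */
    ((char *)untag(mid))[0] = 'x';        /* strip only for the access */
    return tagged_free(mid - 32);         /* TFREE_OK */
}

/* Buggy: the app "cleans" the pointer (or squeezed it through a 56-bit field)
   and hands the allocator a pointer whose tag no longer matches. */
enum tagged_free_result demo_tag_modified(void)
{
    void *p = tagged_malloc(64);
    void *damaged = untag(p);             /* top byte is now 0 */
    enum tagged_free_result r = tagged_free(damaged);
    if (r != TFREE_OK) free(damaged);     /* clean up after the refused free */
    return r;                             /* TFREE_TAG_MISMATCH */
}

int main(void)
{
    printf("honest user  -> %d\n", demo_honest_user());
    printf("tag modified -> %d\n", demo_tag_modified());
    return 0;
}
```

The point of the exercise is the class of bug it surfaces: any code that stores a pointer in fewer than 64 bits, masks its high bits, or reconstructs it from an integer will free a pointer with the wrong tag, and on a TBI-enabled Android 11 device that is a crash rather than silent corruption.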

~~~
saagarjha
Right, all those seem to point to greater MTE support and hardware tagging
when available. But I don’t think any claim that Android 11 _requires_ a new
chip to be supported?

~~~
pjmlp
Maybe it is my lack of native English understanding, but I read sentences like
this one, "Only recently, Google announced that it is adopting Arm’s MTE in
Android.", differently than you do.

It doesn't make sense adopting support for non-existing hardware.

~~~
saagarjha
Ah, I see the confusion. I interpreted
https://news.ycombinator.com/item?id=23695227
as “this is a requirement of Android 11 and as such you can’t run the OS at
all if you don’t have the new hardware supporting it”.

~~~
pjmlp
That as well, from Android documentation I understand this,

> GWP-ASan is enabled on some randomly-selected system applications and
> platform executables upon process start-up (or when the zygote forks).
> Enable GWP-ASan in your own app to help you find memory-related bugs, and to
> prepare your app for ARM Memory Tagging Extension (MTE) support. The
> allocation sampling mechanisms also provide reliability against queries of
> death.

As a stop-gap solution until MTE is widespread across all Android devices.
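
The quoted GWP-ASan description says "sampling allocation tool" and "minimal overhead"; the two ideas behind that are shown in the added C example below, which is not GWP-ASan's code and not from Android. Most allocations go to the normal heap untouched. A sampled few are placed at the very end of a writable page that is followed by a PROT_NONE guard page, so a write one byte past the end faults immediately, and the chunk is unmapped on free, so a later use-after-free faults too. Constructed for the demo: sampling every 1000th allocation (GWP-ASan draws a random interval), a pool of 16 live guarded chunks, and a SIGSEGV/SIGBUS harness whose only purpose is to turn the fault into a return value so it can be asserted on; in a real process the crash and its report are the point.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAX_GUARDED 16                  /* constructed pool size for live guarded chunks */
static unsigned g_sample_rate = 1000;   /* constructed: 1 in 1000 allocations is guarded */
static unsigned g_alloc_counter;
static struct { unsigned char *region; void *ptr; } g_guarded[MAX_GUARDED];

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

static int guarded_slot(const void *p)
{
    for (int i = 0; i < MAX_GUARDED; i++)
        if (p && g_guarded[i].ptr == p) return i;
    return -1;
}

/* Chunk sits at the end of a writable page followed by a PROT_NONE guard page.
   Alignment is ignored here; GWP-ASan right-aligns to the requested alignment. */
void *guarded_malloc(size_t size)
{
    size_t page = page_size();
    int slot = -1;
    for (int i = 0; i < MAX_GUARDED && slot < 0; i++)
        if (!g_guarded[i].ptr) slot = i;
    if (slot < 0 || size == 0 || size > page) return NULL;
    unsigned char *region = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return NULL;
    if (mprotect(region + page, page, PROT_NONE) != 0) { munmap(region, 2 * page); return NULL; }
    g_guarded[slot].region = region;
    g_guarded[slot].ptr = region + page - size;
    return g_guarded[slot].ptr;
}

/* Unmapping on free means a later use-after-free of this chunk faults as well. */
void guarded_free(void *p)
{
    int slot = guarded_slot(p);
    if (slot < 0) return;
    munmap(g_guarded[slot].region, 2 * page_size());
    g_guarded[slot].region = NULL;
    g_guarded[slot].ptr = NULL;
}

/* Sampled front end: every g_sample_rate-th allocation goes to the guarded
   pool; everything else uses the normal heap at zero extra cost. */
void *sampled_malloc(size_t size)
{
    if (++g_alloc_counter % g_sample_rate == 0) {
        void *p = guarded_malloc(size);
        if (p) return p;                /* pool full: fall back to the normal heap */
    }
    return malloc(size);
}

void sampled_free(void *p) { if (guarded_slot(p) >= 0) guarded_free(p); else free(p); }

/* Harness only: catch the fault the guard page raises and report it as a value. */
static sigjmp_buf g_jump;
static void on_fault(int sig) { (void)sig; siglongjmp(g_jump, 1); }

int faults(void (*fn)(char *), char *arg)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 0;
    if (sigsetjmp(g_jump, 1) == 0) fn(arg); else faulted = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

static void write_last_byte(char *p) { ((volatile char *)p)[15] = 'X'; }  /* in bounds of 16 */
static void write_one_past(char *p)  { ((volatile char *)p)[16] = 'X'; }  /* off-by-one */

int demo_in_bounds_write(void)          /* 0: no fault */
{
    char *p = guarded_malloc(16);
    int f = faults(write_last_byte, p);
    guarded_free(p);
    return f;
}

int demo_overflow_write(void)           /* 1: the guard page caught it */
{
    char *p = guarded_malloc(16);
    int f = faults(write_one_past, p);
    guarded_free(p);
    return f;
}

int demo_sampling_count(void)           /* 3: 3000 allocations at 1 in 1000 */
{
    enum { N = 3000 };
    static void *ptrs[N];
    int guarded = 0;
    g_alloc_counter = 0;
    for (int i = 0; i < N; i++) {
        ptrs[i] = sampled_malloc(24);
        if (guarded_slot(ptrs[i]) >= 0) guarded++;
    }
    for (int i = 0; i < N; i++) sampled_free(ptrs[i]);
    return guarded;
}

int main(void)
{
    printf("in-bounds write faulted:  %d\n", demo_in_bounds_write());
    printf("off-by-one write faulted: %d\n", demo_overflow_write());
    printf("guarded out of 3000:      %d\n", demo_sampling_count());
    return 0;
}
```

Because only sampled allocations pay for two pages of address space and a syscall, the overhead stays negligible while, across a large fleet of devices, enough allocations are sampled that a recurring bug is eventually caught with a precise crash report; that is the trade-off the quoted text is describing.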

------
mrbonner
I don’t much like the Apple ecosystem, but I have to say that the best
decision I made technically was to switch to an iPhone 7 Plus 3 years ago
after years of Android (since the T-Mobile G1, the first Android phone ever). I said
goodbye to a lot of customizations but at the same time regained my sanity from
battery life, slowness and absurd support timelines.

~~~
lucb1e
> at the same time regained my sanity from battery life, slowness and absurd
> support timelines

If the phone had bad battery life or was slow to begin with, don't buy it. If
it doesn't and it suddenly appears while you're using it... that's user error.

Support: I'm really not sure what kind of support you're expecting, I assume
not "how do I take a screenshot" kind of support. I once returned a phone for
warranty but the support delay on that was the time it took me to look up a
few website pages if I remember correctly. Is that what you mean? Or maybe
it's about how long the warranty process takes: it took almost 2 weeks to
repair it for me (from the day of dropping off until the day I could use it
again), that is indeed quite long for a fairly essential device, but that
seems to be the standard for any laptop or phone (unless you bought a service
contract, which I guess one implicitly does with Apple given its pricing).

~~~
mrbonner
For the support I meant the security and OS patches X years after the phone was
released. My wife's iPhone 6s is still receiving iOS updates at this time. Now
try that with the most expensive Android flagship. I don’t care if it comes from
Samsung, LG or Google, I could always argue against you!

~~~
harpratap
But you also paid 2x more for it, so it evens out. For instance:

Pixel 4 is 74000JPY with 3 years of updates = 24667JPY/year

Galaxy S20 is 78000JPY with 4 years of updates = 19500JPY/year

iPhone 11 Pro is 120000JPY with 5 years of updates = 24000JPY/year

------
gcbw3
> we did all that work on the OS but kept the GoogleService thing that is a
> systemapp+kernelmodule+backdoor on top so we can continue to serve our users
> as they want, with more relevant ads.

~~~
tpush
Can we stop this 4chan style sarcastic comment with zero insight, please? I
really don't want to see HN turn into 4chan or reddit or whatever.

