Google has started to outline the security enhancements on offer in Android Nougat, known as Android 7.x when it started appearing as an upgrade for millions of current handsets from August 2016 onwards. These turn out to be significant, which makes Nougat the most significant security overhaul the platform has ever received in a single jump.

The catch is that not all handsets are marked to get it.  Those that will include Google’s own Nexus 5x, 6/6p plus Pixel C series. For other vendors, most handsets will get the upgrade as long as they aren’t more than a year old and run the necessary class of ARM microprocessors.

google android toys

In terms of security, Android 7.x tweaks some features that appeared on Android M (v6.x) in October 2015 but also adds a few new elements, especially for business users, one of Google’s big target markets. In the past, Google tended to leave some security innovation to partners such as Samsung, which came up with innovations such as Knox to ease BYOD but these days the music has changed. At some point Google decided that it needed to drive security in Android more rapidly than has been the case up to now.

Direct boot– faster access to basic functions

Booting an encrypted Android handset has hitherto been a slow and clunky business in which the user enters a PIN code to unlock the encryption during the boot process followed (if set) by a second screen lock PIN or unlock code or pattern. Only then is the phone ready to use.

The drawback was that access to apps was all or nothing. Android 7.x speeds access to basic functions such as phone and alarm clock by separating storage into two areas, ‘device protected’ storage and ‘credential protected’ storage. An app engineered to use the former can make some core functions available very rapidly without a PIN; apps accessing credential storage still require the decryption PIN as normal.

Direct boot also benefits the installation of updates – see below.

Encryption support

Mandatory encryption support was introduced with Android 5.x (Marshmallow) in 2014, which in Android 6.x added support for ARM’s Trustzone hardware integrated into recent ARM microprocessors to more securely store encryption keys in a way that ties them to the device and user. This hardware support is now mandatory for Android 7.x devices which is why some older ones won’t get the new OS.

Moving to file-based encryption from the full-disk encryption of older versions is a significant upgrade and makes direct boot possible (see previous section). However, one drawback is that most current handsets will need to install this from scratch, requiring a complete data and app reset.

Overhauled MediaServer – goodbye to StageFright

Remember the Android security flaws collectively dubbed Stagefright? Discovered by different researchers during 2015 these were serious remote execution vulnerabilities connected to the way Android the libStageFright mechanism from 2.2 onwards processes media content such as MMS messages and video as soon as messages are opened. 

Google has completely rewritten this part of Android using a mixture of sandboxing privileges, process modularisation and integer overflow detection, essentially a way of breaking down the playing of media into layers that are harder for attackers to undermine in sequence. 

Android 7.0: why Nougat is Google's biggest mobile security overhaul yet

System Updates

Over-the-Air (OTA) updating has received a timely revamp so that these install more rapidly (the lengthy app optimizing step is said to gone); system updates can also be installed in the background without interrupting the user or stopping them form using the device although this requires 2016 handsets with Nougat-specific firmware such the Google Pixel.

Given that Android is now patched on a monthly cycle, background updating should stop the whole process become a major labour for end users.

Integrated VPN security for Google handsets

Not strictly part of Android 7.0 but Google recently announced that Wi-Fi Assistant, a key feature of the firm’s Project Fi service, would be made available to all users of Nexus and Pixel smartphones (running Android 5.1 or later) across the UK, parts of Europe and the US.

Unfamiliar it might be to most users but WiFi Assistant is a big deal because it is in effect an integrated VPN that quietly directs connections through open WiFi hotspots through Google’s servers. This adds a layer of security that would normally cost users a monthly subscription fee and underlines the way that VPN technology is rapidly becoming a standard feature (Opera’s browser also integrates a free VPN).

Network admins managing in-house VPNs can opt out of WiFi assistant.  

App security tweaks

Apps face a lot more restrictions in what they can do. For example, Android 7.0 should make it impossible for apps to elevate privileges by tricking users using dialog overlays over legitimate permission requests.  Similarly, apps can no longer capture device identifiers such as hardware MAC addresses.

Ransomware apps that hijack the lockscreen should be a thing of the past as even apps with admin status will no longer be able to do this. Apps also face restrictions on the folders they can access.

Android 7.0: why Nougat is Google's biggest mobile security overhaul yet

Android for Work enhancements

Organisations subscribing to Android for Work will benefit from several new security features, including an ‘always-on’ VPN (i.e. one the end user can’t bypass), a special new ‘work’ mode which deactivates work-oriented apps after hours, and the ability to set different passcodes or PINs to protect work and personal data.

There is also better identification of work and personal calls based on improved business directory integration. The intention in future is that work and personal phone lines will be separated for VoIP applications.

Conclusion – is better good enough?

As good as many of these features look on paper, it remains the case that most Android users won’t benefit from them because their handsets aren’t recent enough. It’s a minor paradox. The more rapidly Google improves security, the more fragmented the whole platform’s security becomes across even recent versions which makes managing security harder for organisations looking after several versions at once.

But make no mistake, Android 7.0 represents a worthy step up. Someone at Google has been paying attention.

Android 7.0: why Nougat is Google's biggest mobile security overhaul yet