Wednesday, July 20, 2016

What is Strictly Enforced Verified Boot in Android 7.0 Nougat?


As far as security is concerned, Google is getting much stricter with the newest version of its mobile operating system.

Until now, Google has done no more than alert you to potential threats when your Android device runs the check as part of the boot process.

Android Marshmallow 6.0 does nothing more than warn you that your device has been compromised, and then lets the device boot anyway.

1. Android Nougat 7.0 Getting Strictly Enforced 'Verified Boot'

In Android Nougat, Google has taken the security of its Android operating system to the next level by strictly enforcing verified boot on devices.

Among its multiple layers of security protection, Android has used verified boot since Android 4.4 KitKat; it improves device security by using cryptographic integrity checking to detect whether the device has been tampered with.

Now, Android Nougat will strictly enforce the boot check, giving you far more than just a warning.

2. Android 7.0 Verified Boot Protects Device from Rootkits and Malware

Enforcing verified boot on a device is a good idea.

If any malware or rootkit made its way onto your Android device and made deep system changes to critical kernel files, your device will either start in a limited-use mode (presumably similar to safe mode) or refuse to start at all, protecting your data.

In addition to strict verified boot, Android Nougat also features forward error correction that is capable of repairing some errors on devices without any user input.

And, of course, Nexus devices will be the first to get these features.

This will prevent your Android device from becoming a playground for malware and viruses, at least after you restart it.

That sounds really great. Right?

3. If Modified, Corrupt or Tampered, It Won't Let Your Phone Boot

For most users strict verified boot is helpful; for some, however, it's bad news.

According to Google, some non-malicious data corruption could cause Android devices to fail to boot, because the verified boot process runs into errors that it cannot correct.

This data corruption could be the result of some software flaws or hardware issues.

Here's what the Android Developer blog explains: "This means that a device with a corrupt boot image or verified partition will not boot or will boot in a limited capacity with user consent. Such strict checking, though, means that non-malicious data corruption, which previously would be less visible, could now start affecting process functionality more."

Corrupted data is not always malicious, yet even a single-byte error could prevent the device from booting.

However, Android Nougat brings additional code designed to protect against data corruption.

"In the changes we made to dm-verity for Android 7.0, we used a technique called interleaving to allow us to recover not only from a loss of an entire 4 KiB source block," reads the blog, "but several consecutive blocks, while significantly reducing the space overhead required to achieve usable error correction capabilities compared to the naive implementation."
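As an added illustration (not code from the article or from the Android project) of the two mechanisms the post describes, here is a toy Python model of a block-hashed partition with interleaved parity: per-block hashes detect any tampering, interleaving lets a simple XOR parity (a stand-in for the Reed-Solomon code Android's dm-verity actually uses) rebuild a burst of consecutive 4 KiB blocks, and anything that cannot be repaired and re-verified is refused, as strict verified boot does. All function names and the constructed 12-block partition are assumptions.

```python
import hashlib
BLOCK = 4096  # dm-verity checks the partition in 4 KiB blocks

def sha(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def root_hash(hashes):  # stands in for the root hash fixed (and signed) at build time
    return sha(b"".join(hashes))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_parity(blocks, groups):
    """Interleaved parity (toy XOR stand-in for the real Reed-Solomon code): group g covers
    blocks g, g+groups, g+2*groups, ... so a burst of up to `groups` consecutive lost blocks
    touches every group at most once."""
    parity = [bytes(BLOCK)] * groups
    for i, b in enumerate(blocks):
        parity[i % groups] = xor(parity[i % groups], b)
    return parity

def verify_and_repair(blocks, hashes, parity, groups, expected_root):
    """Returns (status, blocks): 'ok' if all blocks verify, 'repaired' if bad
    blocks were rebuilt from parity and re-verified, else 'refuse' (strict
    verified boot: the device does not boot on unrecoverable corruption)."""
    if root_hash(hashes) != expected_root:
        return "refuse", blocks               # the hash list itself is untrusted
    bad = [i for i, b in enumerate(blocks) if sha(b) != hashes[i]]
    if not bad:
        return "ok", blocks
    repaired = list(blocks)
    for i in bad:
        g = i % groups
        if sum(1 for j in bad if j % groups == g) > 1:
            return "refuse", blocks           # two losses in one group: beyond XOR parity
        rebuilt = parity[g]
        for j in range(g, len(blocks), groups):
            if j != i: rebuilt = xor(rebuilt, blocks[j])   # fold in the intact group members
        if sha(rebuilt) != hashes[i]:
            return "refuse", blocks           # repair did not re-verify against the hash
        repaired[i] = rebuilt
    return "repaired", repaired

def demo(burst: int, groups: int = 4) -> str:
    """Constructed 12-block partition; corrupt `burst` consecutive blocks starting at block 5."""
    blocks = [sha(bytes([i])) * 128 for i in range(12)]   # 12 distinct 4 KiB blocks (constructed)
    hashes, parity = [sha(b) for b in blocks], make_parity(blocks, groups)
    damaged = [bytes([b[0] ^ 0xFF]) + b[1:] if 5 <= i < 5 + burst else b for i, b in enumerate(blocks)]
    status, fixed = verify_and_repair(damaged, hashes, parity, groups, root_hash(hashes))
    assert status == "refuse" or fixed == blocks  # whatever boots must equal the original image
    return status
```

With four interleaved groups a burst of up to four consecutive damaged blocks is repaired, while a five-block burst hits one group twice and the device refuses to boot rather than run unverified data.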

4. Verified Boot Has Made It Harder to Root Android 7.0 Nougat

As noted above, data corruption is not always due to malicious causes.

Strictly enforcing verified boot could also make it tougher for you to tweak your phone with custom firmware.

Since using custom firmware involves circumventing the locked bootloader, the verified boot process will detect those changes, making it harder for users to tinker with their devices once Nougat rolls out.

The bottom line:

Enforcing strict verified boot in Android Nougat is a good idea, because most users root their devices with custom firmware but forget to take important security measures, which leaves their devices open to malicious software and rootkits.

What do you think of the additional security Google provides to the boot process in Android Nougat?

Let us know your views in the comments below!



from The Hacker News http://ift.tt/29Udyb9
