The state of mobile security seems to constantly be on the defensive side of the game. Half of the time, we’re checking threats against paid-for “research” that happens to be generated by one of the many companies selling protection for our devices. But the truth is, if you’re installing apps only from the Google Play Store — and watching the permissions listing as you install — you should be safe from harm.
However, the court of public opinion demands much more in the realm of security. That is why Google is taking the issue very seriously, and with the release of Android 5.0 — Lollipop — the ecosystem will enjoy unheard-of security in a mobile environment.
The new security system begins with the kernel and ends with the lock screen.
Yes, there are many sub-systems in place that lie under the hood. One such addition is Security Enhanced Linux (SELinux). If you’re unfamiliar with this system, SELinux is a kernel module that provides a mechanism for supporting access control security policies. In effect, this moves the security of the system to the kernel level. SELinux was developed by the National Security Agency and was released into the mainline Linux kernel in 2003. It does an outstanding job of limiting the privileges of applications to prevent security breaches on a system, and it has been a major factor in helping Linux to achieve a level of security no other platform has reached. Starting with Android 5, mobile users will enjoy a similarly secured platform.
Beyond SELinux, the next step in securing Android lies in encryption. For quite some time, file system encryption has been available on Android, but it was buried in the system settings and disabled by default. Starting with Lollipop, on every first run of an Android device, the system will prompt the user to enable encryption. All users would be wise to turn this system on. That encryption is an important step on the road to security. If you have a device that is upgrading to Lollipop, I highly recommend you go through the process of encrypting your data.
The user will also see some major security enhancements — ones that try very hard to protect user data and make sure the additional security doesn’t get in the way of the experience. One way they achieve this is through Smart Lock, which will enable you to configure your device to unlock in the presence of a particular Bluetooth device, NFC tag, or Wi-Fi network. Google has taken a new approach to authentication and sees it as much a service as a mechanism.
The endgame for this could easily make for one of the single most secure mobile platforms available. Imagine a device only unlocking with both a PIN and the presence of an NFC tag. This security will also work in conjunction with ChromeOS — a feature that has been reported on quite a bit. That type of dual-layer, cross-platform security is now more than a proof of concept, and Google will be the one to deliver a truly secure mobile experience like no other.
We now have proof that security innovation can occur without limiting the usability of a device. In the end, what this means is that the Android platform will be secure out of the box — no third-party software or service need apply. Honestly, these added layers of security come at the perfect time. With Android being the most widely used platform on the planet, security issues are going to continue to rise. Fortunately, Google knows how to up the ante without adding barriers to entry for the user.
End users don’t want to have to concern themselves with securing their mobile platform. The more Google can do to remove users from the equation, the better off Android will be. SELinux will go a long way to enhance the security of the platform. However, users won’t be completely off the hook. A smartphone without a lock screen set up is nothing more than an invitation for data theft. So, even with all of the enhancements, the user will still have to take a few steps to secure their data… only with Android 5, those steps will be fewer and simpler.
What do you think? Is Google on the right path with Lollipop — or do you think the only possible route to a truly secure platform is completely removing the end user from the equation? Share your thoughts in the discussion thread below.