Android Oreo rollback protection prevents hackers from exploiting past vulnerabilities

Device manufacturers can add the protection to new devices to better safeguard user data.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • An Android Oreo feature called rollback protection prevents a device from turning on if it has been downgraded to an older version that might contain a security vulnerability.
  • Android's security team recommends all device manufacturers add rollback protection to new devices.

Security has long been a sore point for enterprise Android users, but Google has taken steps to improve security in the OS with Android Oreo. In a Wednesday blog post, the firm detailed a feature called rollback protection, which prevents a device from starting up if it has been downgraded to an older OS version that may contain security vulnerabilities.

This means that if your business phone is stolen, it will be more difficult for a hacker to leverage security flaws found in a previous version of the OS and access your data. This could add peace of mind for IT professionals managing Android devices in the workplace.

While rollback protection is part of Android Oreo, it is up to the individual manufacturers of Android devices to enable the feature, as noted by our sister site ZDNet.

Rollback protection is part of Android Verified Boot 2.0 (AVB), designed to stop devices from starting up with software that has been altered by hackers, according to the blog post from security team member Gian G. Spicuzza. AVB runs with Project Treble, a "major re-architect" of the Android OS framework meant to make it easier for manufacturers to update to new versions of the OS.
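
A simplified model of the check described above, added here as an illustration and not taken from Google's post or from the AVB source: each signed image carries a rollback index, the bootloader compares it with a minimum kept in tamper-evident storage, and that minimum is only ever raised. All type and function names, the number of counters, and the step that raises the minimum only after a successful boot are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_LOCATIONS 4 /* assumed number of rollback counters */

typedef enum { BOOT_OK, REJECT_SIGNATURE, REJECT_LOCATION, REJECT_ROLLBACK } verdict;

/* Constructed model of tamper-evident storage: lowest acceptable index per counter. */
typedef struct { uint64_t min_index[NUM_LOCATIONS]; } secure_store;

/* Constructed model of the signed metadata shipped with one image. */
typedef struct { size_t location; uint64_t rollback_index; bool signature_ok; } image_meta;

/* Phase 1: decide whether to boot. Never writes to the store. */
verdict verify_slot(const secure_store *s, const image_meta *imgs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!imgs[i].signature_ok) return REJECT_SIGNATURE;
        if (imgs[i].location >= NUM_LOCATIONS) return REJECT_LOCATION;
        /* An older image is refused even though its signature is valid. */
        if (imgs[i].rollback_index < s->min_index[imgs[i].location])
            return REJECT_ROLLBACK;
    }
    return BOOT_OK;
}

/* Phase 2: once the OS has booted successfully, raise counters (never lower). */
void commit_after_boot(secure_store *s, const image_meta *imgs, size_t n) {
    if (verify_slot(s, imgs, n) != BOOT_OK) return;
    for (size_t i = 0; i < n; i++)
        if (imgs[i].rollback_index > s->min_index[imgs[i].location])
            s->min_index[imgs[i].location] = imgs[i].rollback_index;
}

/* Scenario: boot an old build, update to a patched one, then try to downgrade. */
verdict downgrade_after_update(void) {
    secure_store s = { {0} };
    image_meta old_build[] = { {0, 3, true}, {1, 3, true} };
    image_meta new_build[] = { {0, 5, true}, {1, 5, true} };
    verdict v = verify_slot(&s, old_build, 2);
    if (v != BOOT_OK) return v;
    commit_after_boot(&s, old_build, 2);
    v = verify_slot(&s, new_build, 2);
    if (v != BOOT_OK) return v;
    commit_after_boot(&s, new_build, 2);
    return verify_slot(&s, old_build, 2); /* the old build is now refused */
}

int main(void) { return downgrade_after_update() == REJECT_ROLLBACK ? 0 : 1; }
```

The point the model makes is that a valid signature is not enough: the old build was genuinely signed, yet it is rejected once the stored minimum has moved past it.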

However, Project Treble is only supported on new devices, rather than those that are upgraded to Android Oreo, ZDNet noted.

"Pixel 2 and Pixel 2 XL come with this protection and we recommend all device manufacturers add this feature to their new devices," Spicuzza wrote in the post.

Android also explained a host of other security upgrades with Oreo, including some for enterprise-managed devices. Encryption keys in work profiles are now erased from RAM when the profile is off, or when a company administrator remotely locks the profile, to better secure company data.

Another feature, called OEM Lock Hardware Abstraction Layer (HAL), allows manufacturers to decide how they protect devices. For example, Spicuzza wrote, new Pixel phones use this HAL to send commands to a bootloader, which analyzes them the next time the device starts up to see if any changes to locks have occurred. "If your device is stolen, these safeguards are designed to prevent your device from being reset and to keep your data secure," Spicuzza wrote.

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
