Google is committed to advancing racial equity for Black communities. See how.

Security Enhancements in Android 8.0

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 8.0:

  • Encryption. Added support to evict key in work profile.
  • Verified Boot. Added Android Verified Boot (AVB). Verified Boot codebase supporting rollback protection for use in boot loaders added to AOSP. Recommend bootloader support for rollback protection for the HLOS. Recommend boot loaders can only be unlocked by user physically interacting with the device.
  • Lock screen. Added support for using tamper-resistant hardware to verify lock screen credential.
  • KeyStore. Required key attestation for all devices that ship with Android 8.0+. Added ID attestation support to improve Zero Touch Enrollment.
  • Sandboxing. More tightly sandboxed many components using Project Treble's standard interface between framework and device-specific components. Applied seccomp filtering to all untrusted apps to reduce the kernel's attack surface. WebView is now run in an isolated process with very limited access to the rest of the system.
  • Kernel hardening. Implemented hardened usercopy, PAN emulation, read-only after init, and KASLR.
  • Userspace hardening. Implemented CFI for the media stack. App overlays can no longer cover system-critical windows and users have a way to dismiss them.
  • Streaming OS update. Enabled updates on devices that are are low on disk space.
  • Install unknown apps. Users must grant permission to install apps from a source that isn't a first-party app store.
  • Privacy. Android ID (SSAID) has a different value for each app and each user on the device. For web browser apps, Widevine Client ID returns a different value for each app package name and web origin. net.hostname is now empty and the dhcp client no longer sends a hostname. android.os.Build.SERIAL has been replaced with the Build.SERIAL API which is protected behind a user-controlled permission. Improved MAC address randomization in some chipsets.