Folks, this is bad. Very, very bad. Hackers and/or malicious insiders have leaked the platform certificates of several vendors. These are used to sign system apps on Android builds, including the "android" app itself. These certs are being used to sign malicious Android apps!
Why is that a problem? Well, it lets malicious apps opt into Android's shared user ID mechanism and run with the same highly privileged user ID as "android" - android.uid.system. Basically, they have the same authority/level of access as the Android OS process!
The post on the Android Partner Vulnerability Initiative issue tracker shared SHA256 hashes of the platform signing certificates and correctly signed malware using those certificates. Thanks to sites like @virustotal and @APKMirror, it's trivial to see who is affected...
In any case, Google recommends that affected parties should rotate the platform certificate, conduct an investigation into how this leak happened, and minimize the number of apps signed with the platform certificate, so that future leaks won't be as devastating.
Okay, so what are the immediate implications/takeaways for users?
- You can't trust that an app has been signed by the legitimate vendor/OEM if their platform certificate was leaked. Do not sideload those apps from third-party sites/outside of Google Play or trusted OEM store.
- This may affect updates to apps that are delivered through app stores if the OEM rotates the signing key, depending on whether or not that app has a V3 signature or not. V3 signature scheme supports key rotation, older schemes do not.
OEMs are not required to sign system apps with V3 signatures. The minimum signature scheme version for apps targeting API level 30+ on the system partition is V2.
Affected OEMs can still rotate the cert used to sign their system apps that have V2 signatures and then push an OTA update to deliver the updated apps. Then they can push app updates with that new cert, but devices that haven't received OTAs won't receive those app updates.
The leaked platform signing certificates can't be used to install compromised OTA updates, thankfully.
Google Play Protect can indeed mitigate this issue somewhat. Play Protect could flag apps signed by the leaked platform certificate as a potentially harmful application. Google Play already has a database of legitimate app releases from the legitimate vendor, after all.
End-to-end encryption for 1:1 chats became available for everyone mid-2021. At their I/O 2022 keynote earlier this year, Google said that end-to-end encryption for group chats would be enabled later this year.
Google has announced that Android 13 is the first Android release where the majority of new code is written in a memory safe language. About 21% of all new native code added to Android 13 is written in Rust.
Support for Rust was introduced in Android 12. There is now approximately 1.5 million total lines of Rust code for new AOSP components such as Keystore2, the Ultra-wideband stack, DNS-over-HTTP/3, the Android Virtualization Framework, and more.
The drop in memory safety vulnerabilities (223 in 2019 to 85 in 2022) and the severity of vulnerabilities overall have been credited to Google's shift away from memory unsafe languages. 2022 is the first year where memory safety vulnerabilities aren't a majority of Android vulns.
For December 2022's Android Feature Drop, Google is bringing:
- New styles in Google Photos' collage editor
- New holiday-themed emoji in Gboard's Emoji Kitchen
- A dedicated Reading Mode app
- New YouTube home screen search widget
(cont)
- Select a device to cast to from within the Google TV app
- Share your digital car key within Google Wallet with other Pixel and iPhone users (and soon users on other select phones running Android 12+)
- New Wear OS tiles (favorite contacts, sunrise/sunset) & updated Keep app
"What's new in Google System Updates" has been updated with Dec. 2022 changes. Notably:
* Beta support for adding a mobile driver's license issued by select US states to Google Wallet
* Inform the user if a tablet they're trying to cast to needs user interaction
At I/O 2022, Google said it was working with state govts. in the U.S. and around the world to bring mobile driver's license support to Google Wallet. This feature is finally launching, though we still don't know which states will support it first.
Android has been ready for mobile driver's licenses for some time now (Identity Credential API was added in Android 11), so this has been a long time coming. The challenge has primarily been regulatory/political.
Android's Bluetooth stack supports A2DP source and sink roles, but not both simultaneously. Most Android devices (apart from Automotive) are A2DP sources to stream audio to BT headphones. If you want to also be able to stream audio via BT *to* an Android device, what can you do?
(For context, A2DP is the "Advanced Audio Distribution Profile", the standard Bluetooth Classic profile used for streaming audio to remote devices.
A "source" device is where the audio originates, while a "sink" device is where the audio is played.)
The other day, I spotted this patch in AOSP that modifies Android's Bluetooth stack to support simultaneous A2DP source/sink functionality.
Google is working on making OTA updates faster. A new set of patches has been submitted to AOSP that speed up OTAs on devices that use the virtual A/B with compression update mechanism. Combined, these improvements bring a full OTA install time from ~23 minutes to ~13 minutes!
Android's OTA update mechanisms can get a bit confusing, but this article I wrote a few weeks back explains all of them (including the newer virtual A/B with compression that's used on Pixels and is being improved here!)