Google to roll out February Android Security Updates for Nexus Devices

Google recently announced that it will be rolling out the February security OTA (over-the-air) updates for its Nexus line of phones, starting with the Nexus 7, Nexus 5, Nexus 6, Nexus 5X and Nexus 6P.


Google addressed a critical security hole that could enable remote code execution on an affected Nexus device via email, web browser and MMS during media file processing. There was also a vulnerability in the Broadcom Wi-Fi driver. The update fixes a total of five critical security vulnerabilities, two of which are in the Android Mediaserver. Four high-level and one moderate-level security vulnerabilities have been patched by the update as well.

The moderate-level vulnerability is in the setup wizard, where an attacker can bypass factory reset protection and gain control of the device. The only reason it is marked as moderate is that it requires the attacker to have physical access to the Nexus device.

The update is identified as Android 6.0.1 Marshmallow, build number MMB29Q. Google also assured that these vulnerabilities are not being exploited as of now, but strongly recommends updating the device.

Source: 1

Google makes secure boot and full-disk encryption mandatory for Android 6.0 devices

Google has been making changes to its standards since the Android 6.0 Marshmallow release. First came the requirements for fingerprint sensors; now it requires all Android devices to have secure boot and full-disk encryption before they can be declared Android 6.0 compatible.


It is also mentioned that if the device has an Advanced Encryption Standard (AES) performance rating of 50MB/s or above, full-disk encryption must be enabled by default at the time of initial setup. By doing so, the device can verify the integrity and authenticity of the apps during the boot sequence and prevent boot-level attacks that bypass encryption. The document also specifies using AES keys of 128 bits or more, not storing keys on the storage and never transmitting the encryption key off the Android 6.0 device.

The changes are now part of the updated Android Compatibility Definition Document.

Google did try this with the previous generation Android 5.0 OS ‘Lollipop’, but decided to roll back due to performance issues with some Android devices.
If a prospective Android device does not pass the 6.0 requirements, it will not have access to the Google Play Store or any of its apps. With a series of requirements for both software and hardware, this should help keep the innumerable phone manufacturers in check.

There is an exception: devices with less than 512MB RAM and no secure lock screen can opt out of full-disk encryption.

Source: 1

Google releases fingerprint sensor requirement for Android 6.0

The device we tested has a fingerprint sensor. In case you haven't read the review, the sensor works pretty well and is accurate. The Coolpad Note 3 hasn't received a Marshmallow update as of yet, but Google has released a new set of requirements for phone manufacturers to comply with when it comes to the fingerprint sensor.

This is a part of the now updated Marshmallow Compatibility Definition Document (CDD).


They are as follows:

Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:

  • MUST declare support for the android.hardware.fingerprint feature.
  • MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].
  • MUST have a false acceptance rate not higher than 0.002%.
  • Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.
  • MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.
  • MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
  • MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].
  • MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.
  • MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
  • MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
  • MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.
  • SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.
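To see what the rate-limit and false-acceptance requirements above mean together, here is an added example (not code from Google or the CDD) that models the lockout rule and bounds the chance of a false accept over a time window. The class and function names, the 1-second-per-trial figure, and the choice to reset the failure counter on a successful match are assumptions made for illustration.

```python
# Added example: model of the CDD lockout rule and the exposure it leaves
# at the worst permitted false acceptance rate. Names are hypothetical.
FAR_MAX = 0.002 / 100      # 0.002% false acceptance rate ceiling
MAX_FAILS = 5              # false trials before lockout
LOCKOUT_S = 30.0           # minimum lockout duration, seconds


class FingerprintThrottle:
    """Refuse matching for LOCKOUT_S seconds after MAX_FAILS failed trials."""

    def __init__(self):
        self.fails = 0
        self.locked_until = 0.0

    def attempt(self, now, matched):
        """Return 'locked', 'accepted' or 'rejected' for a trial at time now."""
        if now < self.locked_until:
            return "locked"            # trial never reaches the matcher
        if matched:
            self.fails = 0             # assumption: success resets the count
            return "accepted"
        self.fails += 1
        if self.fails >= MAX_FAILS:
            self.fails = 0
            self.locked_until = now + LOCKOUT_S
        return "rejected"


def max_trials(window_s, attempt_s=1.0):
    """Most matcher trials possible in window_s if each takes attempt_s."""
    throttle = FingerprintThrottle()
    now, trials = 0.0, 0
    while now < window_s:
        if throttle.attempt(now, matched=False) == "locked":
            now = throttle.locked_until    # wait out the lockout
            continue
        trials += 1
        now += attempt_s
    return trials


def false_accept_bound(window_s, far=FAR_MAX, attempt_s=1.0):
    """Probability of at least one false accept in window_s at rate far."""
    return 1.0 - (1.0 - far) ** max_trials(window_s, attempt_s)
```

Under these assumptions a device sitting exactly at both limits allows 530 trials in an hour, which puts the chance of at least one false accept at roughly 1%.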

Google Maps for Apple Watch rolled out

Thanks to Google, Apple Watch users have another choice for a map and navigation app. The company, known for Android OS among many things, released an update for its iOS Maps app which adds compatibility with the Apple Watch. This is the first release for the on-wrist product, and it should offer easy use and flexible access.


Would Apple mind? As long as it gives proper directions, everybody goes home happy. But to be fair, Apple Maps seems to have been improved from time to time. As one would expect, the information displayed on the Apple Watch will be minimalist at best.


There are also changes to Google Maps as displayed on phones, with a better navigational element along with other useful information such as the expected time to your destination.