Android 7.0 Nougat brought several new security features and enhancements from Google, including some complete re-tooling of certain systems and better encryption. There’s a ton to go over, so now that Nougat is officially out for some devices Google has written up a blog post detailing some of those new security features.
Some of the biggest changes come in the way that Android handles encryption in 7.0, which should mean a better experience for users, not just invisible under-the-hood tweaks. Direct Boot is a big feature that streamlines the encryption process to allow encrypted devices to reboot quicker and access core features (like your alarm clock or phone app) before decrypting the device. These features are available before you type your PIN in, so now your alarm won’t fail if your phone reboots in the middle of the night.
Google has also switched to file-based encryption instead of full-disk encryption, which means the system storage area and user data are encrypted separately instead of as one large encrypted block. This gives apps the ability to run in a core state without access to user data before decryption, pretty much identically to how Apple handles encryption on their iOS devices.
Nougat should also completely avoid the Stagefright attacks that were prevalent in older versions of Android. Google has rebuilt mediaserver, adding integer overflow sanitization and splitting the media stack into modular, sandboxed components, which should make things much more difficult to attack.
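To show the kind of bug integer overflow sanitization is aimed at, here is an added example (not Google's or Android's code) of a size calculation that wraps in 32 bits, next to a version that rejects the input. The table layout, function names and sample bytes are hypothetical and constructed for illustration, and the explicit check stands in for the compiler instrumentation, which stops the process when such an overflow happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 32-bit field, as media container formats commonly store them. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked: the 32-bit product wraps silently, so a huge claimed table
   can come out looking like a tiny one. */
uint32_t table_bytes_unchecked(uint32_t count, uint32_t entry_size) {
    return count * entry_size;
}

/* Hypothetical layout: [count:4][entry_size:4][entries...].
   Returns 0 and stores the payload size in *out, or -1 when the header is
   truncated, the product overflows, or it claims more bytes than are present. */
int table_bytes_checked(const uint8_t *buf, size_t len, uint32_t *out) {
    uint32_t total;
    if (len < 8)
        return -1;
    if (__builtin_mul_overflow(be32(buf), be32(buf + 4), &total))
        return -1;                      /* overflow: refuse to continue */
    if (total > len - 8)
        return -1;                      /* claims more data than exists */
    *out = total;
    return 0;
}

/* Constructed inputs. GOOD: 2 entries of 3 bytes. WRAP: 0x20000001 entries
   of 8 bytes, whose product wraps to 8, exactly the payload present, so a
   bounds check on the wrapped value alone would accept it. */
const uint8_t GOOD[14] = { 0,0,0,2, 0,0,0,3, 1,2,3,4,5,6 };
const uint8_t WRAP[16] = { 0x20,0,0,1, 0,0,0,8, 0,0,0,0,0,0,0,0 };

int main(void) {
    uint32_t n = 0;
    printf("unchecked WRAP size: %u\n",
           table_bytes_unchecked(be32(WRAP), be32(WRAP + 4)));
    printf("checked GOOD: %d\n", table_bytes_checked(GOOD, sizeof GOOD, &n));
    printf("checked WRAP: %d\n", table_bytes_checked(WRAP, sizeof WRAP, &n));
    return 0;
}
```

The overflow check has to come before the bounds check: the wrapped value for WRAP passes a bounds check on its own.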
Android’s permissions system also gets some tweaks, including small changes that make things better for users and better guidelines for developers to guarantee that user privacy is secured. Apps won’t have access to persistent device identifiers like a WiFi MAC address anymore, and apps can no longer draw an interface box over Android’s permissions window. Apps can’t change your lock screen anymore, either.
System updates are much more streamlined in Nougat, working pretty similarly to how updates work on a Chromebook. OTA updates will be downloaded in the background so you can continue to use your device until you reboot, at which point the update will be applied to the system partition. The process should be much smoother and quicker now, and thanks to the new JIT compiler you won’t have to sit through the “Android is upgrading” dialog on reboot.
Security is often overlooked in favor of design changes and new features, but it’s just as important as everything else in a major new operating system. All of these changes are welcome additions to Android and should hopefully keep newer devices running smoothly over the next few years.
source: Google Security Blog