A couple days ago I came across a security conscious user who was quick to point out why a particular feature had to be added to APS, but failed to realise the fact that the problem wouldn’t even exist if they were running the latest version of Android (we’ll talk about the behavior change that fixed it later here).
Android upgrades bring massive changes to the platform, improving security against both known and unknown threats. You sign off that benefit when you buy into an incompetent OEM’s cheap phones, and it has become a bit too ’normal’ than anybody would prefer.
That’s not what we’re going to talk about, though. This post is going to be purely about privacy, and how it has changed, nay, improved, over the years of Android. My apps support a minimum of Android 6, so I will begin with the next version, Android 7, and go through Google’s release notes, singling out privacy related changes.
Android 7
Android 7 had a very passing focus on privacy and thus did not have a lot of obvious or concrete changes around it. Background execution limits introduced in Android 6 were improved in Android 7 to apply even more restrictions after devices became stationary, which can be loosely interpreted as ‘bad’ for data exfiltration SDKs that apps ship but in reality didn’t do much.
Android 8
Locking down background location access
In Android 8, access to background location was severely throttled. Apps received less frequent updates for location and thus couldn’t track you in real time.
Introduction of Autofill
The Android Autofill framework was debuted, along with support for Web form Autofill. This paved the way for password managers to fill fields for you without relying on hacked up accessibility services or the Android clipboard. This was a major win!
Better HTTPS defaults
Android 8.0’s implementation of HttpsURLConnection did not perform insecure TLS/SSL protocol version fallback, which means connections that failed to negotiate a requested TLS version would now abort rather than fall back to an older version of TLS.
ANDROID_ID changes
Access to the ANDROID_ID
field was changed significantly. It is generated per-app and per-signature as opposed to the entire system making it harder to fingerprint users who have multiple apps installed with the same advertising-related SDKs.
Android 9
Limited access to sensors
Beginning Android 9, background access to device sensors was greatly reduced. Access to microphone and camera was completely denied, and so was the gyroscope, accelerometer and other sensors of that class.
Granular call log access
For apps that need to access the user’s call logs for any reason, a new permission group was introduced. Now, you don’t require granting access to all phone-related permissions to let an app back up your call logs.
Restricted access to phone numbers
There are multiple ways to monitor phone calls on Android, and with the introduction of the CALL_LOG
permission group, these were locked down to only expose phone numbers to apps that were allowed explicit access to call logs.
Making Wi-Fi and cellular networks less privacy invasive
A combination of changes to what permissions apps require to know about your WiFi and how much personally identifiable data is provided by these APIs further improves your privacy against rogue apps. Disabling device location now disables the ability to get information on cell towers your phone is connected to.
No more serials
Requesting access to the device serial number now requires phone state permissions making it more explicit when apps are trying to fingerprint you.
Android 10
Scoped Storage
Probably the most controversial change in 10, Scoped Storage segregated the device storage into scopes and gave apps access to them without needing extra permissions.
Explicit background permission access
Android 10 introduces the ACCESS_BACKGROUND_LOCATION
permission and completely disables background access for apps targeting SDK 29 that don’t declare it. For older apps, the framework treats granting location access as effectively background location access. When the app upgrades to target SDK 29, the background permission is revoked and must be explicitly requested again.
Removal of contacts affinity
Beginning Android 10, the system no longer keeps track of what contacts you interact with most and thus search results are not weighted anymore.
MAC randomization enabled by default
Connecting to a Wi-FI network now uses a randomized MAC address to prevent fingerprinting.
Removal of access to non-resettable identifiers
Access to identifiers such as IMEI and serial was restricted to privileged apps which means apps served by the Play Store can no longer see them.
Restriction on clipboard access
This is the problem we first talked about. Apps before Android 10 could monitor clipboard events and potentially exfil confidential data like passwords. In Android 10 this was completely disabled for apps that were not in foreground or not your active input method. This change was made with no compatibility changes, which means even older apps would not be able to access clipboard data out of turn.
More WiFi and location improvements
Apps can no longer toggle WiFi or read a list of configured networks, and getting access to methods that expose device location requires the ACCESS_FINE_LOCATION
permission to make it obvious that an app is doing it. The last change also affects telephony related APIs, a full list is available here.
Permissions controls
Apps no longer have silent access to screen contents, and the platform now prompts users to disallow permissions for legacy apps that target Android 5.1 or below that would earlier be granted at install time. Physical activity recognition is now given its own permission and common libraries for the purpose like Google’s Play Services APIs will now send empty data when an app requests activity without the permissions.
Android 11 (tentative)
Storage changes
-
Apps targeting Android 11 are no longer allowed to opt out of scoped storage.
-
All encompassing access to a large set of directories and files is completely disabled, including the root of the internal storage, the
Download
folder, and the data and obb subdirectories of theAndroid
folder.
Permission changes
-
Location, microphone and camera related permissions can now be granted on a one-off basis, meaning they’ll automatically get revoked when the app process exits.
-
Apps that are not used for a few months will have their permissions automatically revoked.
-
A new
READ_PHONE_NUMBERS
permission has been added to call certain APIs that expose phone numbers.
Location changes
-
One time access is now an option for location, allowing users to not grant persistent access when they don’t wish to.
-
Background location needs to be requested separately now and asking for it together with foreground location will throw an exception.
Data access auditing
To allow apps to audit their own usage of user data, a new callback is provided. Apps can implement it and then log all accesses to see if there’s any unexpected data use that needs to be resolved.
Redacted MAC addresses
Unpriviledged apps targeting SDK 30 will no longer be able to get the device’s real MAC address.
Closing notes
As you can tell, improving user privacy is a constant journey and Android is doing a better job of it with every new release. This makes it crucial that you stay up-to-date, either by buying phones from an OEM that delivers timely updates for a sufficiently long support period, or by using a trusted custom ROM like GrapheneOS or LineageOS.