A couple days ago I tweeted this out, partly in response to a security conscious user who was quick to point out why a particular feature had to be added to APS, but failed to realise the fact that the problem wouldn’t even exist if they were running the latest version of Android (we’ll talk about the behavior change that fixed it later here).
Something that I shouldn't have to be saying: Being concerned about your security and then using a 4 year old version of Android can't really go hand in hand.— Harsh Shandilya (@msfjarvis) July 21, 2020
I completely stand by what I said, and for good reason. Android upgrades bring massive changes to the platform, improving security against both known and unknown threats. You sign off that benefit when you buy into an incompetent OEM’s cheap phones, and it has become a bit too ‘normal’ than anybody would prefer.
That’s not what we’re going to talk about, though. This post is going to be purely about privacy, and how it has changed, nay, improved, over the years of Android. My apps support a minimum of Android 6, so I will begin with the next version, Android 7, and go through Google’s release notes, singling out privacy related changes.
Android 7 had a very passing focus on privacy and thus did not have a lot of obvious or concrete changes around it. Background execution limits introduced in Android 6 were improved in Android 7 to apply even more restrictions after devices became stationary, which can be loosely interpreted as ‘bad’ for data exfiltration SDKs that apps ship but in reality didn’t do much.
In Android 8, access to background location was severely throttled. Apps received less frequent updates for location and thus couldn’t track you in real time.
The Android Autofill framework was debuted, along with support for Web form Autofill. This paved the way for password managers to fill fields for you without relying on hacked up accessibility services or the Android clipboard. This was a major win!
Android 8.0’s implementation of HttpsURLConnection did not perform insecure TLS/SSL protocol version fallback, which means connections that failed to negotiate a requested TLS version would now abort rather than fall back to an older version of TLS.
Access to the
ANDROID_ID field was changed significantly. It is generated per-app and per-signature as opposed to the entire system making it harder to fingerprint users who have multiple apps installed with the same advertising-related SDKs.
Beginning Android 9, background access to device sensors was greatly reduced. Access to microphone and camera was completely denied, and so was the gyroscope, accelerometer and other sensors of that class.
For apps that need to access the user’s call logs for any reason, a new permission group was introduced. Now, you don’t require granting access to all phone-related permissions to let an app back up your call logs.
There are multiple ways to monitor phone calls on Android, and with the introduction of the
CALL_LOG permission group, these were locked down to only expose phone numbers to apps that were allowed explicit access to call logs.
A combination of changes to what permissions apps require to know about your WiFi and how much personally identifiable data is provided by these APIs further improves your privacy against rogue apps. Disabling device location now disables the ability to get information on cell towers your phone is connected to.
Requesting access to the device serial number now requires phone state permissions making it more explicit when apps are trying to fingerprint you.
Probably the most controversial change in 10, Scoped Storage segregated the device storage into scopes and gave apps access to them without needing extra permissions.
Android 10 introduces the
ACCESS_BACKGROUND_LOCATION permission and completely disables background access for apps targeting SDK 29 that don’t declare it. For older apps, the framework treats granting location access as effectively background location access. When the app upgrades to target SDK 29, the background permission is revoked and must be explicitly requested again.
Beginning Android 10, the system no longer keeps track of what contacts you interact with most and thus search results are not weighted anymore.
Connecting to a Wi-FI network now uses a randomized MAC address to prevent fingerprinting.
Access to identifiers such as IMEI and serial was restricted to priviledged apps which means apps served by the Play Store can no longer see them.
This is the problem we first talked about. Apps before Android 10 could monitor clipboard events and potentially exfil confidential data like passwords. In Android 10 this was completely disabled for apps that were not in foreground or not your active input method. This change was made with no compatibility changes, which means even older apps would not be able to access clipboard data out of turn.
Apps can no longer toggle WiFi or read a list of configured networks, and getting access to methods that expose device location requires the
ACCESS_FINE_LOCATION permission to make it obvious that an app is doing it. The last change also affects telephony related APIs, a full list is available here.
Apps no longer have silent access to screen contents, and the platform now prompts users to disallow permissions for legacy apps that target Android 5.1 or below that would earlier be granted at install time. Physical activity recognition is now given its own permission and common libraries for the purpose like Google’s Play Services APIs will now send empty data when an app requests activity without the permissions.
Apps targeting Android 11 are no longer allowed to opt out of scoped storage.
All encompassing access to a large set of directories and files is completely disabled, including the root of the internal storage, the
Download folder, and the data and obb subdirectories of the
Location, microphone and camera related permissions can now be granted on a one-off basis, meaning they’ll automatically get revoked when the app process exits.
Apps that are not used for a few months will have their permissions automatically revoked.
READ_PHONE_NUMBERS permission has been added to call certain APIs that expose phone numbers.
One time access is now an option for location, allowing users to not grant persistent access when they don’t wish to.
Background location needs to be requested separately now and asking for it together with foreground location will throw an exception.
To allow apps to audit their own usage of user data, a new callback is provided. Apps can implement it and then log all accesses to see if there’s any unexpected data use that needs to be resolved.
Unpriviledged apps targetting SDK 30 will no longer be able to get the device’s real MAC address.
As you can tell, improving user privacy is a constant journey and Android is doing a better job of it with every new release. This makes it crucial that you stay up-to-date, either by buying phones from an OEM that delivers timely updates for a sufficiently long support period, or by using a trusted custom ROM like GrapheneOS or LineageOS.