Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Q Enables TLS 1.3 Support by Default

The latest Android iteration (Android Q) arrives with TLS 1.3 support enabled by default, as well as with other security improvements, Google announced this week. 

The latest Android iteration (Android Q) arrives with TLS 1.3 support enabled by default, as well as with other security improvements, Google announced this week. 

At Google I/O, the Internet search giant reiterated its commitment to building a more secure Android platform through better encryption, platform hardening, improved authentication, and more. 

Google has been requiring full-disk encryption on new devices since 2015, but only this year the company released a solution to enable storage encryption on all devices. Called Adiantum, it can run efficiently without specialized hardware, meaning that it can be used on a broader range of devices. 

Now, Google says that all compatible Android devices (including phones, tablets, televisions, and automotive devices) launching with Android Q will be forced to encrypt user data, to provide users with improved security. 

Additionally, the company is enabling TLS 1.3 support by default in Android Q. Finalized in August 2018, the latest major revision to the TLS standard is faster, more secure, and more private, as it removes support for weaker cryptographic algorithms and some insecure or obsolete features and encrypts more of the handshake.

Android Q will also arrive with a hardened platform, possible through applying defense-in-depth strategies to security critical areas such as media, Bluetooth, and the kernel, thus ensuring that attackers can’t use a single vulnerability to compromise the system. 

These strategies include process isolation, attack surface reduction, architectural decomposition, and exploit mitigations to render vulnerabilities more difficult or impossible to exploit. 

Advertisement. Scroll to continue reading.

Some of the improvements in Android Q include a constrained sandbox for software codecs, increased use of sanitizers during production to mitigate vulnerabilities in components that process untrusted content, and protecting Address Space Layout Randomization (ASLR) against leaks using eXecute-Only Memory (XOM).

Shadow Call Stack, which provides backward-edge Control Flow Integrity (CFI), will complement LLVM’s CFI, while the Scudo hardened allocator will make a number of heap related vulnerabilities more difficult to exploit, Google says. 

Building on the authentication options introduced in Android Pie with the BiometricPrompt API, which included support for face, fingerprint, and iris, Android Q updates the underlying framework with robust support for face and fingerprint and adds support for additional use-cases, including both implicit and explicit authentication.

The explicit flow requires the user to perform an action to proceed, such as tap their finger to the fingerprint sensor (the use of face or iris to authenticate requires clicking an additional button to proceed). 

“The explicit flow is the default flow and should be used for all high-value transactions such as payments,” Google says. 

The implicit flow does not require an additional user action and is used for a lighter-weight, more seamless experience for easily reversible transactions, such as sign-in and autofill.

BiometricPrompt also makes it possible to check if a device supports biometric authentication before invoking the API, and a new BiometricManager class has been added, to call the canAuthenticate() method and determine if the device supports biometric authentication and if the user is enrolled.

Beyond Android Q, Google plans to add Electronic ID support for mobile apps, thus allowing people to use their phones as IDs, such as a driver’s license. Such applications have a lot of security requirements and involve integration between the client on phone, a reader/verifier device, and issuing authority backend systems, Google points out. 

“This initiative requires expertise around cryptography and standardization from the ISO and is being led by the Android Security and Privacy team. We will be providing APIs and a reference implementation of HALs for Android devices in order to ensure the platform provides the building blocks for similar security and privacy sensitive applications,” the search giant notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.