Google Boosts Protection of Backups in Android

The latest Android iteration leverages Google Cloud’s Titan technology to better protect users’ backed-up application data, Google says.

The functionality combines Android’s Backup Service and Google Cloud’s Titan technology, ensuring that user privacy is maintained, the Internet giant explains.

Backed-up application data in Android 9 can only be decrypted by a key generated at the client and encrypted using the user’s lock-screen PIN/pattern/passcode.

The passcode-protected key material is then encrypted to a Titan security chip in Google’s datacenter, which is configured to release the key only “when presented with a correct claim derived from the user’s passcode.”

“Because the Titan chip must authorize every access to the decryption key, it can permanently block access after too many incorrect attempts at guessing the user’s passcode, thus mitigating brute force attacks,” Google reveals.

The Internet search company also says that custom Titan firmware, which cannot be updated without completely erasing the chip, is in charge of strictly enforcing the limited number of incorrect attempts. This should prevent access to a user’s backed-up application data without the passcode.
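A minimal model of the guess-limited key release described above, added here as an illustration; it is not Google's protocol or code. The names `Vault`, `enroll` and `recover`, the 10-attempt limit, the reset of the counter on success, PBKDF2, and the XOR wrap (a stand-in for an authenticated cipher) are all assumptions.

```python
import hashlib, hmac, os

MAX_ATTEMPTS = 10  # assumed limit; the article does not state the real number

def derive(passcode: str, salt: bytes, label: bytes) -> bytes:
    """Stretch the passcode once, then domain-separate the output by label."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)
    return hmac.new(stretched, label, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    # Stand-in for an authenticated cipher such as AES-GCM; model only.
    return bytes(x ^ y for x, y in zip(a, b))

class Vault:
    """Models the server-side chip: stores the wrapped key, counts failures."""
    def __init__(self, claim: bytes, wrapped_key: bytes):
        self._claim_digest = hashlib.sha256(claim).digest()
        self._wrapped = wrapped_key
        self._failures = 0

    @property
    def locked(self) -> bool:
        return self._wrapped is None

    def release(self, claim: bytes):
        if self.locked:
            raise PermissionError("vault permanently locked")
        ok = hmac.compare_digest(hashlib.sha256(claim).digest(), self._claim_digest)
        if ok:
            self._failures = 0  # assumption: the limit counts consecutive failures
            return self._wrapped
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._wrapped = None  # wipe: no later claim can succeed
        return None

def enroll(passcode: str, salt: bytes):
    """Client side: generate the backup key, wrap it, hand the vault a claim."""
    backup_key = os.urandom(32)
    wrapped = xor(backup_key, derive(passcode, salt, b"wrap"))
    return backup_key, Vault(derive(passcode, salt, b"claim"), wrapped)

def recover(vault: Vault, passcode: str, salt: bytes):
    """Client side: present the claim, unwrap locally if the vault releases."""
    wrapped = vault.release(derive(passcode, salt, b"claim"))
    return None if wrapped is None else xor(wrapped, derive(passcode, salt, b"wrap"))
```

In this model the vault never sees the passcode or the unwrapped key, and a four-digit PIN's 10,000 candidates cannot be enumerated because the wrapped key is wiped after `MAX_ATTEMPTS` wrong claims.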

The setup, Google says, was meant to prevent all unauthorized access to the data, including that of Google employees. The strong security stance this provides has already been verified through a security audit performed by the NCC Group.

The audit, which looked into the Google Cloud Key Vault as a whole, did find issues (including two critical ones in the firmware, both immediately addressed), but concluded that Google has implemented mitigations for a broad range of attack scenarios (including internal threats) right from the design phase.

“NCC Group was impressed by both the well-rounded design and the high-quality code which took security into consideration. Numerous possible avenues of achieving a compromise were investigated and most of these ended with a determination that the design and implementation were already taking the particular attack into account and had sufficient mitigations,” NCC Group notes in their report (PDF).

According to Google, it aims to maintain transparency and openness through external reviews of its security efforts, so that users can feel safe when it comes to their data.

Last week, however, the company proved that it isn’t always as transparent, when it publicly revealed that it learned in March of a vulnerability in one of its APIs that exposed Google+ user data to any application using that API. Google chose not to disclose the issue for over six months.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
