Google Details New Security Features in Android 5.0 Lollipop

The latest version of Google's Android operating system comes with some interesting new functional features, but the company says it's also much more secure than its predecessors.

Google unveiled Android 5.0, called Lollipop, earlier this month when it presented the Nexus 9 tablet and the Nexus 6 smartphone. The mobile operating system will become available to consumers on November 3.

In a post published on Tuesday on the official Android blog, Google detailed some of the new security features in Android 5.0.

Android Lollipop security features

Many smartphone users haven't enabled PIN or password protection because they feel it takes too long to unlock the device. To address this issue, Android Lollipop introduces Smart Lock, which allows users to unlock their phones using Bluetooth pairing, NFC, or gestures. Furthermore, the feature allows users to configure the phone so that certain notifications are accessible directly from the lock screen.

Recent events have demonstrated that data encryption has become highly important, which is why Google has decided to enable full device encryption by default on new devices running Android 5.0.

"Full device encryption occurs at first boot, using a unique key that never leaves the device," the Android team noted.

The company says the Security Enhanced Linux (SELinux) feature introduced last year has prevented multiple vulnerabilities, and now it has been strengthened even more to meet the needs of enterprise customers that have strict security requirements, such as government agencies.

"Security Enhanced Linux (SELinux) pushes enforcement of the Android security model further into the core of the OS and makes it easier to audit and monitor so there's less room for an attack. With Android 5.0, SELinux Enforcing mode is required for all applications on all devices," explained the Android team.

Another feature that's designed with enterprise customers in mind is support for multiple user accounts. Users who rely on their personal devices for work will be able to separate work-related tasks from personal activities by creating a corporate profile.

"The technology provides an elegant way of segmenting and managing corporate data without significantly impacting usability, and maintaining user privacy. For businesses, the separation of consumer and corporate profiles means much more control over corporate assets, stopping third-party apps from accessing corporate data, while letting the consumer profile act in the free environment that makes Android, well… Android," Aaron Cockerill, VP of enterprise at mobile security firm Lookout, said in a blog post.

The new Factory Reset Protection feature, which has been dubbed a "kill switch," is designed to make stolen devices unusable. The protection mechanism should discourage smartphone thieves because they will not be able to access the data on devices or perform a factory reset without knowing a password.

Experts comment on Android 5.0 security

Experts contacted by SecurityWeek all agree that the new features are a step in the right direction, but say there is still much work to be done.

Jeremy Linden, Senior Security Product Manager, Lookout: "On the whole, Android Lollipop has taken some great steps toward better security on Android. The new version of Google's mobile operating system makes more security features default, while, in true Android fashion, still allows people to customize those settings. In particular, we're glad to see full-device encryption and defaulted SELinux policies.

"These changes mean the everyday person using an Android device doesn't have to go hunting around to find what to them might be obscure security settings and instead are protected straight out of the box. Of course, there's still a lot that needs to be done to protect the mobile device -- from theft to malware. We believe it'll take industry collaboration to really hit on all of these issues and we're glad to see Google take this great security step."

Filip Chytry, Mobile Malware Analyst, Avast: "Lollipop is a big step forward in terms of security, making it easier for Android users to keep their data secure. Encryption, guest user mode, Smart Lock, and kill switch are all great new features to help users protect their data in cases where their phone is lost or stolen. However, users still need to proactively take advantage of these new features to really stay secure. For example, the encryption feature is not very useful if the user does not lock their device with a PIN or the new Smart Lock feature."

Bogdan Botezatu, Senior E-Threat Analyst, Bitdefender: "The features introduced in Lollipop are definitely taking security one step up. Screen pinning and SmartLock will surely make it easier for users to share and safeguard their devices, while full device encryption will make it nearly impossible for an unauthorized party to extract device data without their owner’s consent.

"I also like the idea of the remote killswitch, also known as 'Factory Reset Protection', although it does not show up in the official spec sheet. This feature would not allow somebody to fully wipe the device unless they have the associated password, thus making stolen phones useless.

"But device theft or risks associated to sharing it are just one fraction of the Android threat landscape. In my opinion, the real risks associated with the regular use of Android are still unmitigated: adware-powered applications are still able to send whatever data they need from the user’s device once they have been installed on it and advertisers are becoming ever greedier these days. As an Android user myself, I would have loved to see the introduction of a granular permission system per application – a system to allow users to selectively reject app permissions they are not comfortable with."

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.