Android Pie Does System Security à la iOS

In its quest to improve the security of its mobile operating system, Google took a page out of Apple’s book. Namely, the company has made it impossible, even for itself, to push malicious software updates onto Android devices.

The latest version of Android, Pie, which ships with Google’s latest flagship phones, the Pixel 3, was changed so that Google itself would not be able to change the firmware to disable security features.

Now, if you feel that all of this somehow feels oddly familiar, it’s because of this old story:

In 2016, Apple and the FBI got embroiled in a public confrontation regarding the integrity of iOS’ security. At the time, the FBI was trying to gain access into a locked iPhone that belonged to the notorious San Bernardino terrorist and asked Apple to push an update containing a backdoor that they could then use to retrieve the data from the phone. Apple declined and said that in doing do it would be compromising the security of all iOS users.

Going the Apple Route

Google has put itself in a position where it can behave exactly like Apple did if it were in a similar situation. In Android Pie, Google simply cannot push a software update without the user agreeing to it with his passcode or unlocking pattern.

The changes were recently highlighted by Rene Mayrhofer, Google’s Director of Android Platform Security, during a talk at the USENIX Enigma conference in California.

“We want to make it impossible for insiders to get this kind of access for whatever reasons, whatever motivation,” Mayrhofer said. “And law enforcement is, I would say—the inability to react to legal requests here is an unintended side effect of this mitigation,” he said.

After his talk, Mayrhofer was asked by former FTC CTO Ashkan Soltani if Google was going “the Apple route”, alluding to the latter’s altercation with the FBI. Mayrhofer dismissed that type of incidents as a rare occurrence compared to Google’s bigger worries, saying: “The risk for insider attack in the long chain, in the whole ecosystem is—I think—currently bigger than the few cases where legitimate law enforcement access would happen to have to break the chain.”