page.title=Security Enhancements in Android 5.0
@jd:body

<p>Every Android release includes dozens of security enhancements to protect
users. Here are some of the major security enhancements available in Android
5.0:</p>

<ul>
  <li><strong>Encrypted by default.</strong> On devices that ship with L
out-of-the-box, full disk encryption is enabled by default to improve
protection of data on lost or stolen devices. Devices that
update to L can be encrypted in <strong>Settings</strong> &gt; <strong>Security</strong>.
  <li><strong>Improved full disk encryption.</strong> The user password is
protected against brute-force attacks using <code>scrypt</code> and, where
available, the key is bound to the hardware keystore to prevent
off-device attacks. As always, the Android screen lock secret and the device
encryption key are not sent off the device or exposed to any application.
  <li><strong>Android sandbox reinforced with SELinux.</strong> Android now
requires SELinux in enforcing mode for all domains. SELinux is a
mandatory access control (MAC) system in the Linux kernel used to augment the
existing discretionary access control (DAC) security model. This new layer
provides additional protection against potential security vulnerabilities.
  <li><strong>Smart Lock.</strong> Android now includes trustlets that provide
more flexibility for unlocking devices. For example, trustlets can allow
devices to be unlocked automatically when close to another trusted device (via
NFC, Bluetooth) or being used by someone with a trusted face.
  <li><strong>Multi user, restricted profile, and guest modes for phones &amp;
tablets.</strong> Android now provides for multiple users on phones and
includes a guest mode that can be used to provide easy temporary access to your
device without granting access to your data and apps.
  <li><strong>Updates to WebView without OTA.</strong> WebView can now be
updated independent of the framework and without a system
OTA. This will allow for faster response to potential security issues in
WebView.
  <li><strong>Updated cryptography for HTTPS and TLS/SSL.</strong> TLSv1.2 and
TLSv1.1 are now enabled, Forward Secrecy is now preferred, AES-GCM
is now enabled, and weak cipher suites (MD5, 3DES, and export cipher suites)
are now disabled. See <a
href="https://developer.android.com/reference/javax/net/ssl/SSLSocket.html">https://developer.android.com/reference/javax/net/ssl/SSLSocket.html</a>
for more details.
  <li><strong>Non-PIE linker support removed.</strong> Android now requires all
dynamically linked executables to support PIE
(position-independent executables). This enhances Android’s address space
layout randomization (ASLR) implementation.
  <li><strong>FORTIFY_SOURCE improvements.</strong> The following libc
functions now implement FORTIFY_SOURCE protections: <code>stpcpy()</code>,
<code>stpncpy()</code>, <code>read()</code>, <code>recvfrom()</code>,
<code>FD_CLR()</code>, <code>FD_SET()</code>, and <code>FD_ISSET()</code>. This
provides protection against memory-corruption vulnerabilities involving
those functions.
  <li><strong>Security Fixes.</strong> Android 5.0 also includes fixes for
Android-specific vulnerabilities. Information about these vulnerabilities has
been provided to Open Handset Alliance members, and fixes are available in
Android Open Source Project. To improve security, some devices with earlier
versions of Android may also include these fixes.
</ul>