1page.title=Security Enhancements in Android 7.0 2@jd:body 3<!-- 4 Copyright 2016 The Android Open Source Project 5 6 Licensed under the Apache License, Version 2.0 (the "License"); 7 you may not use this file except in compliance with the License. 8 You may obtain a copy of the License at 9 10 http://www.apache.org/licenses/LICENSE-2.0 11 12 Unless required by applicable law or agreed to in writing, software 13 distributed under the License is distributed on an "AS IS" BASIS, 14 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 See the License for the specific language governing permissions and 16 limitations under the License. 17--> 18 19<p>Every Android release includes dozens of security enhancements to protect 20users. Here are some of the major security enhancements available in Android 217.0:</p> 22 23<ul> 24 <li><strong>File-based encryption</strong>. Encrypting at the file level, 25 instead of encrypting the entire storage area as a single unit, better 26 isolates and protects individual users and profiles (such as personal and 27 work) on a device.</li> 28 <li><strong>Direct Boot</strong>. Enabled by file-based encryption, Direct 29 Boot allows certain apps such as alarm clock and accessibility features to 30 run when device is powered on but not unlocked.</li> 31 <li><strong>Verified Boot</strong>. Verified Boot is now strictly enforced to 32 prevent compromised devices from booting; it supports error correction to 33 improve reliability against non-malicious data corruption.</li> 34 <li><strong>SELinux</strong>. Updated SELinux configuration and increased 35 seccomp coverage further locks down the application sandbox and reduces attack 36 surface.</li> 37 <li><strong>Library load-order randomization and improved ASLR</strong>. 38 Increased randomness makes some code-reuse attacks less reliable.</li> 39 <li><strong>Kernel hardening</strong>. Added additional memory protection for 40 newer kernels by marking portions of kernel memory as read-only, restricting 41 kernel access to userspace addresses and further reducing the existing attack 42 surface.</li> 43 <li><strong>APK signature scheme v2</strong>. Introduced a whole-file signature 44 scheme that improves verification speed and strengthens integrity guarantees.</li> 45 <li><strong>Trusted CA store</strong>. To make it easier for apps to control 46 access to their secure network traffic, user-installed certificate authorities 47 and those installed through Device Admin APIs are no longer trusted by default 48 for apps targeting API Level 24+. Additionally, all new Android devices must 49 ship with the same trusted CA store.</li> 50 <li><strong>Network Security Config</strong>. Configure network security and TLS 51 through a declarative configuration file.</li> 52</ul> 53 54