TL;DR I'm going to start sending out a quarterly summary of things the major events going on in Android Security. Wow, did I pick a doozey of a quarter to start doing this.
Below, I’ve compiled my top 10 android security events and activities from the Q3, 2015. The last 3 months have been amazing -- any one of these might have been the most important item for Android Security during most quarters. But all of this really did happen in just the last three months. 1. Monthly updates - Announced Nexus support policy with monthly security updates for Nexus <http://officialandroid.blogspot.com/2015/08/an-update-to-nexus-devices.html>. Pushed Samsung <http://www.androidcentral.com/samsung-plans-offer-new-security-updates-every-month-its-android-devices> and LG <http://www.engadget.com/2015/08/07/lg-stagefright-monthly-security-updates/> to make similar announcement (albeit still not realized). Shipped three updates <https://developers.google.com/android/nexus/images> to Nexus, GPE, Android One and published the corresponding security bulletins <https://groups.google.com/forum/#!forum/android-security-updates>.We also expanded to Kirkland team and began to grow the team to handle our increasing incident response needs <http://go/android-vulns-dashboard>. 2. Unprecedented partner engagement in security - Executive meetings on security with all major US carriers and top 5 OEMs. Worked with APE / TAM / BD to build program for Ecosystem-wide Monthly Security updates <http://go/manic-monday-pitch>, rolled out our security program to all carriers, OEMs, and began to track rollouts <https://dashboards.corp.google.com/#/google::_45984543_fda2_458b_9a8a_3fe0c1130981>of security patches to devices. Here are highlights from a recent program review <https://docs.google.com/presentation/d/1c6xYbGkcIlHD-RPsv00U4vTMrzl4_CuOd-eJrU6Lf4M/edit#slide=id.g702e6832b_0_0> . 3. Stagefright. Stagefright Code Yellow <http://go/stagefright-cy-track>. Media Server Bugs and Hackathon <https://docs.google.com/document/d/1icuQabxBlBBfjjP967YMLliIdSSm798BO20xdYA8q9Y/edit#heading=h.enzv5yxtjeu3>. Also, thanks to aarya@ of Chrome Security for driving that continued expansion of fuzzing efforts <https://docs.google.com/a/google.com/presentation/d/1docwgWwqZL0wEO5R0U5oRyMdnUhg9a3HMhmb-e5vyTM/edit?usp=drive_web> . 4. Android M Security Enhancements <https://docs.google.com/presentation/d/1JfRZ5P-HmuaKJvN3SgZmXWhfoC3sirr8OVtDXPRBQZk/edit#slide=id.gaf51a6178_1_132> - I can’t believe this is #4. We shipped Verified Boot. Monthly Patch String. SeLinux IOCTL filtering. UsesClearTextTraffic. SELinux User separation. The broader Android team also shipped a major overhaul of permissions, fingerprint API, adoption of SD cards, protection for USB connections, and more. 5. Results from Android Security Regards Program <https://www.google.com/about/appsecurity/android-rewards/> - Android Security Rewards launched on June 16 <https://googleonlinesecurity.blogspot.com/2015/06/announcing-security-rewards-for-android.html> and by October 1, we’ve paid out over $100,000 for over 60 issues. 6. Massive Increase in Public Outreach -- aludwig @ Blackhat (slides <https://docs.google.com/presentation/d/1U35ilLs3ca8AHNYXKZgl14VjS5Q-RSx3GNVQqCGQWkQ/edit>, press), jeffv@ about ioctl filter <https://docs.google.com/a/google.com/presentation/d/1_meUW-MtHdCQC2YuWnrtJ7W6WXh7CTxfHz_N0TksRY4/edit?usp=drive_web> at Linux Security Summit, paullawrence@ and mhalcrow@ about encryption <https://docs.google.com/a/google.com/presentation/d/1xD2Vs5hHkY8GZB4Y72QAxsPf5sraAAQmse_3IAS2UA4/edit?usp=drive_web> at Linux Security Summit, nnk@ Android Security Symposium in Vienna( slides <https://docs.google.com/a/google.com/presentation/d/1-BWUaMldBoTzd0Vx9BnjWFP69E3xF1Hk-52s2dFcioo/edit?usp=drive_web>), sporst@ on Russian Malware cleanup at Virus Bulletin (slides <https://docs.google.com/presentation/d/1CrqdAm7WKAXsMja1VHVXEVGbg1vUzvoyhC5qCrqiqsY/edit>, video, press <http://qz.com/514720/google-just-revealed-its-android-security-team-detected-and-defeated-a-steep-rise-in-mobile-banking-fraud-in-russia/>), cbrubaker@ on NoGotofail at University of Utah (slides <https://docs.google.com/a/google.com/presentation/d/12uJxPosU_dI-X4XUQZO2BwPXWl406ny-pGWN3xFC3JI/edit?usp=sharing>), smel@ spoke at Johns Hopkins (slides <https://docs.google.com/presentation/d/1dJWxs7GNUTSABYu08Yt-2eQXDaWBnTFA3DYIDGM1WDk/edit#slide=id.gca06805cf_17_22> ) 7. Operational Focus on Malware in Play - Monthly reviews of top PHA installs (July <https://docs.google.com/a/google.com/document/d/1vwTMvOwL4I08GrB9dyLC7ex9fg2ydeqLEg3UBh3XuT4/edit?usp=sharing>, August <https://docs.google.com/document/d/197_ELrS8zhZhGxglF2aSaQq2P_0YBdDhkrlgDG5m_x4/edit>, September <https://docs.google.com/document/d/1lcKEIc3JySPryR2YhlNmNdgquitfQWF9qO-aIaHUCRc/edit?ts=5612e47f>) have helped drive our goal of less than 1 million installs being a PHA. (currently, the number is ~500 per million <http://go/phastats>) 8. Scale up of SafetyNet Attestation (including launch of Android Pay). See recent Program Review <https://docs.google.com/presentation/d/1SHeAt7bQX_OAoe99lwfn5IP9SSKyed7WJOWM-_B9v18/edit> for more details. 9. Greenhat <http://go/greenhat> - 2 day, google-wide summit with the best of Android Security. All the content and recordings have been stored here <https://drive.google.com/a/google.com/folderview?id=0B47yL4yVz8b3flhxSkRiemUyQ1dHRDFZblloYm9hZ3doWmJOQzFDTHAwa1RFekdRVExEVXM&usp=sharing> . 10. Last, but not least: Stinknet <http://go/stinknet>. Publicly known as Ghost Push <http://venturebeat.com/2015/09/18/cheetah-mobile-ghost-push-android-virus-infects-600k-users-a-day-with-unwanted-apps/>, (mostly) outside of Google Play we’re currently battling the largest coordinated rooting malware attack we’ve seen against Android. (We’re slowly winnning <http://go/stink>, but this will likely be a highlight again next quarter.) Anyhow, those are just a few of the big things we've been up to recently. Adrian -- Adrian Ludwig Android Security [email protected] -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
