- Android Oreo no longer supports SSLv3 (Secure Sockets Layer version 3.0). SSLv3 is outdated and has been proven insecure, and at the recommendation of the IETF (Internet Engineering Task Force; a group that sets a sort of standard for internet communication) it’s been completely dismantled in favor of a newer communication security method, TLS (Transport Layer Security) 1.2.
In addition, when you try to connect to a server that isn’t correctly using TLS 1.2, Android Oreo will no longer attempt to fall back to a previous version as a workaround. Your phone running Oreo just won’t connect to unsafe web servers, and that’s awesome.
- Android 8.0 applies a Secure Computing (seccomp) filter to all applications, which reduces the list of ways an app can directly communicate with the kernel. Those direct kernel calls have traditionally been a popular route for attempting a kernel exploit to gain admin-level privileges, so it’s harder than ever for any type of malware to get root.
- WebView objects now run in multiprocess mode. Any apps that get content from the Web now show that content in its own isolated sandbox, where it has no access to any app data. A website that tries to steal your information will find no information to steal!
- Apps that are running can no longer assume other apps are in a generic location and will need to ask the system itself to pass data along to their actual source directory. Not knowing where to find an app means it’s much harder to exploit any vulnerabilities in it.
- Android Oreo now handles your unique identifying data differently. Prior to Android 8.0, a unique Android ID was generated when a device was first set up. This ID was constant, and developers could use it to verify a user when retrieving data from the cloud. With Oreo, an ID is generated based on the app developer’s signing key (a tool used to verify an app is original and hasn’t been tampered with), our Android Advertising ID (a function of Play Services and something we can erase or opt out of) and the actual device ID. Every instance of the Android ID is now different and isolated to the app that generated it.
This ups the ante on user privacy, as a developer can’t track users of one app with another app or share user data based on ID with any other apps. This applies to every app, not just apps targeted to Android O. But there is a caveat: apps installed prior to an Android O system update will still use the old ID. You’ll need to uninstall and reinstall them if you want to use a unique and safer way to verify your identity.
- The “unknown sources” system of installing apps from outside of Google Play has been completely revamped.
More: Here’s why sideloading apps is safer with Android Oreo

Google does other things to help cut down on malware and security scares, too. We’ve recently seen [Google Play Protect](http://ift.tt/2ra6K4V) as a new branding for retail devices covered by Google’s machine learning-enabled application scanning service, and monthly patches for security exploits help update Android itself against new security issues.

We still should be mindful of what we install, but it’s good to know that the Android security team has our backs.