Some of the privacy features that I developed in the past are now going to be standard Android features in the next major release. In some cases, the implementation that I worked on ended up being a direct inspiration for the upstream work. I also pushed them to enable permissions review by default, which may have had some influence on it finally shipping as enabled. It was seemingly implemented for some niche scenario, and most of their privacy/security team didn't know the feature existed when I talked to them about it in the past.
Most of my work has focused on improving security, and that focus will be somewhat increased in Android Q due to many of the privacy improvements being part of the baseline OS.
Android P had previously replaced some of the privacy features developed as part of the AndroidHardening project, such as restricting access to the camera, microphone and sensors in the background.
Features that were not implemented by my past work:
- Scoped storage: This removes most shared storage access other than via the Storage Access Framework where the system provides a UI for the user to store/load files with explicit consent. This was planned as part of my work, but it would have been more awkward without the ability to force apps to adapt.
- Restrictions on background activity starts. This is mostly an anti-phishing mitigation.
- Contacts affinity removed
- No access to persistent identifiers like IMEI from non-system apps, rather than access being tied to the READ_PHONE_STATE part of the Phone permission group. Note that part of this was implemented in my past releases: removing serial number access from legacy apps without the READ_PHONE_STATE part of the Phone permission group.
- Access to all camera hardware information requires permission
- Fine location permission needed for telephony, Wi-Fi, Bluetooth APIs
- Wi-Fi network configuration restrictions
- Restricted access to screen contents
- Permission groups removed from UI
Features that were implemented by my past releases:
- Finer-grained user control over app access to device location. This will be nicer than the background location toggles, though, since it is integrated into the permission prompt.
- Connected MAC randomization
- Restriction of /proc/net access
- Only the default input method editor (IME, i.e. the keyboard) or the app with focus can access the clipboard
- Access to USB serial requires user permission. In Android Q, this applies only to apps targeting Android Q, while my approach applied to all apps, so it won't be fully replaced by this.
- Restriction on enabling and disabling Wi-Fi
- User-facing permission check on legacy apps
- Physical activity recognition
Features that are still exclusive to the past AndroidHardening project work:
- Network permission toggle
- Sensors permission toggle
- No automatic grants of 'Display over other apps'
- More control over secondary user accounts (such as disallowing audio access or installing new apps to the profile)
- Minimal and documented set of default network connections (over-the-air updates, GPS almanac updates, connectivity checks, DNS)
- Keyboard personalized suggestions, etc. disabled by default
- Bluetooth and NFC disabled by default
- Other changes that are not listed here
Awesome Resource