Ok Google, What’s New in Android Security?
A few weeks ago, Duo traveled to sunny Mountain View, California to explore everything new at Google’s annual developer conference, Google I/O. Engineers from our Mobile and Labs teams joined me and we spent the week evaluating all of the new technologies and features Google announced at I/O, including: the next major version of its Mobile Operating system Android P, advancements in cloud and on-device machine learning and much, much more.
Duo at Google I/O
Duo has been working with Google since late last year on the Android Protected Confirmation API, helping provide Google with early feedback as part of Google’s early technology preview program. We’ve prototyped an integration with this new security API in Duo Mobile to evaluate its capabilities and for potential inclusion in our product later this year when Android P and compatible hardware is released to the public. We’re also happy to announce we’ll have support for Android P when it is released later this year.
Android Protected Confirmation helps app developers ensure that a human is interacting with a phone to confirm sensitive transactions like: approving a Duo Push, sending money, or triggering a medical action like an insulin injection. This new security API provides cryptographic assurance of human presence and prevents on-screen prompts from being hijacked or clicked by malicious applications or man-in-the-middle attacks. Our Duo Labs and Engineering teams have written a technical blog post explaining how Android Protected Confirmations work in depth.
This collaboration with Google to preview early features is an example of Duo’s commitment to innovation and evaluating new security technologies, all while sharing our learnings with the wider security industry.
Other Security Improvements
Google announced many other security improvements that we are looking forward to working with, including:
- Better privacy protections with apps in the background losing access to Android sensor data
- Improvements to the Android Biometric Prompt, which will bring a more consistent experience for biometric auth on Android
- New secure hardware keystore module called strongbox, which corroborates a key's integrity with the Trusted Execution Environment (TEE)
- Security improvements that requires the Android screen to be unlocked before allowing decryption of any in-flight or stored data using the specified key.
These are just a few of the many things Google announced at I/O this year, checkout this Google blog post for a list of 100 things they announced at Google I/O.
Similar to our attendance at Google I/O, in early June, members of our mobile team and myself will be present at Apple’s Worldwide Developer Conference (WWDC) in San Jose, California. Be sure to check our blog in a few weeks for a write-up of what we’re excited about Apple releasing, and let us know if you’ll be at WWDC, we might just have some Duo swag for you.
Regardless if you attend these developer events or not, know that Duo has your back. We’re always keeping up with the latest features and improvements from platform developers like Google, Apple and Microsoft. We evaluate these new technologies for inclusion in our future product releases to ensure we’re providing you with the best security experience on these major platforms. Keep an eye on our blog for future feature announcements.