- Nov 30, 2015
Oreo is the most secure version of Android yet.
Every time Android gets an update, there are changes that we can't see. There is a lot going on behind the home screen and it takes an army of developers to keep a piece of software as intricate as Android running. With
As users, we are mostly concerned with what we can see or do ourselves; things like being mindful of installing random apps or not opening email attachments from people we don't know. But the heavy lifting goes on behind the scenes and work to prevent any of the malicious content we might run across from gaining a foothold is a priority. Oreo has a long list of changes and features on this front.
- Android Oreo no longer supports SSLv3 (Secure Sockets Layer version 3.0). SSLv3 is outdated and has been proven insecure, and at the
In addition, when you try to connect to a server that isn't correctly using TLS 1.2, Android Oreo will no longer attempt to fall back to a previous version as a workaround. Your phone running Oreo just won't connect to unsafe web servers, and that's awesome.
Android 8.0 applies a
WebView objects now run in multiprocess mode. Any apps that get content from the Web now show that content in its own isolated sandbox, where it has no access to any app data. A website that tries to steal your information will find no information to steal!
Apps that are running can no longer assume other apps are in a generic location and will need to ask the system itself to pass data along to their actual source directory. Not knowing where to find an app means it's much harder to exploit any vulnerabilities in it.
Android Oreo now handles your unique identifying data differently. Prior to Android 8.0, a unique Android ID was generated when a device was first set up. This ID was constant, and developers could use it to verify a user when retrieving data from the cloud. With Oreo, the ID is based on the app developer's signing key (a tool used to verify an app is original and hasn't been tampered with), our Android Advertising ID (a function of Play Services and something we can erase or opt out of) and the actual device ID. Every instance of the Android ID is now different and isolated to the app that generated it.
This ups the ante on user privacy, as a developer can't track users of one app with another app or share user data based on ID with any other apps.
This applies to every app, not just apps targeted to Android O. But there is a caveat: apps installed prior to an Android O system update will still use the old ID. You'll need to uninstall and reinstall them if you want to use a unique and safer way to verify your identity.
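The scoping described above and its upgrade caveat, as an added example that is not from the article or from Android's source: a simplified Python model in which the HMAC-SHA256 derivation, the `App` and `Device` types and all sample values are assumptions. It models only the signing-key and device inputs.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class App:
    package: str
    signing_cert: bytes            # constructed stand-in for the developer's signing key
    installed_before_update: bool  # True if already installed when the device got Oreo

@dataclass(frozen=True)
class Device:
    secret: bytes    # hypothetical per-device secret held by the system
    legacy_id: str   # the single constant ID every app saw before Android 8.0

def android_id(app: App, device: Device) -> str:
    """Return the Android ID this app is given under the model."""
    if app.installed_before_update:
        # Caveat from the article: apps installed before the update keep the old ID.
        return device.legacy_id
    # Assumed construction: keyed hash of the signing certificate, so the value
    # differs per signing key and cannot be recomputed without the device secret.
    digest = hmac.new(device.secret, app.signing_cert, hashlib.sha256).hexdigest()
    return digest[:16]  # 64 bits as hex, same width as the legacy value

def reinstall(app: App) -> App:
    """Uninstalling and reinstalling moves the app onto the scoped ID."""
    return replace(app, installed_before_update=False)

def linkable(a: App, b: App, device: Device) -> bool:
    """True if both apps receive the same ID and could correlate one user."""
    return android_id(a, device) == android_id(b, device)

# Constructed sample data, not real identifiers.
DEVICE = Device(secret=b"constructed-device-secret", legacy_id="0123456789abcdef")
GAME = App("com.example.game", b"constructed-cert-A", False)
CHAT = App("com.example.chat", b"constructed-cert-B", False)
OLD_NEWS = App("com.example.news", b"constructed-cert-C", True)
OLD_MAPS = App("com.example.maps", b"constructed-cert-D", True)

if __name__ == "__main__":
    print("fresh installs linkable:", linkable(GAME, CHAT, DEVICE))
    print("pre-update installs linkable:", linkable(OLD_NEWS, OLD_MAPS, DEVICE))
    print("after reinstall:", linkable(reinstall(OLD_NEWS), OLD_MAPS, DEVICE))
```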
- The "unknown sources" system of installing apps from outside of Google Play has been completely revamped.
Google does other things to help cut down on malware and security scares, too. We've recently seen [Google Play Protect](https://www.androidcentral.com/google-play-protect-uses-machine-learning-detect-and-remove-harmful-apps) as a new branding for retail devices covered by Google's machine learning-enabled application scanning service, and
We still should be mindful of what we install, but it's good to know that the Android security team has our backs.