This Android security risk is often overlooked. Google wants that to change

There's been an increase in cyberattacks targeting Android smartphone firmware. Google has a plan to improve defenses.
Written by Danny Palmer, Senior Writer

Google is working on improving the cybersecurity of Android smartphones and tablets by hardening the defenses of the entire ecosystem at the firmware level. 

Firmware is the software that configures and controls a device's hardware. Because of this role, firmware is often the first code that runs when a device is switched on, making it the foundation on which everything else in the system is built.

This position means that firmware plays a major role in the security of your device and its operating system, including the configuration of hardware security settings. 

The key role of firmware in managing all aspects of a device means that if an attacker can compromise a smartphone or tablet at a firmware level, they can gain persistent and almost completely secret access to the device, which could allow them to spy on everything you do, steal sensitive information, or even stop the device from working. 

Firmware attacks aren't widespread and are usually highly targeted -- but Google is reacting to what it describes as a rise in cybersecurity research that uncovers vulnerabilities in Android firmware. 

"As the security of the Android Platform has been steadily improved, some security researchers have shifted their focus towards other parts of the software stack, including firmware," researchers said in a Google Security Blog update. 

"Over the last decade there have been numerous publications, talks, Pwn2Own contest winners, and CVEs targeting exploitation of vulnerabilities in firmware running in these secondary processors." 

Some of these vulnerabilities have resulted in remote-code execution on devices, particularly after abusing Wi-Fi and cellular baseband bugs. 

Now Google says it will improve Android security by applying lessons learned from securing other areas of the code and hardening the firmware to protect it -- and users -- against potential cyber threats. 

This process will involve improvements to compiler-based sanitizers -- programming tools that detect bugs in programs -- and other exploit mitigations in the firmware, along with improvements to memory safety features. The memory-safety improvements aim to prevent attacks that directly target the memory of the firmware, such as buffer-overflow attacks.
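The kind of bug this hardening targets, as an added example that is not from the article or from Google's code: a firmware-style parser that copies a length-prefixed field from a received frame into a fixed buffer, shown unchecked and hardened. The element layout (1-byte id, 1-byte length), the function names and the sample frames are assumptions constructed for illustration; the flags in the comment are Clang options.

```c
#include <stddef.h>
#include <stdint.h>

#define SSID_ID  0u    /* assumed element id for this example */
#define SSID_MAX 32u   /* fixed destination size */

struct scan_result {
    uint8_t ssid[SSID_MAX];
    uint8_t ssid_len;
};

/* Unchecked form: trusts the length byte from the frame. A length above
 * SSID_MAX indexes past ssid[]. Built with
 *   clang -fsanitize=bounds -fsanitize-trap=bounds
 * the out-of-range subscript traps instead of corrupting memory. */
int parse_ssid_unchecked(const uint8_t *frame, size_t n, struct scan_result *out)
{
    if (n < 2 || frame[0] != SSID_ID)
        return -1;
    uint8_t len = frame[1];
    for (size_t i = 0; i < len; i++)
        out->ssid[i] = frame[2 + i];   /* no check against SSID_MAX or n */
    out->ssid_len = len;
    return 0;
}

/* Hardened form: validates the length against both the bytes actually
 * received and the destination capacity before copying. */
int parse_ssid_checked(const uint8_t *frame, size_t n, struct scan_result *out)
{
    if (n < 2 || frame[0] != SSID_ID)
        return -1;
    size_t len = frame[1];
    if (len > n - 2)        /* claims more data than the frame holds */
        return -2;
    if (len > SSID_MAX)     /* would overflow ssid[] */
        return -3;
    for (size_t i = 0; i < len; i++)
        out->ssid[i] = frame[2 + i];
    out->ssid_len = (uint8_t)len;
    return 0;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t GOOD_FRAME[] = { 0, 4, 'h', 'o', 'm', 'e' };
const uint8_t TRUNCATED_FRAME[] = { 0, 10, 'a', 'b' };
```

The sanitizer and the explicit check are complementary: the check rejects malformed input on the normal path, while the trap catches any subscript the programmer failed to guard.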

There are challenges surrounding the implementation of this approach, as Google notes.

"Hardening firmware running on bare metal to materially increase the level of protection -- across more surfaces in Android -- is one of the priorities of Android Security," said Google Security, which also wants other Android device manufacturers to follow suit.

"Moving forward, our goal is to expand the use of these mitigation technologies for more bare metal targets, and we strongly encourage our partners to do the same. We stand ready to assist our ecosystem partners to harden bare metal firmware."