A Boon for Privacy: Android P will Prevent Idle Background Apps from Accessing the Camera
Android P, the next major version of Android, could be weeks away from an official unveiling, and although its core user-facing features are still unknown to us, we are discovering many little tidbits thanks to Android’s open source nature. We know that it’ll let carriers hide signal strength and define how they’re displayed in the status bar, for example, and we’ve uncovered evidence that Google may remove developer access to undocumented and hidden APIs. Bloomberg reported earlier this month that the next version of Android will support phones with “multiple screens” and “foldable displays”, and we also found signs of that the update would support a call recording tone feature.
But Android P’s improvements don’t stop there. According to an Android Open Source Project (AOSP) commit merged on January 19, new rule-sets in Android P will prevent idling background apps from accessing the camera. This will ensure that malicious apps running in the background when your screen is off can’t take potentially compromising pictures of you or your loved ones for blackmail.
What’s changing in Android P?
The rule change targets apps’ UIDs (User IDs), the identifiers Android assigns each application at install time. They’re unique to each app, and they don’t change—as long as an app remains installed on your phone or tablet, it’ll retain the same app ID.
In Android P, when the camera service detects that a UID is “idle”—that is to say, when the device is in the idle Doze state and background apps’ access to CPU and network-intensive services is restricted—Android will generate an error and close access to the camera. Subsequent camera requests from the inactive UID will immediately generate an error.
It builds on the foundation of camera service changes starting in Android 6.0 Marshmallow. In Lollipop and older versions of Android, apps were granted camera access on a “first come, first serve” basis. But with Marshmallow, the camera service strongly favors apps with foreground and user-visible activities. It’s sort of like a fast lane queue at an amusement park: High-priority apps in line for camera access get to jump ahead of low-priority apps.
Why does it matter?
Limits on background app camera access are long overdue. In 2014, Android developer Szymon Sidor published a blog post explaining how applications could surreptitiously take photos and record videos by cleverly manipulating Android’s camera permissions. By shrinking a camera app’s viewfinder to 1px, which made it virtually invisible, Mr. Sidor was able to gain access to a Nexus 5‘s camera without alerting users to the app’s activities—even when the app was running in the background and the phone’s screen was switched off.
With Android P‘s background camera limits in place, malicious apps like the one described in Mr. Sidor’s blog post would be easier to detect as such malicious apps would need to implement a foreground service to stay alive, and thanks to Android Oreo’s requirements, that would mean the the app would have to display a notification telling you the app is running (and also that the app is displaying on top of other apps). If such an app tried to remain hidden in the background, that would no longer work as it wouldn’t be able to access the camera in P.