Google’s Project Mainline in Android Q will help speed up security updates
Android version fragmentation is one of the biggest challenges for Google to solve. While the Google Pixel smartphones are among the most secure smartphones on the market thanks to the incredible efforts of Pixel and AOSP engineers, many other smartphones are vulnerable to exploits due to running outdated OS versions or outdated security patch levels. The latest report from Gartner shows that Android 9 Pie is an incredibly secure OS, yet only approximately 10% of all smartphones are on the release.
Google is tackling version fragmentation with initiatives such as Project Treble, a major rearchitecting of Android resulting in a separation between the Android OS framework components and the vendor HAL components, extended Linux kernel LTS, mandatory security patch updates for 2 years, and Android Enterprise Recommended. At Google I/O 2019, the company announced its latest initiative to speed up security updates: Project Mainline for Android Q.
Project Mainline: Updating Android Q system modules through Google Play
For the past several months, we’ve tracked something called “APEX” in AOSP. APEX, or Android Pony EXpress, is a new package type that’s similar to an APK. Instead of housing an Android application, however, APEX is home to a native or class library, precompiled code that can be called by Android apps, Hardware Abstraction Layers (HAL), and the Android Runtime (ART). Like the APK, APEX packages can be served to users over traditional package installation methods in Android: the Google Play Store/package manager or ADB.
APEX modules can be used much earlier in the boot process than APK-based modules, and they’re also backed by dm-verity and Android Verified Boot for increased security. Mounting the payload images in the APEX package requires the Linux kernel’s loop driver, so devices need Linux kernel version 4.9+. Managing the APEX packages requires the new APEX daemon, introduced with Android Q. While it’s possible for devices upgrading to Android Q with Linux kernel 4.4 to support APEX (like the Google Pixel 3), OEMs need to merge additional patches to make it work. For the most part, only devices launching with Android Q will support Project Mainline.
GNU/Linux distributions have long been able to update system components independently of full system updates, but Android has always required a system update to update them. Google chose not to distribute these packages using traditional Linux package management systems like dpkg and rpm because they don’t protect packages post-installation using dm-verity.
Since it takes a long time for device makers to roll out updates, many devices may have outdated system components for days, weeks, or even months. By distributing these components as APEX packages, Google can bypass the long wait for OEMs to roll out a system update.
Google isn’t exerting total control over all system components, however. The company has worked with its OEM partners to select a set of system apps (as APKs) and system components (as APEX packages) to modularize so they can improve security, privacy, and consistency for all users with devices that launch with Android Q. Although Google hasn’t disclosed exactly how they came up with the initial set of system components, they have provided us the list of system components on devices launching with Android Q that will be updateable by Google:
- Security: Media Codecs, Media Framework Components, DNS Resolver, Conscrypt
- Privacy: Documents UI, Permission Controller, ExtServices
- Consistency: Timezone data, ANGLE (developers opt-in), Module Metadata, Networking components, Captive Portal Login, Network Permission Configuration
Immediate updates to Conscrypt, the Java security library, and the media components, which “accounted for nearly 40% of recently patched vulnerabilities,” will make Android devices safer. Updates to the Permission Controller will improve privacy. Standardizing the timezone data will be helpful to keep Android devices around the world on the same page whenever a country decides to change its timezone. Furthermore, game developers will benefit from the standardization of ANGLE.
Google is starting out with these system components but could add more in future Android releases. Of these 13 components, Conscrypt, Timezone data, Media Codecs, and Media Framework Components will be delivered as APEX packages. The other 9 components are system APKs. While both APEX and APKs are deliverable via Google Play, updating an APEX package will require a reboot. Google hasn’t shared the UI flow for how this will happen just yet, but once devices start launching with Android Q we’ll likely learn more information about Project Mainline and APEX packages.