During an hour-long Hangouts web chat for the media and select IT professionals, Google today provided a glimpse of some of the new security features in its upcoming mobile OS, Android 7.0 "Nougat," which should be available on Google Nexus devices "in a few weeks," according to the company.
The online briefing wasn't meant to be exhaustive. Instead, it provided a top-level look at a set of new security and management tools in Android Nougat and Android for Work. Here's a breakdown of some of the most notable security improvements in Nougat, for Android users and IT administrators.
Android Nougat 7.0 platform-security enhancements
1. Direct boot and stronger encryption
Android Nougat users who encrypt their phones will no longer have to enter a security code after a reboot and then wait for their devices to restart in order to use core native features. Google apps including the phone and alarm will work on encrypted phones after a reboot, but the passcode will be required to access data using those apps, such as a phone contact list.
New file-based encryption works at a more granular level to better isolate users and profiles in Android. And hardware-backed encryption keys are required for all new Android phones that run Nougat.
2. Stronger MediaServer and platform hardening
Google caught a lot of flak related to flaws in its Android MediaServer components that enabled the Stagefright attacks earlier this year, and it says it strengthened the MediaServer in many ways. For example, in Android 7.0 Nougat an attacker who manages to breach MediaServer gains access to fewer permissions, according to Google.
Android Nougat also requires that all devices support verified boot, so corrupt phones or tablets won't start at all, or will only grant access to "safe" apps and services after they start, Google says.
3. App security and abuse prevention
Apps on previous Android versions used to be able to share user-granted permissions with other apps much more easily, according to Google. In Nougat, the company cracked down on permission sharing between apps. And apps with device admin permissions in Android Nougat can no longer prevent users from uninstalling them or change users' PINs, passwords or codes to lock them out of their devices.
4. 'Seamless' Android updates
When Nougat software updates are available for new phones, users can choose to download and install them in a separate on-device partition, so they don't need to stop using their phones or tablets during the process. The next time they reboot their phones, the new software will auto-install much more quickly than in the past, according to the company. Unfortunately, only new phones optimized for Nougat will have access to this feature.
Google also says it removed the annoying "app optimization" step of the Android upgrade process, so Nougat devices won't be useless for 10 minutes or more after a new OS patch is applied, while apps optimize for the changes.
Android Nougat 7.0 corporate-security enhancements
Google didn't provide as many specifics about the IT security features in Nougat, but it did offer a glimpse of some of the most interesting improvements.
1. Nougat's 'always-on VPN'
An enhanced "always-on VPN" feature lets IT force certain business apps to use a VPN to connect to the web. If a VPN isn't available or can't connect, the apps won't work or share any data.
2. Android 'work security challenge'
A "work security challenge" feature lets IT set separate, complex passcodes on users' devices to protect specific work data, using Android profiles, while users can employ simpler PINs or codes to access their personal data. IT can set lock restrictions for specific apps, and admins can choose to use different-looking login screens so users visually know when they log into corporate services.
3. 'Work mode' in Nougat
A new "work mode" icon in the Android Nougat dropdown menu, which looks like a briefcase, lets users disable all work-related apps after hours or when they don't want to be distracted.
4. Nougat phone and dialer tweaks
The Android 7.0 Nougat dialer component further integrates with corporate systems and directories, according to Google, and users can search both work and personal contact lists from one place. If a business user receives a call from someone in their work directory, their caller ID can be set by admins to notify them that the call is likely work-related. Call logs can be separated into business and personal lists. And other UX modifications aim to make it clear when calls or contacts are personal or work-related.
Google also said many of the work-versus-personal changes are meant to serve as a "foundation for a second phone line for business" in addition to a personal line on a single device. In fact, APIs already exist that enable certain VoIP apps to create separate phone lines within a single dialer in Android Nougat, according to Google.
5. QR code provisioning in Nougat
A new Nougat feature lets IT admins provision devices that don't support the NFC "Android bump" feature, using a QR code.
6. New remote bug reports and process logging
Enhancements to Android's remote diagnostic tools in Nougat give admins more options to request remote bug reports, though in many cases, users must approve the requests for access to potentially sensitive information.
Google said it will provide additional details on Android 7.0 Nougat and Android for Work when the new mobile OS is released in the coming weeks.