With 2.5 billion users worldwide, Google has a responsibility to make its Android operating system as secure as possible. But the company has at times struggled to adequately vet apps in the Google Play Store, allowing malicious programs through that thousands or millions of users go on to download. With Google’s release of the Android 11 Beta on Wednesday, though, the company is taking steps to make it more difficult for rogue apps to grab your data, even when they do slip by.
Google has worked for years to incrementally tighten Android security under the hood. And the release of Android 11 is particularly focused on expanding privacy improvements, to give you more control over what your apps can access, and on providing more ways to distribute software updates across Android’s fragmented and disjointed device population.
Android 10 addressed some of this as well, requiring that app developers request permissions and then reaffirm user choices more often. Android 11 adds a feature that allows developers to request one-time permissions for things like the microphone, camera, or location as an alternative to all or nothing. You can share your location with a friend through a chat app once, for example, without granting indefinite location access or having to remember to wade back into settings to revoke the permission later.
“We can see that people are actually leveraging these features from Android 10 and thinking about their choices when they’re giving apps access to permissions,” says Charmaine D’Silva, an Android product manager who works on privacy. “So building on that this time, we’ve added even more controls.”
Android 11 will also rein in apps that you don’t use very often, automatically revoking an app’s permissions if you don’t open it for a still undetermined period of time. If you start using the app again, you can always reinstate its access, but the permission won’t be lurking forgotten. Google plans to experiment with different cutoffs after 60 to 90 days, with the goal of eliminating stray permissions without breaking functionality.
“We’ve seen in our data that people have a lot of apps on their devices that they may have used a couple of times and then forgot about,” D’Silva says. “They don’t uninstall it because they don’t have a need to, but the app still has permissions associated with it. So this new feature is a permissions auto-reset—sort of a hygiene check.”
Beginning with apps that debut after Android 11, the permission auto-reset feature will be on by default and something for developers to factor into their plans. Existing apps for Android 10 and below won’t have the feature on by default, but users will still be able to toggle a control to turn it on. Google says that eventually it wants to turn permission auto-reset on by default for almost every app, but the company wants to ease it in so the change doesn’t inadvertently break functionality for older apps.
Android 11 will also see an expansion of Google’s Project Mainline program, which uses Google Play Services to “mainline” software updates like critical security patches directly to users’ devices rather than having to wait for each individual manufacturer to tailor an update for their devices. Android’s decentralized, adaptable nature is one of its core and beloved attributes. But it has limited Google’s ability to centrally distribute important updates.
Project Mainline works by conceptually breaking the Android operating system into chunks and creating the infrastructure for each of those chunks to be updated through the Google Play Store. In Android 10, Google debuted 10 of these modules that could receive updates. Android 11 will add 12 more, including a permissions module, and one for Android’s Scoped Storage feature, which is becoming mandatory in Android 11 and limits the “scope” or extent of what data apps can access on a user’s device.
“On the surface, Project Mainline could appear mundane,” says Stephan Somogyi, product lead for Android platform security. “But the fact is, our ability to do that validates years’ worth of architectural contemplation. Mainline and our plumbing of Mainline is actually a big win.”
Somogyi says that Android’s stats on uptake of security patches in the previous 90 days are on a steady upward curve. There are now almost 1,000 Android device models that get security updates once a month or at least once a quarter. And those devices now make up about 90 percent of the total Android population.
Given that one of Apple’s biggest strengths for years with iOS has been centralized updates and widespread adoption of new releases, it’s certainly easy to feel that Project Mainline is coming far too late. But if the feature is a way for Android to balance its free and open source roots with better access to much needed protective updates, it could be a game changer for overall Android security.
Google’s Android Betas are open for anyone to try; you can access the Android 11 release here. Just keep in mind that betas aren’t the stable final release and could have bugs or cause problems. If you’re comfortable waiting a few months, the security and privacy improvements of Android 11 will officially debut in September.
Corrected June 10, 2020 at 4:30pm ET: This story originally misstated that the contact tracing update Google pushed in response to the Covid-19 pandemic came through Mainline, which is formally called Google Play System Updates. It was actually distributed through Google Mobile Services.