Google Plans Hardening Firmware to Increase Android Ecosystem Security

Google is taking steps to strengthen the security of the Android ecosystem by reinforcing firmware, the digital cornerstone of many modern devices.

The Android operating system (Android OS) runs on a multi-core CPU, commonly referred to as an Application Processor (AP).

Although of critical importance, the AP is far from the only System on Chip (SoC) processor. Some SoC processors have more specialized roles, such as multimedia processing, ensuring the device’s security, and relaying cellular communications.

Firmware is the sum of all the software components that run on these secondary System on Chip (SoC) processors. Lately, security experts have shifted their focus toward less-visible software components, and Google seems to be on the same track.

“Over the last decade there have been numerous publications, talks, Pwn2Own contest winners, and CVEs targeting exploitation of vulnerabilities in firmware running in these secondary processors,” reads Google’s announcement. “Bugs remotely exploitable over the air (eg. WiFi and cellular baseband bugs) are of particular concern and, therefore, are popular within the security research community.”

The company says it’s building on top of previous achievements, such as strengthening Android’s AP by enabling compiler-based mitigations. These strategies aim to make it “harder to build reproducible exploits,” while preventing “certain types of bugs from becoming vulnerabilities.”

Google mentioned it’s collaborating with Android ecosystem partners to improve the security of Android firmware, focusing on relevant protection mechanisms, including:

• Compiler-based sanitizer (IntSan, BoundSan) exploration and activation; these components can detect memory safety flaws during code compilation
• Exploit mitigation mechanisms, including Control Flow Integrity (CFI), Kernel Control Flow Integrity (kCFI), ShadowCallStack and Stack Canaries
• Enabling memory safety features such as Auto-initialize Memory in firmware to prevent critical errors

The company recognizes that enabling exploit mitigation mechanisms on Android devices could impact their performance, but it highlights the importance of optimization. The goal, it says, is to “maximize impact — harden the most exposed attack surface — while minimizing any performance/stability impact.”

Google is on an arduous journey to boost the security of the Android platform. Recently, the company announced that its highly anticipated Android 14 operating system would boast a line-up of novel malware-blocking technologies.