Mobile operating systems are significantly safer than their desktop counterparts were in the past, thanks to an increasing focus on security and a more restrictive approach to what apps can do. In fact, Android has become so hard to crack that security researchers are often not even trying to attack the OS itself anymore. Google says that they’re instead focusing on a phone’s firmware — the software that runs on the “bare metal” within individual chips and controllers on an SoC. That’s where some new efforts come in that the company announced this week.

In a blog post, Google explains that it’s working with ecosystem partners to harden the security of firmware that interacts with Android. The company points to compiler-based sanitizers like BoundSan and IntSan, along with other exploit mitigations. It also wants to add more memory safety features to firmware, such as automatic memory initialization.
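To make those three mitigations concrete, here is an added example (not from Google's post or any vendor's firmware) that writes by hand the kind of checks a bounds sanitizer, an integer-overflow sanitizer and automatic initialization supply. The message layout, `SLOT_COUNT`, `parse_msg` and `try_msg` are hypothetical, and the real sanitizers abort on a violation rather than returning an error code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_COUNT 8u   /* hypothetical handler-table size */
#define HDR_LEN    9u   /* constructed layout: slot(1) count(4 LE) elem_size(4 LE) */

enum status { MSG_OK, MSG_TRUNCATED, MSG_BAD_SLOT, MSG_LEN_OVERFLOW };
struct record { uint8_t slot; uint32_t total; uint8_t preview[4]; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

enum status parse_msg(const uint8_t *msg, size_t len, struct record *out)
{
    /* Auto-initialization, done by hand: no stale bytes survive an early return. */
    memset(out, 0, sizeof *out);
    if (len < HDR_LEN) return MSG_TRUNCATED;

    uint8_t slot = msg[0];
    uint32_t count = le32(msg + 1), elem = le32(msg + 5);

    /* BoundSan-style check: the index must be inside the fixed-size table. */
    if (slot >= SLOT_COUNT) return MSG_BAD_SLOT;
    /* IntSan-style check: count * elem must not wrap around in 32 bits. */
    if (elem != 0 && count > UINT32_MAX / elem) return MSG_LEN_OVERFLOW;
    uint32_t total = count * elem;
    /* The claimed length must fit in what was actually received. */
    if (total > len - HDR_LEN) return MSG_TRUNCATED;

    out->slot = slot;
    out->total = total;
    memcpy(out->preview, msg + HDR_LEN, total < 4 ? total : 4);
    return MSG_OK;
}

/* Builds a constructed message with a 4-byte payload and returns the parse status. */
enum status try_msg(uint8_t slot, uint32_t count, uint32_t elem, struct record *out)
{
    uint8_t m[HDR_LEN + 4] = { slot, 0, 0, 0, 0, 0, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD };
    for (int i = 0; i < 4; i++) {
        m[1 + i] = (uint8_t)(count >> (8 * i));
        m[5 + i] = (uint8_t)(elem >> (8 * i));
    }
    return parse_msg(m, sizeof m, out);
}
```

With `count` and `elem_size` both set to 0x10000 the product wraps to zero, so without the overflow check the final length test would pass a message whose claimed size is 4 GiB.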

The problem with firmware hardening, as Google explains, is that it needs to strike the right balance so that it doesn’t cost too much performance. Since firmware often works with significantly less memory and processing power than the Application Processor that hosts Android, security fixes can significantly increase memory usage and decrease performance. We’ve seen something like that in the wild with Intel’s 2018 Meltdown and Spectre vulnerabilities on desktop computers, which could only be fixed with major processor performance impacts. Google is focusing on the most exposed attack surfaces like cellular baseband and Wi-Fi chips, which are easily attacked without physical access to the device.

The other area Google is focusing on to create a safer environment is memory safety. The company has rewritten big chunks of Android 13 in Rust, a memory-safe programming language designed to rule out whole classes of memory-corruption bugs, and it wants to keep at it with future versions of Android. As discovered by Mishaal Rahman writing for XDA, further changes to memory safety might be coming with Android 14.

Google further reiterates that it updated its Vulnerability Rewards Program’s severity guidelines with the launch of Android 13, putting more emphasis on remotely exploitable bugs. The company hopes that this will lead to more contributions from third-party researchers in these areas.

You might never notice all these enhancements in everyday usage, and that’s a good thing. As long as security measures work as intended, you shouldn’t notice any performance hits or security problems when you use your favorite Android phone.