Android Nougat Won't Boot If Your Phone's Software Is Corrupt Or Has Malware

An anonymous reader shares a report on Android Authority: In a bid to increase the security of the Android operating system, Google has introduced a new check for malware as part of the boot process in all Android devices. Until Marshmallow, Android devices ran the check as part of the boot process and in Marshmallow, the phone would warn you that it was compromised but would continue to let the phone boot up. In Nougat however, Google is taking this security check to the next level. On the Android Developer's blog, the company explains that Android Nougat strictly enforces that boot check, giving you far more than a warning. The good news is that if your phone is infected with types of malware, it will refuse to boot or will boot in a limited capacity mode (presumably akin to safe mode). The bad news however, is that some non-malicious corruption of data could also mean that your phone will refuse to boot up. Considering that corrupted data may not always be malicious -- even a single-byte error could cause your phone to refuse to boot up -- Android Nougat brings additional code to guard against corruption.

Liability

Has anyone at Google thought about the deaths that this might cause? If I need to dial 911 because I just severed my foot, I don't care about my phone having malware. I need to dial.

Re:Liability

[maorb]

Then hope that they decide to implement there limited-capacity safe-mode feature rather than completely refusing to boot the phone. If they do that then you won't have a problem dialing in the first place.

Also, how likely is it that you sever your foot in between the time that you find out that your phone won't turn on and you get your phone fixed. I doubt that you're only just now attempting to turning your phone on after severing your foot, so it's not like your phone will fail suddenly and unexpectedly as you're desperately trying to make a life-saving call before you bleed out.

Re:Liability

easy - download some material for week long backpacking trip - shutdown phone for battery life - sever foot doing *whatever* - bleed out because Google are dicks.

Re:Liability

[EvilSS]

If it's like most phones you'll bleed out waiting on it to boot up anyway.

Re:Liability

[JackieBrown]

I know people (my old in-laws for example) that only turned on their cell phone when they needed to make a call. After that, they turned it back off to save the battery. It was damn annoying since it made the phone only useful for them.

But they are an example of not knowing their phone wouldn't boot until they needed it.

Re:Liability

[Cro+Magnon]

Maybe I'm on my way to the store to get the phone fixed when I sever my foot!

Re:Liability

[Registered+Coward+v2]

Then hope that they decide to implement there limited-capacity safe-mode feature rather than completely refusing to boot the phone. If they do that then you won't have a problem dialing in the first place.

I would think that thy would still allow 911 calling and possibly other numbers as well. They could even boot into a special phone only OS that is sandboxed from all the apps et on the normal OS so at minimum you have a working phone. Of course, you won't be able to do a minute by minute twitter feed of you bleeding out...

Re:Liability

[Obfuscant]

It was damn annoying since it made the phone only useful for them.

Unless you were paying for your in-law's phone, I bet they didn't care that it wasn't useful for you. Why should they? I know I don't pay that much money to make other people's lives more convenient. They can pay for their own phones.

Re:Liability

[lister+king+of+smeg]

That's the only way to use a cellphone. They can be very convenient, but if you leave them on and not muted, it allows people to annoy you with calls at inappropriate times. Kids who have grown up always-connected may be fine with that, but many of us don't want to be reachable 24/7.

Or put it on vibrate. It is loud enough I can notice it ring when setting on the (counter || end table || desk || what have you), but quiet enough I can ignore it and go back to (reading || sleeping || gaming || fishing || not giving a f*ck) if its not my wife or a work emergency.

Re:Liability

[JustAnotherOldGuy]

It was damn annoying since it made the phone only useful for them

Yeah, it's so damn annoying when other people live their lives the way they want to and don't make themselves available to you on a whim, 24/7.

Seriously, who should the phone be useful to if not them? You sound outraged that they're doing what they want, the way they want.

Re:Liability

[JustAnotherOldGuy]

Unless you were paying for your in-law's phone, I bet they didn't care that it wasn't useful for you. Why should they?

Exactly. They bought the phone for themselves, not for other people, and certainly not for other people to tell them how they should use it.

Re:Liability

[Hylandr]

A more likely scenario would be a car accident in a remote location or breaking down in the desert with no water, stuck on a mountain in freezing weather. Can't call for help if the phone won't boot.

This could be costly in lives lost.

Re:Liability

[JackieBrown]

It was damn annoying since it made the phone only useful for them

Yeah, it's so damn annoying when other people live their lives the way they want to and don't make themselves available to you on a whim, 24/7.

Seriously, who should the phone be useful to if not them? You sound outraged that they're doing what they want, the way they want.

It was more that they expected us to answer our cell phones when they needed us but left their phones off so they couldn't be reached if they were needed.

Outrage is a bit strong especially and it helped me make the case that my wife's parents where just users of us and made it easier for me to have her eventually drop them from our lives.

Re:Liability

[JackieBrown]

As I posted below, it helped us weed them out of our lives.

When my wife died, it made it easy for me to justify to myself that it was ok to leave that info as a voicemail for them which was helpful since so much was going on by then and it was hard to stay focused on anything

Re:Liability

[Obfuscant]

As I posted below, it helped us weed them out of our lives.

No, it was a convenient excuse for "weed[ing] them out", but I doubt they bought the phone for that reason.

You couldn't have called them on their landline phone, of course.

Re:Liability

[Obfuscant]

It was more that they expected us to answer our cell phones when they needed us

Because you are using your phone as a way for everyone to contact you. Pity they expected you to use the phone in the way you were trying to use it.

but left their phones off so they couldn't be reached if they were needed.

Previously you told us they left it off to conserve battery. Which is it? They were deliberately trying to duck your calls, or they wanted the phone to be usable when they needed it, without having to worry about charging it every day?

If they're turning the mobile off, then it's a pretty good bet they have a landline that they expect people to call them on. Just guessing. That's how I expect people to contact me. And that's how my mother used to use her cell phone. It was there for HER to make calls when in need, and people who wanted to talk to her called the POTS line with the answering machine. I don't recall anyone being pissed that she was trying to duck their calls because the cell was for her convenience and not theirs. I certainly didn't care that I couldn't call her wherever she was at any moment of the day or night. I was much happier that she had a phone that she could forget to hook up to a charger every time she got home and forget to pick up on the way out the door when she left, instead leaving it in her purse for emergencies.

and it helped me make the case that my wife's parents where just users of us

You wanted to prove the result, and thus assumed the motives that would make you a winner of that argument.

Re:Liability

[JackieBrown]

OK. I'm not conveying myself correctly.

This was one of many things they did. The phone was part of many things (the way they treated the kids, my wife, etc. When my son died due to birth defects, my father in law said that on the plus side, I no longer had a defective kid. When my wife had her stroke, they told my daughter it was her fault for getting bad grades.) The phone was mentioned solo because the rest wasn't relevant

Re:Liability

[Obfuscant]

Yes, "my in-laws turned their cellphone off to save battery" is a bit different than "they turned their cellphone off because they were axe murderers." It sounds like it shouldn't have been annoying at all to you that they were unreachable; it was a Good Thing.

Re:Liability

[slimjim8094]

Considering you can dial 911 without even decrypting the flash or having a SIM card (just press the 'emergency' button), I'd say a relatively minor thing like "unverifiable image" won't have any effect.

Re:Liability

[Cochonou]

You can still call a landline.

Re:Liability

[TemporalBeing]

Has anyone at Google thought about the deaths that this might cause? If I need to dial 911 because I just severed my foot, I don't care about my phone having malware. I need to dial.

With as long as it takes most smart phones (including iOS) to boot, you'd bleed out before being able to call any way.

If it doesn't boot..

[DeVoh]

Then how do you fix it and remove the Malware/corruption?

Re:If it doesn't boot..

[myowntrueself]

Then how do you fix it and remove the Malware/corruption?

Maybe:
fastboot flash system system.img

I'm wondering what effect this will have on people building their own ROM!

Re:If it doesn't boot..

[Chalnoth]

Unless the most basic boot functionality is compromised, you could probably still boot into the FastBoot mode and re-flash the device image from there. This may have to be done by an OEM if it's a locked device.

Fixed it for you

[140Mandak262Jamuna]

Android Nougat Won't Boot If Your Phone's Software Is Corrupt Or Has Malware unapproved by google

Re:Fixed it for you

[swillden]

Android Nougat Won't Boot If Your Phone's Software Is Corrupt Or Has Malware unapproved by the device OEM

FTFY.

It's the device OEM's signature that's verified so it doesn't matter what Google thinks, unless it's a Nexus device. If it is a Nexus device you can unlock it and install whatever you like, of course. And you can even sign your own custom images. The bootloader will verify the signature and display the key fingerprint on the warning screen, so you can make sure that (a) the image is what was signed and (b) you are the one that signed it. If the verification of your self-signed image fails, the device won't boot.

Re: Fixed it for you

[fermion]

Which is what I was thinking. A warning with an offer to help is great. Disabling the phone because a user installed unauthorized software is bad. Apple approves all software which is wall garden which is where Google is heading, but in not so great a way

This sounds like a Catch-22

[CAOgdin]

If your phone won't boot, how will you get rid of the malware without losing all your data???

Re:This sounds like a Catch-22

[t8z5h3]

there should not be a way, at boot level that is effectively a root kit at that point google can't truest you or your phone so it must be wiped from a outside known good source i guess.

Re:This sounds like a Catch-22

[amRadioHed]

The phone can still boot into a limited recovery mode, just not a normal boot.

Re:This sounds like a Catch-22

Take it to the Google Store, head to the Google Bar, and hand it over to the Google Brainiacs for 3-5 business days.

Re:This sounds like a Catch-22

[ilsaloving]

it will refuse to boot or will boot in a limited capacity mode (presumably akin to safe mode)

It's right there in the summary... underlined no less.

I'm more concerned about the fact that I may not be able to replace the stock android with a custom firmware. Thanks to all the crapware that manufacturers insist on pre-installing on most handsets, and their refusal to provide updates, you're basically forced to use a custom firmware just to have a usable phone.

Yes, I know you could always just stick with a Nexus branded device, but then you'd miss out on potentially interesting innovations provided by another manufacturer.

Google should never have permitted the android ecosystem to become a dichotomy of "You can get updates, or you can get a cool device, but not both."

Re:This sounds like a Catch-22

[Calydor]

Like from orbit.

With a nuke.

It's the only way to be sure.

Re:This sounds like a Catch-22

[EmeraldBot]

it will refuse to boot or will boot in a limited capacity mode (presumably akin to safe mode)

It's right there in the summary... underlined no less.

I'm more concerned about the fact that I may not be able to replace the stock android with a custom firmware. Thanks to all the crapware that manufacturers insist on pre-installing on most handsets, and their refusal to provide updates, you're basically forced to use a custom firmware just to have a usable phone.

Yes, I know you could always just stick with a Nexus branded device, but then you'd miss out on potentially interesting innovations provided by another manufacturer.

Google should never have permitted the android ecosystem to become a dichotomy of "You can get updates, or you can get a cool device, but not both."

Err, you already can't replace stock Android with a custom firmware if the manufacturer doesn't support it. For example, I have an Asus Memopad, and because Asus doesn't allow it to be unlocked I can't reflash the OS. One of the only downsides to it :/

Though honestly, the bloat ware is actually sometimes useful for once, and that is a nice change of pace.

Re:This sounds like a Catch-22

[ilsaloving]

Fair point. My post assumes that have the ability to root the device in the first place.

S'why I gave up on android and went to Apple. If my choices are all companies that are going to treat me like an abusive control-freak boyfriend who teabags my wallet just for fun, then I may as well pick the ones that uses a condom while screwing me.

Re:This sounds like a Catch-22

[Miamicanes]

Well, actually, in quite a few cases, you CAN replace stock Android with custom firmware regardless of whether or not the manufacturer wants to allow it. As a practical matter, though, those devices usually end up with dysfunctional custom ROMs that can't run newer versions of Android (because Linux intentionally sucks at dealing with binary kernel modules... a policy that mostly worked as intended to keep Linux open on x86 and AMD64 architectures, but has been a complete consumer DISASTER within the Android realm).

The sad irony is, Windows Mobile 6 (back in 2007) was almost as "open" (in the sense of being able to extend it in ways neither envisioned nor blessed by Microsoft or the phone's manufacturer) as Android is in 2016. Obviously, you couldn't build Windows Mobile 6 from scratch... but fuck, you can't even independently build a copy of the NEXUS GODDAMN 6P's ROM from source. You can build your own AOSP-derived approximation of it, of course... but you'll never be able to independently build your own ROM image that's ultimately identical to Huawei's (and use its source as the starting point for later modifications & improvements).

Ten years ago, Windows Mobile users at XDA-developers.com ripped files from newer phones and used the .dll files to upgrade older phones to newer versions of Windows Mobile. Today, with Android phones, we're STILL stuck doing more or less the same thing. AOSP has been seriously eroded away by Google over the past few years compared to its golden age (the Galaxy S3... probably the most thoroughly reflashed and extended phone in Android history). Sure, you can build a ROM "for Android" -- but 95% of the things most people regard AS fundamental characteristics of Android (Google Play, Google Maps, and everything that depends upon them to run) are as closed and binary now as Windows Mobile EVER was.

IMHO, the single biggest fuckup Microsoft made with Windows (Phone) was insisting upon locking it down. It didn't win them a single iPhone customer, and antagonized millions of disillusioned Android owners who are only still with Android because it's the least-evil option we have left. Had Windows (Phone) been at least as open (both as an operating system, and for running "unapproved" software) as Windows Mobile 6 was, I'd argue that several million people who currently have Android phones would have jumped ship and tried Windows (especially if Microsoft quietly made sure there was a fully-working distro comparable to Cyanogenmod that could be flashed to it if the user changed his mind, making the phone's purchase a nearly risk-free experiment). Instead, Microsoft managed to create a phone OS that combined the worst limitations of both competitors & nothing to mitigate them.

Re:This sounds like a Catch-22

[eionmac]

Help! What is meaning of "teabags my wallet just for fun,". I am only a UK person with very limited USA dialect.

Re:This sounds like a Catch-22

[ilsaloving]

Google the term "teabagging"

Just be prepared to quickly close your browser window again.

How... useful.

They could be, you know, preventing the malware to get in in the first place, something they're reasonably well positioned for. That would welp ensure that you have a working device. Instead they're finding excuses to burn down your phone, leaving you bereft of service. This is not good service, google.

So we're back to the sad reality that if you want to have both your phone and the smarts it's sporting these days, you need two phones. One for function, and one for fancy shmancy smarts.

Re:How... useful.

[cdrudge]

Or even better, how about they do both? Try to close up any holes, bugs, or other vectors that malware may attack from. But also have protection in place for when a vulnerability is discovered, because one will. And when it does, be alerted to it and take appropriate measures before you continue to use a compromised phone.

This isn't the whole story

[LichtSpektren]

TFS is rather concerning but it seems to be conjecture and interpretation of a dev's blog. Presumably (well, I hope at least) there will be some documentation about what the procedure is for turning off the boot-lock or what ever.

Re:This isn't the whole story

[amRadioHed]

My understanding is that this only applies to locked bootloaders. Unlocked devices can still run whatever code you want.

DoS by design

[Henriok]

This sounds like an excellent complementary feature for malware to trigger for a DoS attack.

Re:DoS by design

[swillden]

This sounds like an excellent complementary feature for malware to trigger for a DoS attack.

If malware can mount the system partition as writable (which is far from trivial) so that it can write changes to the image, it can do much worse than a DoS attack. In particular, it can permanently pwn your device, which would be far more interesting to a malware author than maliciously bricking it.

Re:DoS by design

[swillden]

is there a reason you didn't type own like an adult?

Because "own" and "pwn" are different words, with different meanings. An attacker doesn't not gain ownership of your device in any legal sense or even most practical senses of the word. But the attacker does obtain control over the software running on it, and can use that to influence you in various ways and potentially extend that control to other devices. "Pwn" encapsulates those meanings, "own" does not. Yes, "pwn" started as a silly 733t-speak in-joke, but it has become a term of art in much of the security community (FYI, it's pronounced "pone").

Re:DoS by design

[Cochonou]

I would have never thought that the security community formally used the word pwn. I will have learned something today. Still, it looks like to me totally unnecessary to use pwn instead of own: words have different meanings in different contexts, and nobody would have understood "own" as "gaining ownership of the device in the legal sense" in your previous sentence.

Re:DoS by design

[GuB-42]

Formally, I don't think so, but pwn is clearly used by the security community.
A good example is the pwn2own competition where you need to "pwn" the system to "own" the prize.

AI

[110010001000]

Wow, this is like AI. I'll bet this is powered by a Deep Neural Net using Deep Learning.

when ?

[invictusvoyd]

Three of the most important industries of mankind will never be open

1 . Pharma
2. Petrochemicals & energy
3. Telecom

Re:when ?

[ArmoredDragon]

You forgot Agriculture w/ GMO foods

Interesting theory considering the nucleotide sequences are right there for anybody to look at.

Re:when ?

[Falos]

Half the garbage that goes through the patent office is shit we have and can look at.

Imaginary Property is, non-figuratively, the adult version of calling dibs.

Time to redefine "malware"

[fustakrakich]

This is not the way to do it. Give us a "safe mode" if you please, so we still have a phone.

Re:Time to redefine "malware"

[fustakrakich]

The print is too small...

How to make a Linux based system...

[Torp]

... be as unreliable as Windows.
Good job, Google.

911

[Dorianny]

As a primary communications device, instability in a cell-phone operating system is not a mere nuisance and frustration but can cost people dearly if not available for contacting Emergency Services when needed. A fail safe mode that instructs people to restore to a clean image or have the device checked out is what Apple's IOS has been doing all along and In my belief it is a big part of why Apple's IOS is perceived to be a more stable OS then Android

Re:911

[t8z5h3]

ios was always going to be more stable because it is tightly controlled to the point of not letting anything go with crash bugs.

Re:911

[I4ko]

Funny you should say that. Of all the 18 years of owning and using mobile phone devices, with no other then android have I ever experienced something in the lines of "Phone application crashed, device will reboot" and proceed to do so while the call is 2way connected and voice is exchanged. After the 4th such message I never bough an android based device again. It is broken by design, always has been.

Re:911

[I4ko]

This too. A mobile phone can be a preferred but not a primary communication device. It is a secondary device to a wired analog phone line (POTS)

Re:911

Never seen this happen. So as always, correlation does not equal causation. Stop spreading FUD.

Re:911

[Miamicanes]

The really fucked up and sad thing is, when Samsung developed Knox, they bent over backwards to ensure that its security didn't depend upon the user having never rooted or reflashed the phone. It had an immutable stage-one bootloader that could ALWAYS be used to boot into a secure & known state from which the second stage of the bootloader could be reflashed, then used to restore the phone to its virgin & secure state.

They ended up disabling it in favor of one-time bootloader fuses, because big corporate clients point-blank refused to adopt Knox unless it permanently exiled rooted and reflashed phones to eternal exile. I participated in calls with Samsung about it, and ended up having HUGE arguments with my own coworkers trying to convince them that Samsung was right. I tried to explain how ARM TrustZone worked, and how Samsung used it to make the stage-1 bootloader absolutely bulletproof. In the end, irrational fear prevailed over logic and design. A feature that could have been used for good ended up being used to cripple the phones of anyone who tried to chainload a better build of Android. RIP.

Making matters worse, Samsung and other manufacturers went a step further with the next generation of phones, and started designing them to be dysfunctional (at least, as far as their wireless functionality was concerned) if the user attempted to treat the locked-down Android as a de-facto bootloader & use it to chainload their own Android ROM (basically, shutting down all the kernel services, killing off all the system threads besides one, then launching the new Android from that final thread). It was never about security, but about asserting control over end users and limiting what they could do. I'm convinced that Samsung tried to do the right thing, but when the largest mobile operator in America (Verizon) threatens to quit allowing its customers to use your phones, it's hard to fight back. Then AT&T joined the lockdown party, knowing that even though they're technically a GSM network, forcing Samsung to lock down its devices would ultimately cause Sprint & T-Mobile devices to end up locked down too, because at that point it would cost more for Samsung to maintain unlocked phones than T-Mobile would have been willing to single-handedly subsidize (Sprint was ambivalently neutral... it didn't care either way, but absolutely wouldn't have paid a premium to maintain a feature they were unenthusiastic about anyway).

The Galaxy Note 4 is a perfect example of why the impact of carrier evil extends beyond the users of the evil carrier itself. The T-Mobile version had an unlocked bootloader. And ultimately, had maybe a half-dozen useful ROM distros for it that ever progressed beyond the "unstable experiment" stage. Why? The number of users capable of RUNNING those ROMs had diminished to a tiny subset of T-Mobile customers. Back when Sprint and AT&T phones were locked with the equivalent of a skeleton key hidden under the doormat (and Verizon's bootloader could be sidestepped via chainloading), there was a large, thriving developer community that took advantage of the fact that the Galaxy S3 was basically the same hardware on every network in America (even the CDMA ones). With the Note 4, that same community was eviscerated & almost completely dried up.

Re:911

[JohnFen]

Knox is a plague.

Re:Emergencies?

You mean after trying to evade arrest and waving a knife/gun/axe around? Or just when you get into an armed fight with a cop and lose? Or you decide to run at a cop, even though there's a gun pointing at you and you've been told to stop? Or you've just shot a cop and don't like bullets traveling in the opposite direction? Or you decided on assisted suicide, but didn't tell the cop he was assisting? Or you don't behave aggressively, comply with any lawful requests the officer makes, but still get shot? Because that last one happens all the time!

For varying definitions of malware...

[Opportunist]

Like, say, custom firmware that the manufacturer of the phone doesn't want you to install so you can't get rid of the shovelware he got paid to dump onto it and that you cannot deinstall?

Googles approach to malware

[drewsup]

Nuke it from orbit, its the only way to be sure....

Read TFA... not bricked

[jlv]

Ignoring the implied hype in TFA, they quote the original blog post:
"This means that a device with a corrupt boot image or verified partition will not boot
or
will boot in a limited capacity with user consent."
(line breaks added for clarity).

Re:Read TFA... not bricked

[sjames]

One wonders if that limited capacity includes the ability to make a phone call.

Re:Read TFA... not bricked

[cdsparrow]

I'm sure it will probably boot to a failsafe kernel and a limited interface similar to extreme power saving mode or something. You'll likely have phone and text but not much else til you reflash the system and bootloader parts. Shouldn't lose any data saved unless this breaks encryption or something, but I believe that is tied to hardware now, so probably wouldn't.

Re:Read TFA... not bricked

[sjames]

Not in evidence.

Eventually

[110010001000]

Eventually what will happen is your device will not boot if it detects "unapproved" code. That is coming.

Re:Eventually

[drinkypoo]

Eventually what will happen is your device will not boot if it detects "unapproved" code. That is coming.

Phones exist with and without unlocked bootloaders. You can expect that to continue for the immediate future, at least.

Error in article/summary

[swillden]

It's not true that a single byte error will cause verification to fail. Nougat also adds forward error correction (Reed-Solomon coding) to the image structure, so very, very few random errors can cause enough corruption to be unrecoverable and cause verification to fail. It's not impossible that this will happen, indeed given that there are billions of Android devices it probably *will* happen, once or twice. But it will be well below the threshold of other sorts of low-probability catastrophic hardware failures.

Re:Error in article/summary

[Chalnoth]

Also described in the blog post, the particular error correction method they use means that they can recover from up to 16-24MB of consecutive corrupted memory.

why not do this

[FudRucker]

if there is malware in it, make it so the android device boots up in safe mode, it only connects to a google server and installs a malware/virus cleaner app and runs it to wipe out all the malware & etc. then reboots your device and reconnects to google to confirm it is clean

Re:why not do this

[JackieBrown]

Would it connect to Google or Samsung/Moto/HTC, etc?

Re:why not do this

[JohnFen]

Because it assumes two things: that its malware identification never makes a mistake, and that the phone is allowed to talk to Google's servers. The former is obviously untrue, and the latter is not always true.

This is an incredibly intrusive move on Google's part. They should provide a means to disable it.

Re:why not do this

[swillden]

This is an incredibly intrusive move on Google's part. They should provide a means to disable it.

In what way is it intrusive? All it does is verify that your boot and system image are unmodified... and there's no reason they should ever be modified in a normal device. Now, if you want to get a device with an unlockable bootloader and install different software, that's perfectly fine, and Google supports you in doing it. In fact, in that case you can even sign your own boot and system images and the verified boot system will ensure that *those* aren't modified, that they're exactly what you signed.

Now, this is likely to create problems for people who buy devices that aren't intended to be unlocked, and who have in the past been able to break the OEMs crappy lockdown. That era is ending anyway, though, and I don't think Google's move is significantly accelerating it. And for the vast majority of users it's more important to be able to have certainty that the device they bought on ebay isn't modified in some malicious way.

Re:why not do this

[JohnFen]

Automatically preventing the device from booting is incredibly intrusive. I find that objectionable out of the gate -- a warning would be much preferable.

However, if Google is really allowing us to use unlocked devices and modify it without getting in our way, then my objection is removed.

Re:why not do this

[swillden]

Automatically preventing the device from booting is incredibly intrusive. I find that objectionable out of the gate -- a warning would be much preferable.

A warning is what we've had for several years now, and it's proven to be inadequate. People purchasing used devices just ignore it because they don't understand it. Supporting the tiny minority who use custom ROMs is good, but supporting the large majority who do not is essential.

However, if Google is really allowing us to use unlocked devices and modify it without getting in our way, then my objection is removed.

Google encourages OEMs to make bootloaders unlockable. Most don't, though, so be careful what you buy. Nexus devices have unlockable bootloaders.

Re:why not do this

[JohnFen]

A warning is what we've had for several years now, and it's proven to be inadequate.

I understand this. What I was saying is that there should be a way to disable the new behavior (perhaps a setting in the Developer Options, where ordinary users would never see it) for those who don't need such a muscular approach. But I'm just talking theoreticals now. If the new method really doesn't get in the way, all this is moot.

Google encourages OEMs to make bootloaders unlockable. Most don't, though, so be careful what you buy. Nexus devices have unlockable bootloaders.

Yes, that's been an issue for a long time, and I'm guessing most of us who care already select devices based on that criteria. At least I do. I won't buy a device that I can't do that with. I even once mistakenly bought a Galaxy from AT&T that was so new that no crack to unlock the bootloader existed yet, and brought it back to the AT&T store and exchanged it for an older Galaxy and told them why. The salesperson indicated that I wasn't the first to do that.

Re:why not do this

[swillden]

A warning is what we've had for several years now, and it's proven to be inadequate.

I understand this. What I was saying is that there should be a way to disable the new behavior (perhaps a setting in the Developer Options, where ordinary users would never see it) for those who don't need such a muscular approach.

The problem with that approach is that someone selling/giving you a pre-compromised phone would just flip that switch before they give it to you. If you're not going to be bothered by a big warning during bootup, you're definitely not the sort who will dig through the settings and find that problem... or factory reset the device to reset all of the switches.

If the new method really doesn't get in the way, all this is moot.

I think that's the case.

It won't be long....

[DidgetMaster]

...until just about any OS won't boot unless it is only running approved software (i.e. the software company has paid a big fat fee) or the user has turned off any features (telemetry, spyware by the OS vendor, ad blockers, etc.) that the manufacturer wants to force you to use. It'll be like those DVDs you BUY but won't let you skip over the ads at the front of the movie.

Re:It won't be long....

[JohnFen]

It'll be like those DVDs you BUY but won't let you skip over the ads at the front of the movie.

Lots of people rip the DVDs they own specifically to remove the unskippable stuff.

Re:Android Nougger vs. Windows RT

[xvan]

I can see why people would be less angry at Google for doing it than Microsoft given the differences in circumstance.

I can't. Most people don't that use custom ROMs, don't do it for the cool factor, but because there are things they want to do with their phone that otherwise can't because the crippled capabilities of Android/OEMs, or because they want an uniform experience across devices.

Locking the firmware ( with no way to disable this lock ) would enrage me (and a lot of people).

Recovery?

[mveloso]

So, if your device is stuck in this state how do you recover your stuff off of it?

Re:Recovery?

[Chalnoth]

It's really a good idea to have automatic backups off the device for anything important, independent of this issue. After all, your phone could become broken to the point it doesn't even boot, or it could be stolen.

Missing the point

[trampel]

Locked bootloaders are nothing new.

What the new feature in Android N is about is the ability to add cross-block redundancy to the system image so that a few defective flash blocks can be corrected. There was a posting on the official Android Developers blog that went into quite some details about how they reduced the storage overhead and prepared it for the typical failure scenario of Flash memory.

Why can't they just stop it happening first?

[wonkey_monkey]

I'm probably being ignorant, but if they can do this, why can't they stop said malware from installing in the first place?

Re:Why can't they just stop it happening first?

[Chalnoth]

For the most part, they do. It's not very easy to get past Android's protections and install malware that impacts the system image.

on att an unlocked phone = locked out

[Joe_Dragon]

on att an unlocked phone = locked out

Re:on att an unlocked phone = locked out

[JohnFen]

This not true. I've been using an unlocked and rooted phone with AT&T for years. They even sell special "developer phones" that don't lock the bootloader in the first place. They want a premium for those, though, so I just break the lock instead.

Re:Still Google

You must be new to Slashdot. You're supposed to get hysterical over an imagined outrage.

Google's priorities...

[emil]

...are not voice calls or text messages: it's search, and it shows.

Where is ublock for Chrome on Android? That says all you need to know about Google's intentions on mobile.

Re: Google's priorities...

https://adblockplus.org/en/android

https://adblockplus.org/android-faq

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Emergencies?

[Etcetera]

This might have been a troll, but it's a valid point. In the US, any phone that is turned on needs to be able to make an emergency 911 call, regardless of network access / bill payment / identity / SIM card / etc.

For a phone already turned on, you can do this from the lock screen. On my new LG G5 with PIN required on boot, you can do this from the PIN/boot entry screen.

It does raise the valid question: Is this a further check prior to the ... boot loader? PIN boot phase? If so, how much of the phone is and isn't running prior to the remainder of the OS load and what is or isn't "secure"... The meta has to bottom out somewhere, and unless the phone is actually broken, regs might require at least the phone connection to work.

Re:Still Google

[Hylandr]

Or be forward thinking and alert to possible ways new technologies might be exploited by big business to increase their profit margin at all costs.

Including the cost of fines, as long as profits from the action still outweigh the cost of legal defense.

Re:Android Nougger vs. Windows RT

[Hylandr]

No one cares about enraged, entitled douche-bags like you anymore. It's gotten old. Go ahead being a rage-monkey, but don't expect sympathy as you embarrass yourself by ranting like an entitled brat.

You really just identified yourself there. But you're right. We are tired of you, and don't care about the trash you bring to the table.

What me worry...

[argStyopa]

..as a proud owner of a TMobile Galaxy S3, I have exactly zero fear that Nougat (7.0) will brick my phone, as TMobile long ago stopped bothering to update such an ancient device.

I believe I'm still on 4.3, never to see Kit Kat.

A pattern emerges

[JohnFen]

Hmmm...

So Google released Marshmallow, which in my opinion was an overall step backwards for Android, now they're going to do this? It's almost like Google wants everyone to stop using Android.

Re:A pattern emerges

[The+Fat+Bastid]

I went from a lg optimus v (2.2) to a nexus 5x, missing everything in between. Why do you feel it is a step backwards from previous versions?

Re:A pattern emerges

[Voyager529]

Hmmm...

It's almost like Google wants everyone to stop using Android.

I don't think that's it. I think it is simply 'the pattern'...

1.) A company releases software or a device. It adheres to standards very well, and although it's a bit rough around the edges, it's open enough that an enthusiast community develops that picks up the slack for those willing to tinker with it. Thus, it requires a bit of understanding to become useful, and it may lack some polish, but the community picks up steam.
2.) The modding community recommends the item to others. The technologically illiterate will stick with 'what works' for now, but other enthusiasts come on board. A few forward thinking companies develop software/addons for the item, which help legitimize the platform.
3.) The item gets an iteration or two, implementing popular features from mods, squashing bugs, and improving its utility. The item is headed toward critical mass, and more companies leverage the item.
4.) Between a few malicious actors and a few technologically illiterate folks who have loud mouths and no patience, things get a bit more messy. Overall though, the item is still on the rise as step 3 continues to grow the item.
5.) As the item gains more legitimacy and experiences some mainstream success, more of step 4 happens, to the point where the manufacturer needs to do something about it. In many cases, the openness of the item has a number of avenues of attack for malice to be successful, so a few of the mods stop working in the name of security.
6.) As mainstream acceptance becomes the norm, the modding community becomes more of a liability than an asset. With mainstream acceptance comes lots of money, in contrast to the modding community's inherent DIY mentality.
7.) Protection of the revenue stream well exceeds the value of the modding community. Thus, protecting the item is a much bigger deal. Openness becomes more and more difficult to leverage; after a few iterations of progressively removing openness without revolt, the dev team is given less of a voice than the accountants. Frequently prices are increased, and sometimes the ability to export data is removed.
8.) Openness is formally removed. A few principled holdouts of the original modding community leave, but since the product has integrated into mainstream usage so effectively, many mainstream users require functions to be performed that only the item can perform, in either a primary or secondary capacity. In many cases, the item holds mission critical data, ensuring its continued usage for some time.
9.) Litigation of those who force openness begins.
10.) A company introduces an item....

Re:A pattern emerges

[swillden]

8.) Openness is formally removed.

Android is *not* removing openness. I'm a member of the Android security team, and worked around the edges of this feature. We (I'll use that pronoun for simplicity, but please note that I'm not claiming credit) put a great deal of additional effort into making sure that it supported modders who unlock their bootloaders and install custom software. We even made sure that they can use the verified boot feature to ensure that their self-signed images are not modified without their knowledge.

The goal is not to prevent modding, the goal is to improve security by ensuring that malicious images can't be installed.

Re:A pattern emerges

[JohnFen]

That's good to hear. Thanks!

Re:A pattern emerges

[JohnFen]

Primarily because the UI changes make tons of things a lot harder to use, and the UI gets in my way now where it didn't before.

This is a matter of taste, of course, but I've been using Marshmallow since its release, and I still find it painful and difficult.

Re:A pattern emerges

[swillden]

To be sure I'm not painting an overly rosy picture... keep in mind that what I said applies only to devices with unlockable bootloaders. OEMs can choose not to allow unlocking, and most don't. That's their choice. At least Google's design explicitly tells them how to go about allowing unlocking without compromising security, and it pushes SoC makers (who actually write the bootloaders, by and large) to implement support for it so that if OEMs decide to allow unlocking they can do it by flipping a switch.

Re:A pattern emerges

[Voyager529]

8.) Openness is formally removed.

Android is *not* removing openness.

Yet. Give it time. Android isn't at that step yet, but I have seen absolutely no indications that Android will not end up at step 8 in due course. At the very least, Google isn't defending openness very well, either. Google has done little (if anything) to discourage locking bootloader. Google not only failed to discourage Samsung's Knox e-Fuse, they integrated that feature, along with several others, into recent releases of Android. These are not steps to preserve the modding community.

I'm a member of the Android security team, and worked around the edges of this feature. We (I'll use that pronoun for simplicity, but please note that I'm not claiming credit) put a great deal of additional effort into making sure that it supported modders who unlock their bootloaders and install custom software. We even made sure that they can use the verified boot feature to ensure that their self-signed images are not modified without their knowledge.

I appreciate the consideration put into this. Sincerely, honestly, and genuinely - it is nice to hear that these cases are still a part of the development process. At the same time, Microsoft required that Windows 8 motherboards both had secure boot, as well as a user-facing option to disable it in the BIOS. Windows 10 certification kept the former, but not the latter. Do I blame Google for the tresspasses of Microsoft? Of course not...but given that the outcry over this was basically limited to a few strongly worded Slashdot comments, I do not see Google as a company so principled as to actively avoid step 8 when there was clearly no blowback.

The goal is not to prevent modding, the goal is to improve security by ensuring that malicious images can't be installed.

The goal isn't to prevent modding *now*. Android At Work's core features were a solved problem by Nitrodesk with Touchdown, which could be configured to require its own passcode and disable screenshots and respect Exchange wipes and determine if the device was rooted...and these were solved in the Froyo days. Google chose to deal with this in firmware. The switch has not been flipped, but the infrastructure went from "not being there" to "being there", changing the trust requirement from being "they can't" to "they won't"...and I'm very hard pressed to find a "they wouldn't" that didn't eventually become a "they did".

I understand where you're coming from, and I do appreciate your response. I hope you can understand my hesitance and concern.

Re:A pattern emerges

[swillden]

I understand the concern, but there's really no evidence for it. Your examples of what Samsung and Microsoft have done aren't evidence... and Google has little more control over Samsung than over Microsoft. Could Google decide that it no longer cares about openness? Sure. But we're actually working quite hard to push it the other direction, and I see no reason to expect that to change.

What is the thing you're saying Google has done "in firmware" for Android for Work, but hasn't "flipped the switch"? Android for Work does nothing in firmware, it's all in Android; the only thing remotely close to that is the use of TrustZone for authentication and crypto key management -- and I'm the engineer responsible for those TrustZone components, and I can't figure out what "switch" you're talking about.

Re:A pattern emerges

[Voyager529]

I understand the concern, but there's really no evidence for it. Your examples of what Samsung and Microsoft have done aren't evidence... and Google has little more control over Samsung than over Microsoft. Could Google decide that it no longer cares about openness? Sure. But we're actually working quite hard to push it the other direction, and I see no reason to expect that to change.

What is the thing you're saying Google has done "in firmware" for Android for Work, but hasn't "flipped the switch"? Android for Work does nothing in firmware, it's all in Android; the only thing remotely close to that is the use of TrustZone for authentication and crypto key management -- and I'm the engineer responsible for those TrustZone components, and I can't figure out what "switch" you're talking about.

I've been meaning to reply for some time; feel free to e-mail me as I know this discussion will be archived soon.

You're right that Google has relatively little control over Samsung. What they do have is control over the Android trademark, etc., and if Google can require that the Play Store be within one swipe's distance of the home screen when shipped, Google can make other requirements that reflect dedication to ensuring that devices are able to be flashed with AOSP software. Unless I misunderstand how the Nexus system works, Google *does* have say over how those function, and those have a locked bootloader

. However, in doing some research for this post, I will concede that the Knox components that rely on the eFuse and other hardware-based, root-resistant functions are still Samsung specific, so I certainly admit fault there.

I guess I feel like how Brutus must have felt. Julius Caesar had done nothing wrong, and was well liked by the people he served. Brutus saw Julius was doing the right thing completely out of self control, rather than any form of checks and balances, or other such accountability. Now, I'm certainly not looking to kill anybody, but if Google decides to mandate locked bootloaders or bring an end to the work done by the folks at XDA-Dev, there's just no reason whatsoever for them not to...and that does, in fact scare me.

Re:A pattern emerges

[swillden]

I've been meaning to reply for some time; feel free to e-mail me as I know this discussion will be archived soon.

You're right that Google has relatively little control over Samsung. What they do have is control over the Android trademark, etc., and if Google can require that the Play Store be within one swipe's distance of the home screen when shipped, Google can make other requirements that reflect dedication to ensuring that devices are able to be flashed with AOSP software.

Those requirements are subject to negotiation. Google has some power to push, not based on the Android trademark so much as on the permission to install the Google Apps -- and especially the Play store. The Play store is the big carrot/stick, actually, because an Android phone without the Play store is much, much less useful... at present. It wouldn't be that difficult for Samsung to set up their own app store, and app developers would absolutely upload their apps to it because Samsung is such a huge part of the Android ecosystem. If Samsung were to form an alliance with the top two or three other Android OEMs, their app store would very quickly replace Play as the dominant app store, particularly if they also set out to license all the videos and music they need to reach full parity with the content on Play. Or perhaps they'd take a shorter path: Team up with Amazon which has already done most of this work. If new Samsung, HTC, Motorola and LG phones all shipped with the Amazon store, Amazon would almost immediately match Play.

So Google has to walk a fine line. It has to keep all of the OEMs moving in the same direction, make sure that direction keeps the ecosystem competitive with Apple and Windows (not that Windows has much of the market at the moment) which means making sure the user experience is good and continues to improve, but it also has to allow OEMs enough freedom to innovate and manage their business models so they don't feel like being part of Google's ecosystem is more of a burden than a benefit.

I don't really understand why OEMs seem to feel so strongly that their devices should be locked down, but they do, and they're unwilling to negotiate on this point.

Unless I misunderstand how the Nexus system works, Google *does* have say over how those function, and those have a locked bootloader

So, I think your fundamental error here is that you're thinking locked bootloaders are a bad thing. They're not. They're a good thing.

Locked bootloaders (the way Nexus does them, at least) are there for user security. The purpose of the lock isn't to prevent users from flashing software that does what they want, it's to prevent attackers from flashing software that does what they want -- to give them access to data on the device, bypassing all of the protections built into the stock OS. So, the reason there is an "unlock" step is so that we have an opportunity to forcibly wipe all user data from the device. Someone who finds or steals your locked phone can unlock it (maybe; we made that a little harder in Lollipop), but the unlock process wipes all of your data.

This, BTW, is why I always tell modders that they should re-lock their bootloader after they flash their custom image. Not re-locking it allows anyone who gets hold of their device to flash a new system image that gives them full access to anything on the device (though we're tightening that down in Nougat as well).

That's the main purpose for a locked bootloader, but there are some other benefits as well. They protect devices against inadvertent as well as malicious modification, and they provide a good way to differentiate between a normal device that should implement the full boot chain of trust and those that are in a modifiable state. The vast majority of users never want or need to unlock, and we want to make things very secure for them. Developers (including Android engineers at Google!) and mo

Re:Emergencies?

[stephanruby]

What if you have to make an emergency phone call? Like, you've been shot by a police officer and you need to call 911?

Just ask kindly for a cell phone from the police. They'll send a robot to give you one.

the hackers have won

[micahraleigh]

of course when all software/hardware is shutdown what will the hackers have to do?