Slashdot Mirror


Android Nougat Won't Boot If Your Phone's Software Is Corrupt Or Has Malware (androidauthority.com)

An anonymous reader shares a report on Android Authority: In a bid to increase the security of the Android operating system, Google has introduced a new check for malware as part of the boot process in all Android devices. Until Marshmallow, Android devices ran the check as part of the boot process and in Marshmallow, the phone would warn you that it was compromised but would continue to let the phone boot up. In Nougat however, Google is taking this security check to the next level. On the Android Developer's blog, the company explains that Android Nougat strictly enforces that boot check, giving you far more than a warning. The good news is that if your phone is infected with types of malware, it will refuse to boot or will boot in a limited capacity mode (presumably akin to safe mode). The bad news however, is that some non-malicious corruption of data could also mean that your phone will refuse to boot up. Considering that corrupted data may not always be malicious -- even a single-byte error could cause your phone to refuse to boot up -- Android Nougat brings additional code to guard against corruption.
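The summary describes a boot-time integrity check whose outcome changed between releases: a mismatch was only reported in Marshmallow but blocks the boot (or allows a limited boot with user consent) in Nougat. The following is an added, simplified model of that check, not Android's own code: it mirrors the dm-verity approach of hashing the image in fixed-size blocks, folding the block hashes into a tree, and comparing against a trusted root hash, so a single flipped byte in any block is caught. The `Mode` policy names and the `boot_decision` return strings are assumptions for illustration.

```python
import hashlib
from enum import Enum

BLOCK = 4096  # the image is hashed in fixed-size blocks, as dm-verity does


def leaf_hashes(image: bytes) -> list[bytes]:
    """SHA-256 of every block: the bottom level of the hash tree."""
    return [hashlib.sha256(image[i:i + BLOCK]).digest()
            for i in range(0, len(image), BLOCK)]


def root_hash(leaves: list[bytes]) -> bytes:
    """Fold the leaves into a binary Merkle tree and return its root."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:            # odd count: duplicate the last node
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]


class Mode(Enum):
    WARN = "marshmallow"   # report the mismatch, let the device boot anyway
    ENFORCE = "nougat"     # refuse to boot, or boot limited with user consent


def corrupt_blocks(image: bytes, stored_leaves: list[bytes],
                   trusted_root: bytes) -> list[int]:
    """Indices of blocks whose contents disagree with the hash tree.

    Only the root hash is trusted. The stored leaves are accepted only if
    they still reduce to that root; otherwise the tree itself was altered
    and every block is treated as unverifiable.
    """
    actual = leaf_hashes(image)
    if root_hash(stored_leaves) != trusted_root or len(actual) != len(stored_leaves):
        return list(range(len(actual)))
    return [i for i, h in enumerate(actual) if h != stored_leaves[i]]


def boot_decision(image: bytes, stored_leaves: list[bytes], trusted_root: bytes,
                  mode: Mode, user_consents: bool = False) -> str:
    """Toy policy for what the summary says each release does on a mismatch."""
    if not corrupt_blocks(image, stored_leaves, trusted_root):
        return "boot"
    if mode is Mode.WARN:
        return "boot-with-warning"
    return "limited-boot" if user_consents else "refuse"
```

Flipping one byte of a three-block constructed image changes exactly one leaf hash and therefore the root, which is what makes a non-malicious single-byte corruption indistinguishable from tampering at this layer.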

16 of 163 comments

  1. Liability by Anonymous Coward · · Score: 3, Insightful

    Has anyone at Google thought about the deaths that this might cause? If I need to dial 911 because I just severed my foot, I don't care about my phone having malware. I need to dial.

    1. Re:Liability by Obfuscant · · Score: 2

      Yes, "my in-laws turned their cellphone off to save battery" is a bit different than "they turned their cellphone off because they were axe murderers." It sounds like it shouldn't have been annoying at all to you that they were unreachable; it was a Good Thing.

  2. Fixed it for you by 140Mandak262Jamuna · · Score: 2, Interesting

    Android Nougat Won't Boot If Your Phone's Software Is Corrupt Or Has Malware unapproved by google

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  3. This isn't the whole story by LichtSpektren · · Score: 2

    TFS is rather concerning but it seems to be conjecture and interpretation of a dev's blog. Presumably (well, I hope at least) there will be some documentation about what the procedure is for turning off the boot-lock or what ever.

  4. DoS by design by Henriok · · Score: 4, Informative

    This sounds like an excellent complementary feature for malware to trigger for a DoS attack.

    --

    - Henrik

    - when the Shadows descend -

  5. 911 by Dorianny · · Score: 3, Insightful

    As a primary communications device, instability in a cell-phone operating system is not a mere nuisance and frustration but can cost people dearly if it is not available for contacting Emergency Services when needed. A fail-safe mode that instructs people to restore to a clean image or have the device checked out is what Apple's iOS has been doing all along, and in my belief it is a big part of why Apple's iOS is perceived to be a more stable OS than Android.

    1. Re:911 by Miamicanes · · Score: 4, Interesting

      The really fucked up and sad thing is, when Samsung developed Knox, they bent over backwards to ensure that its security didn't depend upon the user having never rooted or reflashed the phone. It had an immutable stage-one bootloader that could ALWAYS be used to boot into a secure & known state from which the second stage of the bootloader could be reflashed, then used to restore the phone to its virgin & secure state.

      They ended up disabling it in favor of one-time bootloader fuses, because big corporate clients point-blank refused to adopt Knox unless it permanently exiled rooted and reflashed phones to eternal exile. I participated in calls with Samsung about it, and ended up having HUGE arguments with my own coworkers trying to convince them that Samsung was right. I tried to explain how ARM TrustZone worked, and how Samsung used it to make the stage-1 bootloader absolutely bulletproof. In the end, irrational fear prevailed over logic and design. A feature that could have been used for good ended up being used to cripple the phones of anyone who tried to chainload a better build of Android. RIP.

      Making matters worse, Samsung and other manufacturers went a step further with the next generation of phones, and started designing them to be dysfunctional (at least, as far as their wireless functionality was concerned) if the user attempted to treat the locked-down Android as a de-facto bootloader & use it to chainload their own Android ROM (basically, shutting down all the kernel services, killing off all the system threads besides one, then launching the new Android from that final thread). It was never about security, but about asserting control over end users and limiting what they could do. I'm convinced that Samsung tried to do the right thing, but when the largest mobile operator in America (Verizon) threatens to quit allowing its customers to use your phones, it's hard to fight back. Then AT&T joined the lockdown party, knowing that even though they're technically a GSM network, forcing Samsung to lock down its devices would ultimately cause Sprint & T-Mobile devices to end up locked down too, because at that point it would cost more for Samsung to maintain unlocked phones than T-Mobile would have been willing to single-handedly subsidize (Sprint was ambivalently neutral... it didn't care either way, but absolutely wouldn't have paid a premium to maintain a feature they were unenthusiastic about anyway).

      The Galaxy Note 4 is a perfect example of why the impact of carrier evil extends beyond the users of the evil carrier itself. The T-Mobile version had an unlocked bootloader. And ultimately, had maybe a half-dozen useful ROM distros for it that ever progressed beyond the "unstable experiment" stage. Why? The number of users capable of RUNNING those ROMs had diminished to a tiny subset of T-Mobile customers. Back when Sprint and AT&T phones were locked with the equivalent of a skeleton key hidden under the doormat (and Verizon's bootloader could be sidestepped via chainloading), there was a large, thriving developer community that took advantage of the fact that the Galaxy S3 was basically the same hardware on every network in America (even the CDMA ones). With the Note 4, that same community was eviscerated & almost completely dried up.

  6. Re:Emergencies? by Anonymous Coward · · Score: 2, Informative

    You mean after trying to evade arrest and waving a knife/gun/axe around? Or just when you get into an armed fight with a cop and lose? Or you decide to run at a cop, even though there's a gun pointing at you and you've been told to stop? Or you've just shot a cop and don't like bullets traveling in the opposite direction? Or you decided on assisted suicide, but didn't tell the cop he was assisting? Or you don't behave aggressively, comply with any lawful requests the officer makes, but still get shot? Because that last one happens all the time!

  7. For varying definitions of malware... by Opportunist · · Score: 2

    Like, say, custom firmware that the manufacturer of the phone doesn't want you to install so you can't get rid of the shovelware he got paid to dump onto it and that you cannot deinstall?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  8. Read TFA... not bricked by jlv · · Score: 4, Informative

    Ignoring the implied hype in TFA, they quote the original blog post:
    "This means that a device with a corrupt boot image or verified partition will not boot
    or
    will boot in a limited capacity with user consent."
    (line breaks added for clarity).

  9. Re:This sounds like a Catch-22 by ilsaloving · · Score: 2

    it will refuse to boot or will boot in a limited capacity mode (presumably akin to safe mode)

    It's right there in the summary... underlined no less.

    I'm more concerned about the fact that I may not be able to replace the stock android with a custom firmware. Thanks to all the crapware that manufacturers insist on pre-installing on most handsets, and their refusal to provide updates, you're basically forced to use a custom firmware just to have a usable phone.

    Yes, I know you could always just stick with a Nexus branded device, but then you'd miss out on potentially interesting innovations provided by another manufacturer.

    Google should never have permitted the android ecosystem to become a dichotomy of "You can get updates, or you can get a cool device, but not both."

  10. Re:Emergencies? by Etcetera · · Score: 2

    This might have been a troll, but it's a valid point. In the US, any phone that is turned on needs to be able to make an emergency 911 call, regardless of network access / bill payment / identity / SIM card / etc.

    For a phone already turned on, you can do this from the lock screen. On my new LG G5 with PIN required on boot, you can do this from the PIN/boot entry screen.

    It does raise the valid question: Is this a further check prior to the ... boot loader? PIN boot phase? If so, how much of the phone is and isn't running prior to the remainder of the OS load and what is or isn't "secure"... The meta has to bottom out somewhere, and unless the phone is actually broken, regs might require at least the phone connection to work.

  11. Re:This sounds like a Catch-22 by ilsaloving · · Score: 3, Funny

    Fair point. My post assumes that you have the ability to root the device in the first place.

    S'why I gave up on Android and went to Apple. If my choices are all companies that are going to treat me like an abusive control-freak boyfriend who teabags my wallet just for fun, then I may as well pick the one that uses a condom while screwing me.

  12. Re:This sounds like a Catch-22 by Miamicanes · · Score: 3, Insightful

    Well, actually, in quite a few cases, you CAN replace stock Android with custom firmware regardless of whether or not the manufacturer wants to allow it. As a practical matter, though, those devices usually end up with dysfunctional custom ROMs that can't run newer versions of Android (because Linux intentionally sucks at dealing with binary kernel modules... a policy that mostly worked as intended to keep Linux open on x86 and AMD64 architectures, but has been a complete consumer DISASTER within the Android realm).

    The sad irony is, Windows Mobile 6 (back in 2007) was almost as "open" (in the sense of being able to extend it in ways neither envisioned nor blessed by Microsoft or the phone's manufacturer) as Android is in 2016. Obviously, you couldn't build Windows Mobile 6 from scratch... but fuck, you can't even independently build a copy of the NEXUS GODDAMN 6P's ROM from source. You can build your own AOSP-derived approximation of it, of course... but you'll never be able to independently build your own ROM image that's ultimately identical to Huawei's (and use its source as the starting point for later modifications & improvements).

    Ten years ago, Windows Mobile users at XDA-developers.com ripped files from newer phones and used the .dll files to upgrade older phones to newer versions of Windows Mobile. Today, with Android phones, we're STILL stuck doing more or less the same thing. AOSP has been seriously eroded away by Google over the past few years compared to its golden age (the Galaxy S3... probably the most thoroughly reflashed and extended phone in Android history). Sure, you can build a ROM "for Android" -- but 95% of the things most people regard AS fundamental characteristics of Android (Google Play, Google Maps, and everything that depends upon them to run) are as closed and binary now as Windows Mobile EVER was.

    IMHO, the single biggest fuckup Microsoft made with Windows (Phone) was insisting upon locking it down. It didn't win them a single iPhone customer, and antagonized millions of disillusioned Android owners who are only still with Android because it's the least-evil option we have left. Had Windows (Phone) been at least as open (both as an operating system, and for running "unapproved" software) as Windows Mobile 6 was, I'd argue that several million people who currently have Android phones would have jumped ship and tried Windows (especially if Microsoft quietly made sure there was a fully-working distro comparable to Cyanogenmod that could be flashed to it if the user changed his mind, making the phone's purchase a nearly risk-free experiment). Instead, Microsoft managed to create a phone OS that combined the worst limitations of both competitors & nothing to mitigate them.

  13. Re:Error in article/summary by Chalnoth · · Score: 2

    Also described in the blog post, the particular error correction method they use means that they can recover from up to 16-24MB of consecutive corrupted memory.

  14. Re:A pattern emerges by swillden · · Score: 3, Informative

    8.) Openness is formally removed.

    Android is *not* removing openness. I'm a member of the Android security team, and worked around the edges of this feature. We (I'll use that pronoun for simplicity, but please note that I'm not claiming credit) put a great deal of additional effort into making sure that it supported modders who unlock their bootloaders and install custom software. We even made sure that they can use the verified boot feature to ensure that their self-signed images are not modified without their knowledge.

    The goal is not to prevent modding, the goal is to improve security by ensuring that malicious images can't be installed.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.