Fragmentation across Android versions is the biggest challenge Google has to solve. While the Google Pixel line is among the most secure Android smartphones available, many other devices carry serious vulnerabilities simply because they run an older version of Android or are missing the latest security patch. Google's latest report on the Android Pie rollout shows that less than 1% of all devices accessing the Google Play store are running Android Pie, and another report shows that less than 10% of devices accessing the Google Play store carry the latest Android security update.
Google has made a number of efforts to tackle this fragmentation: Project Treble, a major re-architecting of Android that separates the Android OS framework components from the vendor HAL components; extended LTS support for the Linux kernel; a requirement that OEMs deliver security patch updates for 2 years; and the Android Enterprise Recommended program. At Google I/O 2019, the company announced that its latest initiative to speed up security updates will be Project Mainline, rolling out with Android Q.
Project Mainline: Updating Android Q system modules through Google Play
For the past few months, developers have been tracking something known as "APEX" in the AOSP code. APEX, or the Android Pony EXpress, is a new package format that is meant to work much like an APK. Instead of housing an Android application, an APEX package houses a native or class library, which is basically precompiled code that can be called by Android apps, Hardware Abstraction Layers (HALs), and the Android Runtime (ART). Just like an APK, APEX packages can be delivered to users through Android's traditional package installation paths, such as the Google Play Store/package manager or ADB, or can be downloaded and installed manually like an APK.
Unlike an APK, APEX modules can be used much earlier in the boot process than APK-based modules. They are also backed by dm-verity and Android Verified Boot for increased security. Mounting the payload images inside an APEX package requires the Linux kernel's loop driver, so devices need Linux kernel version 4.9 or newer. Managing APEX packages also requires the new APEX daemon, introduced with Android Q. While it is possible for devices upgrading to Android Q on kernel version 4.4, like the Pixel 3 series, to support this, it would require a lot of additional work on the OEM side. This makes us suspect that only devices launching with Android Q and Linux kernel 4.9+ will support Project Mainline.
GNU/Linux distributions have always been able to update major components without a full system update, but Android has always lagged behind. This is because Google chose not to distribute these packages using traditional Linux package management systems like dpkg and rpm, since they don't support post-installation integrity protection like dm-verity.
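The two paragraphs above hinge on one security property: once an APEX payload image is installed, dm-verity keeps verifying it on every read against a root hash that Android Verified Boot signs, which is exactly what a dpkg or rpm install cannot offer. The following is an added, simplified model of that check, written for this article and not taken from AOSP or the article's author. It builds a Merkle hash tree over the fixed-size blocks of a constructed payload, treats the tree's root as the value AVB would sign, and then shows that a single flipped bit in one block is rejected at read time while untouched blocks still verify. Block size, fan-out, the sample image and the function names are all assumptions made for the example.

```python
"""
Toy model of a dm-verity style integrity check over an APEX payload image.
Added example, not AOSP code: block size, fan-out and the payload are constructed.
"""
import hashlib

BLOCK_SIZE = 4096   # constructed: dm-verity's default data block size
FANOUT = 128        # constructed: child hashes per parent node (4096 / 32)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut the payload image into equal blocks, zero-padding the tail."""
    return [image[off:off + block_size].ljust(block_size, b"\0")
            for off in range(0, len(image), block_size)]


def build_hash_tree(blocks: list, fanout: int = FANOUT) -> list:
    """Return the tree as levels: levels[0] are leaf hashes, levels[-1] is [root]."""
    level = [sha256(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = [sha256(b"".join(level[i:i + fanout]))
                 for i in range(0, len(level), fanout)]
        levels.append(level)
    return levels


def verify_block(block: bytes, index: int, levels: list, trusted_root: bytes,
                 fanout: int = FANOUT) -> bool:
    """Recompute the path from this block up to the root and compare with the trusted root.

    Sibling hashes come from the stored tree, but the node for the block being read is
    rebuilt from the bytes actually read, so neither a modified block nor a modified tree
    node passes unless the signed root hash is changed as well.
    """
    node = sha256(block)
    pos = index
    for depth in range(len(levels) - 1):
        start = (pos // fanout) * fanout
        group = list(levels[depth][start:start + fanout])
        group[pos - start] = node
        node = sha256(b"".join(group))
        pos //= fanout
    return node == trusted_root


def read_verified(image: bytes, index: int, levels: list, trusted_root: bytes,
                  fanout: int = FANOUT) -> bytes:
    """Model of a verified read: return the block, or fail like dm-verity's I/O error."""
    block = split_blocks(image)[index]
    if not verify_block(block, index, levels, trusted_root, fanout):
        raise IOError(f"dm-verity: integrity failure in block {index}")
    return block


def demo() -> dict:
    """Build a constructed 6-block payload, verify it, tamper one block, verify again."""
    image = bytes(range(256)) * (BLOCK_SIZE * 6 // 256)   # constructed payload image
    blocks = split_blocks(image)
    levels = build_hash_tree(blocks, fanout=2)            # fan-out 2 gives several levels
    trusted_root = levels[-1][0]                          # the value AVB would sign

    clean_ok = all(verify_block(b, i, levels, trusted_root, fanout=2)
                   for i, b in enumerate(blocks))

    tampered = bytearray(image)
    tampered[3 * BLOCK_SIZE + 17] ^= 0x01                 # flip one bit inside block 3
    tampered = bytes(tampered)
    try:
        read_verified(tampered, 3, levels, trusted_root, fanout=2)
        tampered_rejected = False
    except IOError:
        tampered_rejected = True
    untouched_still_ok = verify_block(split_blocks(tampered)[0], 0, levels,
                                      trusted_root, fanout=2)
    return {"clean_ok": clean_ok, "tampered_rejected": tampered_rejected,
            "untouched_still_ok": untouched_still_ok}


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the tree itself is not trusted: it is just a cache of intermediate hashes, and the only anchor is the root hash held in the signed boot metadata. That is why a package format whose payload is a block image under dm-verity can be updated through an app-store channel and still keep the same integrity guarantee as the rest of the verified system partitions.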
Since it takes device makers a considerable amount of time to roll out updates, many devices keep running outdated components for months and even years. By distributing these components, and the security patches for them, as APEX packages, Google can bring a smartphone up to the latest security patch without waiting for the manufacturer to roll out an update.
Google won't exert total control over all system components. However, the company has worked with OEM partners to select a certain set of system apps (as APKs) and system components (as APEX packages) to modularize. This is meant to improve security, privacy, and consistency for all users running Android Q with Project Mainline. Google has provided the list of system components on devices launching with Android Q that will be updated using APEX packages, though we still don't know how the list was finalized:
Security: Media Codecs, Media Framework Components, DNS Resolver, Conscrypt
Privacy: Documents UI, Permission Controller, ExtServices
Consistency: Timezone data, ANGLE (developers opt-in), Module Metadata, Networking components, Captive Portal Login, Network Permission Configuration
Immediate updates to Conscrypt, the Java security library, and to the media components, which together account for nearly 40% of recently patched vulnerabilities, will surely help make Android devices safer. Updates to Documents UI and the Permission Controller will help improve privacy. Standardizing the timezone data will keep all devices on the same page, and a standardized ANGLE will help game developers a lot.
If OEMs decide to go along with Project Mainline, it will help improve security on Android and reduce the fragmentation problem.