The feature, known as Verified Boot, has been present since Android 4.4 KitKat. Previously it has sat silently behind the scenes though, taking a passive approach to protecting the system. With Android 7.0, set to be released this summer, Google will switch to “strictly enforcing” Verified Boot, bringing better protection against malware but also the potential for non-malicious corruption to leave devices unusable.
In a technical blog post, Google explained how Verified Boot works. Some advanced forms of malware are able to modify the Android kernel, effectively becoming part of the operating system so they can’t be removed. To avoid this, Verified Boot checks Android’s components at startup to confirm they are the original versions. Any modification caused by malware will be flagged as an error.
Using cryptographic integrity checking, Android 7.0 works through each block on a phone’s storage, comparing its contents against the original version of the block stored in a signed hash tree. The process identifies any differences in the two versions. If anything out of the ordinary is detected, an error is raised and Verified Boot prevents the phone from starting.
While this can significantly hamper some of the most advanced malware, it could also inconvenience users. Even minor corruptions of a single byte of data could be flagged as errors by Verified Boot. It is unable to determine whether a corruption is caused by malware or a harmless bug occurring during regular use.
Google acknowledged that “non-malicious” data corruption could leave some devices blocked from booting even if they are not infected by malware. To help lower the risk of this occurring, Android 7.0 also includes advanced mechanisms to guard against data corruption in the first place. It is able to recover from the loss of an entire block of data on the filesystem, using error correction features to intelligently repair corrupt regions.
Google said that Verified Boot and the new data corruption guards will give users increased security in the long term. It noted that the feature can reduce reliability though, potentially leaving devices failing to boot because a software bug or hardware problem has inadvertently altered a system file.
“Android has alerted about system integrity since Marshmallow, but starting with devices first shipping with Android 7.0, we require verified boot to be strictly enforcing,” said Google. “This means that a device with a corrupt boot image or verified partition will not boot or will boot in a limited capacity with user consent. Such strict checking, though, means that non-malicious data corruption, which previously would be less visible, could now start affecting process functionality more.”
When strictly enforced Verified Boot does raise an error, the phone will alert the user. An option will be provided to boot into a limited functionality mode where only basic features are available, preventing a possible malware infection from running its code. User data will be protected, allowing you to retrieve your files and then reinstall Android from recovery mode.
Verified Boot is one of several security improvements coming with Android 7.0. While beneficial in the long run, the feature could cause problems initially if Google’s new error checking techniques fail to resolve the minor corruption caused by everyday use. Verified Boot will also make it harder for users to install customised Android versions onto phones. Devices with a locked bootloader will refuse to load the software, causing headaches for people who enjoy modding Android devices.
