Mishaal Rahman / Android Authority
TL;DR
- Google is including an optionally available Android 16 function to disable USB knowledge entry when the telephone is locked for enhanced safety.
- This protects towards attackers from utilizing USB units to extract knowledge or bypass the lock display on misplaced or confiscated telephones.
- Tied to the brand new Superior Safety Mode, it blocks new USB peripherals till the system is unlocked and the USB is reinserted.
If you happen to’re severe about safety, then you definitely in all probability already keep away from inserting random USB sticks into your private units. It’s good observe to be cautious of unknown USB units, particularly because you don’t know what sorts of payloads they may include. But when your Android system is misplaced or confiscated, then you possibly can’t cease another person from inserting a USB system. To guard towards this, Google is engaged on a brand new, optionally available function in Android 16 that disables USB entry when your telephone is locked.
You’re studying an Authority Insights story. Uncover Authority Insights for extra unique experiences, app teardowns, leaks, and in-depth tech protection you gained’t discover wherever else.
It would sound like paranoia, however there are legitimate the reason why one may wish to block USB units when your Android telephone is locked. If you happen to’re a journalist or activist who’s liable to being focused by hackers, you’ll wish to take each precaution you possibly can to stop your telephone’s contents from being extracted. USB peripherals like keyboards can be utilized to brute power the keyguard, whereas different units can inject payloads that exploit vulnerabilities to unlock the system. This isn’t hypothetical — Amnesty Worldwide’s Safety Lab just lately documented a zero-day USB driver exploit that was used to interrupt into the telephone of a pupil activist in Serbia.
One of the best ways to cease these sorts of assaults is to disable USB knowledge signaling, stopping USB units from sending knowledge to locked Android units. This may be achieved in two methods: via {hardware} or software program controls. Disabling USB knowledge signaling on the {hardware} degree cuts off the USB knowledge strains completely. Charging will nonetheless work, after all, however all peripherals—together with keyboards, mice, flash drives, and even exterior shows—won’t.
In line with the GrapheneOS group, implementing this hardware-level function requires adjustments to USB drivers. In distinction, the software-level method includes disabling high-level USB help, basically blocking connections from new peripherals and devices when the system is locked. Whereas both technique would have thwarted the exploit documented by Amnesty Worldwide, the hardware-based method provides barely stronger safety.
With the discharge of Android 12 in 2021, Google launched an API for disabling USB knowledge signaling at a software program degree. This API was made out there to system admin apps, i.e. apps that handle enterprise units. It wasn’t utilized in every other context till the discharge of Android 15 final 12 months, which enhanced the working system’s lockdown mode to additionally disable USB knowledge entry. Now in Android 16, Google is trying to make use of this API to disable USB knowledge entry when your Android system is locked, however provided that you allow Superior Safety Mode.
Superior Safety Mode is a brand new function in Android 16 that permits further security measures for individuals who decide in. It builds upon Google’s Superior Safety Program, a safety program that gives further safety towards hackers stepping into your Google account. When Superior Safety Mode is enabled in Android 16, apps can’t be granted the sideloading permission, 2G entry can’t be enabled, MTE is enabled for appropriate apps, and WEP connections are blocked. As well as, apps can question the Superior Safety Mode API to know when a person has opted in after which allow their very own set of security measures. As revealed in an APK teardown, apps like Telephone by Google and Messages are poised to help Superior Safety Mode.
Whereas digging via the current Android 16 betas, I discovered strings that recommend enabling Superior Safety Mode will even disable USB knowledge signaling when Android is locked. The titles of every string have “_apm_” in them, which stands for Superior Safety Mode internally. In addition they explicitly point out how new USB units can’t be used when Android is locked. When a brand new USB system is plugged in, a notification will seem that warns the person of “suspicious USB exercise.” To make use of the system, it’s a must to “unlock Android first after which reinsert [the] USB system to make use of it.”
Code
USB system is plugged in when Android is locked.
To make use of system, please unlock Android first after which reinsert USB system to make use of it.
USB system plugged in when locked
USB knowledge sign has been disabled.
Suspicious USB exercise Google has but to roll out a user-facing strategy to allow Superior Safety Mode, however I used to be capable of manually allow it in Android 16 Beta 4. After enabling it, I used to be capable of get the brand new USB knowledge safety working, as proven within the video embedded beneath.
As you possibly can see within the video, Android rejects each the USB stick and the keyboard I inserted into my Pixel system when it was locked. Solely after unlocking and reinserting each gadgets was I in a position to make use of them. After inserting them after which locking the system, they weren’t disconnected—suggesting that Android gained’t forcibly disconnect USB units with an lively knowledge connection.
Mishaal Rahman / Android Authority
It is a easy safety change that ought to stop circumstances just like the one described within the Amnesty Worldwide report from occurring once more. Hopefully Google rolls out a strategy to toggle Android 16’s new Superior Safety Mode quickly, as a result of it’ll function a straightforward one-click toggle to allow a number of options that security-conscious customers will take pleasure in.
