How Android 16's new security mode will stop USB-based attacks


Mishaal Rahman / Android Authority

TL;DR

  • Google is adding an optional Android 16 feature that disables USB data access when the phone is locked, for improved security.
  • This protects against attackers using USB devices to extract data or bypass the lock screen on lost or confiscated phones.
  • Tied to the new Advanced Protection Mode, it blocks new USB peripherals until the device is unlocked and the USB device is reinserted.

If you are serious about security, you probably already avoid plugging random USB sticks into your personal devices. It is good practice to be wary of unknown USB devices, especially since you do not know what kinds of payloads they could contain. But if your Android device is lost or confiscated, you cannot stop someone else from plugging in a USB device. To protect against this, Google is working on a new optional feature in Android 16 that disables USB access when your phone is locked.


This may sound paranoid, but there are valid reasons to block USB devices when your Android phone is locked. If you are a journalist or activist who may be targeted by hackers, you will want to take every precaution you can to keep others out of the contents of your phone. USB peripherals and keyboards can be used to brute-force the keyguard, while other devices can inject payloads that exploit vulnerabilities to unlock the device. This is not hypothetical: Amnesty International's Security Lab recently documented a zero-day USB driver exploit that was used to break into the phone of a student activist in Serbia.

The best way to stop these attacks is to disable USB data signaling, which prevents USB devices from sending data to locked Android devices. This can be done in two ways: through hardware or software controls. Disabling USB data signaling at the hardware level completely cuts off the USB data lines. Charging will still work, of course, but all peripherals (including keyboards, mice, flash drives and even external displays) will not.

According to the GrapheneOS team, implementing this feature at the hardware level requires changes to USB drivers. The software approach, on the other hand, involves disabling high-level USB support, essentially blocking connections from new devices and gadgets while the device is locked. Although either method would have thwarted the exploit documented by Amnesty International, the hardware approach offers slightly stronger security.

With the release of Android 12 in 2021, Google introduced an API to disable USB data signaling in software. This API was made available to device administration apps, namely apps that manage enterprise devices. It was not used in any other context until the release of Android 15 last year, which improved the operating system's Lockdown mode to also disable USB data access. Now in Android 16, Google is looking to use this API to disable USB data access when your Android device is locked, but only if you turn on Advanced Protection Mode.
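As an added illustration (not code from the article or from Google), this is how a device management app might call the Android 12 API described above, which the platform exposes as `DevicePolicyManager.setUsbDataSignalingEnabled()`. The class name `UsbDataPolicy` and its `Result` values are hypothetical, and the sketch assumes the app is already the device owner or the profile owner of an organization-owned device.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.os.Build;

/** Hypothetical helper for a device management (DPC) app; names are illustrative. */
public final class UsbDataPolicy {
    public enum Result { DISABLED, ALREADY_DISABLED, UNSUPPORTED, NOT_PERMITTED, FAILED }

    private UsbDataPolicy() {}

    /** Tries to turn off USB data signaling and reports what actually happened. */
    public static Result disableUsbData(Context context) {
        // The API was added in Android 12 (API level 31).
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S) {
            return Result.UNSUPPORTED;
        }
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        if (dpm == null) {
            return Result.UNSUPPORTED;
        }
        // Not every device supports switching signaling off; ask before trying.
        if (!dpm.canUsbDataSignalingBeDisabled()) {
            return Result.UNSUPPORTED;
        }
        if (!dpm.isUsbDataSignalingEnabled()) {
            return Result.ALREADY_DISABLED;
        }
        try {
            dpm.setUsbDataSignalingEnabled(false);
        } catch (SecurityException e) {
            // Thrown when the caller is not a device owner or the profile owner
            // of an organization-owned device.
            return Result.NOT_PERMITTED;
        } catch (IllegalStateException e) {
            // Thrown when the device cannot change the setting after all.
            return Result.UNSUPPORTED;
        }
        // Read the state back instead of assuming the call took effect.
        return dpm.isUsbDataSignalingEnabled() ? Result.FAILED : Result.DISABLED;
    }
}
```

Charging is unaffected by this setting; only the data path is switched off, and a management console can use the returned value to report devices where the control could not be applied.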

Advanced Protection Mode is a new feature in Android 16 that enables additional security features for people who opt in. It builds on Google's Advanced Protection Program, a security program that offers additional protection against hacking for your Google account. When Advanced Protection Mode is enabled in Android 16, apps cannot be granted the sideloading permission, 2G access cannot be enabled, MTE is enabled for compatible apps, and WEP connections are blocked. In addition, apps can query the Advanced Protection Mode API to find out when a user has opted in, then enable their own set of security features. As APK teardowns have revealed, apps like Phone by Google and Messages are preparing to support Advanced Protection Mode.

While digging through recent Android 16 betas, I found strings that suggest enabling Advanced Protection Mode will also disable USB data signaling when Android is locked. The names of each string contain “_apm_”, which stands for Advanced Protection Mode internally. They also explicitly mention that new USB devices cannot be used while Android is locked. When a new USB device is connected, a notification will appear that alerts the user to “suspicious USB activity”. To use the device, you must “unlock Android first and then reinsert [the] USB device to use it.”

Code

USB device is plugged in when Android is locked.
To use device, please unlock Android first and then reinsert USB device to use it.
USB device plugged in when locked
USB data signal has been disabled.
Suspicious USB activity

Google has not yet rolled out a user-facing way to enable Advanced Protection Mode, but I was able to enable it manually in Android 16 Beta 4. After enabling it, I was able to trigger the new USB data protection, as shown in the embedded video below.

As you can see in the video, Android rejects both the USB stick and the keyboard that I plugged into my Pixel device while it was locked. Only after I unlocked the device and reinserted the two items was I able to use them. After I plugged them in and then locked the device, they were not disconnected, suggesting that Android will not disconnect USB devices with an active data connection.


This is a simple security change that should prevent cases like the one described in Amnesty International's report from happening again. Hopefully Google rolls out a way to toggle Android 16's new Advanced Protection Mode soon, as it will serve as a one-click way to enable many features that security-conscious users will appreciate.
