Google has recently revealed an advanced Android technology called Intrusion Logging. It will assist the detection of extremely sophisticated spy programs and assesses compromised smartphones. This system will automatically log encrypted device activity, which could be used for digital forensics.
This is now part of the Advanced Protection Mode and its target audience are journalists, activists, human rights defenders, etc. – people whose jobs put them at greater risk of being watched.
Google said that Intrusion Logging offers “endless, and secret forensic logging” to determine if your device has been hacked. They built it in collaboration with Amnesty International and Reporters Without Borders.
Each day the smartphone’s activity and network events will be logged. Some examples of data logged would be:
-
when an application was launched;
-
if an application was installed, updated or removed;
-
Wi-Fi, Bluetooth, DNS inquiries, and IP connections;
-
when transferring files via USB;
-
any changes to the systems certificates;
-
when locking/unlocking the phone.
All logs will be fully encrypted on the smartphone and then transferred to Google’s servers where they will again be encrypted using end-to-end encryption. Even though all logs are encrypted, Google said that there is still no way for anyone — including themselves — to get into those logs due to the use of both a Google account password and screen lock information to keep them locked.
Reporters Without Borders stated that this method allows users to protect their logs even once their smartphone has been infected with spyware.
“They (malware) won’t be able to read, remove or modify these logs regardless of how well they have infected your phone,” the group said.
Logs will be stored for 12 months after which they will be automatically deleted. There is nothing that can be done by the user to delete them sooner than that either. Logs can however be downloaded and saved locally.
There is one important detail to know — while the system runs at the Android operating system level, it does capture network traffic whether Chrome incognito is running or not. While this means you can view what websites were visited based off of DNS requests and IP addresses, individual page visits cannot be viewed.
As far as Google is concerned, the primary intention behind the feature is to give users who believe they are under surveillance or infected with spyware the ability to pass along the logs to outside experts for further examination.
The feature is accessible through “Settings” -> “Security & Privacy” -> “Advanced Protection” -> “Intrusion Logging” -> “Get Access Logs.” The feature should work on any device that has received the Android 16 Dec Update or later version.
According to Donncha O’Cerbhai, Head of Security Lab at Amnesty International, “this is the first major step taken by any manufacturer toward detecting and mitigating sophisticated attacks on mobile devices.”
Additionally to Intrusion Logging, Google has released several additional new Android security capabilities. These are:
-
spoofing attack checking for bank call functionality;
-
new fraud detection methods for chat functions;
-
Chrome-based checking of APK files before installing them;
-
preventing access to Accessibility API for questionable apps;
-
prohibiting SMS verification codes from appearing in the majority of apps;
-
enhancing brute force resistance to picking a PIN number;
-
adding support for post-quantum cryptography;
-
adding additional privacy options related to accessing location data and contact lists;
and enhancing Find My Device. Users can mark their phones as lost and set up biometric locks on them. Additionally, if someone tries to gain access to a phone that has been marked as lost, it will disable quick setting menus and prevent users from establishing new WiFi or Bluetooth connections.
Eugene Liderman, Android Security Director said that Google wants to create an environment where Android is “the safest platform,” using the new tools that provide consumers with additional protections from banking scams, spyware, and sophisticated attacks on mobile devices.
