
Android 16: A New Era of Security and a Return to Old Dilemmas

Created by Frank Ingenrieth | Android Cybersecurity

Android 16 promises a new era of security, but its rigid Advanced Protection Programme and curious design choices on Pixel phones force a tough choice between safety and functionality.

TL;DR / Summary

  • Android 16 introduces powerful security features under its Advanced Protection Programme, aiming to shield high-risk users.
  • The programme’s "all-or-nothing" approach creates a major dilemma, forcing users to choose between maximum security and basic phone functionality like making calls in areas with poor 4G/5G coverage.
  • App installation is restricted to the Google Play Store, which enhances security but blocks access to crucial open-source and specialised tools used by journalists and activists.
  • A puzzling usability step back on Pixel phones is the missing NFC toggle in Quick Settings, which forces users to use less secure third-party apps as a workaround.
  • Solving these issues would require greater flexibility and user control, such as a temporary deactivation feature for Advanced Protection and the re-integration of a native NFC toggle.

With the rollout of Android 16, Google has once again demonstrated a strong commitment to user safety and digital security. The new operating system introduces a suite of robust security features, many of which build on the "Advanced Protection" concept to provide a more secure mobile experience. Google's efforts to protect users from modern threats are commendable, but a closer look at the implementation reveals a "dilemma of enforcement" and a puzzling step back in user experience that may, paradoxically, introduce new security risks.

The Proactive Security of Android 16

Android 16's security architecture is designed to be proactive, tackling threats before they can take hold. Many of the features, previously available as optional settings, are now part of a more integrated and enforced system. These include:

  • Blocking apps from unknown sources: A standard feature that has been fortified to prevent the installation of apps from unverified stores.
  • Disabling 2G connectivity: A crucial security measure that blocks connections to insecure 2G networks, which are highly vulnerable to downgrade attacks from IMSI catchers.
  • Enhanced app and web protection: Built-in features in apps like Google Messages and Phone to protect against spam and scams.
  • Theft detection features: A suite of anti-theft and anti-fraud measures, such as remote lock and locate, that can be configured in your device's security settings.

The most significant security advancement is the "Mandatory Enforcement of all security settings." This feature automatically enables a suite of protective settings and, critically, prevents the user from disabling them individually. The goal is to provide a comprehensive, tamper-resistant shield for those at the highest risk, such as journalists and activists. This "all-or-nothing" approach ensures that a user cannot inadvertently weaken their security posture by disabling a single, critical protection.

| Feature | Can be Individually Activated? | Description |
|---|---|---|
| Blocking apps from unknown sources | Yes | A standard Android security setting that prevents the installation of apps from sources other than a verified app store. |
| Disabling 2G connectivity | Yes | A user-facing setting on many modern Android devices that blocks connections to insecure 2G networks. |
| "Always Use Secure Connections" in Chrome | Yes | A setting within the Chrome browser's Privacy and security menu that forces all connections to use HTTPS. |
| Spam and scam protection in Google Messages & Phone | Yes | Built-in features of these apps that can be enabled or managed in their respective settings. |
| Theft detection features | Yes | A suite of anti-theft and anti-fraud features, such as remote lock and locate, that can be configured in your device's security settings. |
| Mandatory Enforcement of all security settings | No | Advanced Protection's core function is to automatically enable a suite of security settings and, critically, prevent you from disabling them. This enforcement mechanism itself is a unique aspect of the program. |
| Intrusion Logging | No | This is a specific security feature that creates and securely backs up tamper-resistant device logs for forensic analysis. This is not a user-facing setting. |
| Inactivity Reboot | No | The automatic reboot of a device after it has been locked for a set period of time (e.g., 72 hours). This is a unique security measure that is not a standalone option. |
| Restricted USB Access when Locked | No | A specific implementation that limits any new USB connection to charging only when the device is locked. |

The Counterpoint: A Conflict of Intentions

Google's intentions are to be applauded, but a closer look at the implementation of these security features reveals a practical dilemma with its "all-or-nothing" approach.

The "All-or-Nothing" Dilemma of the Advanced Protection Programme

The enforced disabling of 2G/3G connectivity presents a significant challenge. In Germany, while major network providers have largely decommissioned 3G and are working to phase out 2G, this older network still serves as a crucial fallback in many rural areas. For users on specific low-cost tariffs or with certain providers, this issue is even more pronounced. Despite widespread 4G/5G availability for internet access, these tariffs may not yet support Voice over LTE (VoLTE). As a result, phone calls are forced to fall back to the insecure 2G network, which is precisely what the "Advanced Protection" is designed to block.

A user with Advanced Protection enabled must therefore choose between two undesirable options: maximum security with the potential to be unreachable, or full connectivity with significantly reduced security. To make a non-emergency call, they are forced to disable the entire security package, thereby losing not just the 2G/3G block, but also enhanced web protection, advanced anti-theft measures, and other critical security features. The user is left to choose between maximum security and any connectivity at all, with no middle ground.

A second critical aspect of this programme is the rigid restriction on app installations. The Advanced Protection Programme (APP) is designed to only allow apps from the Google Play Store, a foundational pillar of its security model that is considered to drastically reduce the risk of malware and spyware from unverified sources. However, this poses a significant challenge for the very high-risk users it is designed to protect. Journalists and activists may rely on open-source, privacy-focused apps from repositories like F-Droid, or specialised tools for secure document submission and metadata removal. These applications might not be available on the Google Play Store for various reasons.

While a cumbersome workaround exists - deactivating APP, sideloading the app, and then re-enrolling - this process defeats the purpose of the programme. It leaves a window of vulnerability during the deactivation period, complicates app updates, and can lead to friction with Google Play Protect scanning. This highlights an inherent trade-off: the programme's strict "walled garden" approach, while enhancing security by reducing a major attack surface, may be counterproductive for a specific subset of the target group who rely on non-mainstream, highly secure applications for their work.

A Usability Step Back: The Case of the NFC Tile on Pixel

This "all-or-nothing" principle, or rather usability design approach, finds a surprising and counterintuitive echo in a different corner of the user experience, specifically on Google's Pixel phones: the lack of a native NFC toggle in the Quick Settings menu. The ability to quickly activate or deactivate NFC (Near-Field Communication) with a single tap was a convenient and secure feature, and is still common on many other Android devices. Its removal on Pixels now forces users to navigate deep into the settings menu to manage this function.

Online forums show that users are frustrated by this change and are seeking shortcuts to restore this functionality. The proposed solution is often to install a third-party NFC toggle app. While this may seem like a minor inconvenience, it represents a step backward in the user experience and, more importantly, a potential security risk. It harks back to the old days when "torch apps" and other simple utility apps were used by malicious actors to scrape contact details and other sensitive data. By forcing users to seek out and install third-party apps for basic, built-in functionality, Google risks re-introducing a vector for potential attacks that its security features were designed to prevent. This approach was also once researched by a publicly funded research programme; the final report is publicly available (in German).

Keeping your phone's Near-Field Communication (NFC) deactivated when not in use offers a simple yet effective defence against a number of potential security and privacy risks. By default, NFC-enabled devices are constantly listening for a signal, making them susceptible to unwanted interactions. This can include fraudulent payment requests from a "skimming" device held in close proximity, where a scammer could potentially initiate an unapproved transaction without your knowledge. Furthermore, deactivating NFC helps protect your privacy by preventing passive tracking. The technology can be used by NFC-beacons in public spaces to identify or log a device as you pass by, compiling data on your movements. Therefore, keeping NFC turned off until you specifically need it for a secure action, such as a mobile payment, helps mitigate both financial security risks and unwanted digital surveillance.

Outlook, Potential Solutions, Conclusion

The challenges posed by these security and usability trade-offs, while significant, do not seem insurmountable. The re-integration of a native NFC toggle in the Quick Settings menu appears to be a relatively easy fix that would be welcomed by the user community and would eliminate the security risks both of third-party workarounds and of keeping NFC unnecessarily activated.

Similarly, the "all-or-nothing" approach of the Advanced Protection Programme could be refined to offer more user-centric flexibility without sacrificing its core purpose. A more adjustable system could incorporate safeguards against unintentional deactivation, such as clear warning messages and confirmation via biometrics or a PIN. Furthermore, a time-limited deactivation option (e.g., 10 minutes, 1 hour, or a customised duration) for specific features like the 2G/3G block would allow users to handle an emergency connectivity need without permanently compromising their overall security. By adopting such refinements, Google could solidify its position as a leader in both digital security and thoughtful, user-centric design.
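The time-limited deactivation proposed above, sketched as a small policy model. This is an added example, not Android or Google code; the feature identifiers, the one-hour cap and the `ProtectionPolicy` class are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical feature identifiers, named after entries in the article's feature list.
ENFORCED = {"block_2g", "block_unknown_sources", "restrict_usb_when_locked"}
# Assumption: only the 2G block is eligible, the one feature the proposal names.
EXEMPTABLE = {"block_2g"}
# Assumption: cap custom durations at the longest preset mentioned (1 hour).
MAX_EXEMPTION_SECONDS = 3600


@dataclass
class ProtectionPolicy:
    """Toy model: every feature is enforced unless a live exemption exists."""
    # Monotonic clock, so changing the wall-clock time cannot stretch a window.
    clock: Callable[[], float] = time.monotonic
    exemptions: dict = field(default_factory=dict)  # feature -> expiry time
    audit_log: list = field(default_factory=list)

    def grant_exemption(self, feature: str, seconds: int, user_confirmed: bool) -> float:
        """Suspend one feature for a bounded time after PIN/biometric confirmation."""
        if feature not in EXEMPTABLE:
            raise PermissionError(f"{feature} cannot be suspended on its own")
        if not user_confirmed:
            raise PermissionError("PIN or biometric confirmation required")
        if not 0 < seconds <= MAX_EXEMPTION_SECONDS:
            raise ValueError("duration outside the allowed window")
        expiry = self.clock() + seconds
        self.exemptions[feature] = expiry
        self.audit_log.append(("granted", feature, seconds))
        return expiry

    def is_enforced(self, feature: str) -> bool:
        """Fail closed: a missing or expired exemption means the protection is on."""
        if feature not in ENFORCED:
            raise KeyError(feature)
        expiry = self.exemptions.get(feature)
        if expiry is None:
            return True
        if self.clock() < expiry:
            return False
        # Window elapsed: drop the exemption and record the automatic re-enable.
        del self.exemptions[feature]
        self.audit_log.append(("expired", feature))
        return True

    def revoke(self, feature: str) -> None:
        """Let the user end an exemption early, e.g. right after the call."""
        if self.exemptions.pop(feature, None) is not None:
            self.audit_log.append(("revoked", feature))
```

Because exemptions live only in memory in this model, a restart also returns every feature to its enforced state.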

With the rollout of Android 16, Google has once again demonstrated its apparent commitment to user safety and digital security. The new operating system introduces a suite of robust security features, many of which build on the "Advanced Protection" concept to provide a more secure mobile experience. Google's efforts to protect users from modern threats are commendable, but a closer look at the implementation reveals a "dilemma of enforcement" and a puzzling step back in user experience that may, paradoxically, introduce new security risks. Trade-offs are also recognised by professional associations, such as Freedom of Press Association, which welcome the improvements while acknowledging their current limitations.

Transparency Note

The imagery and the article have been created using artificial intelligence services, here Gemini.