Android N comes with quite a few new changes to the system software, many of which have already been talked about and discussed at some length when Google initially released the first developer preview for the software out to the public. As always when it comes to new versions of the Android OS, Google has improved the security to better protect the system and its users. In particular, Google has done some extensive work to help strengthen the system with Android N so that they can help to prevent bugs from becoming vulnerabilities like the nefarious Stagefright bug which was launched last year that had the Android community at large in a huge uproar.
The Stagefright bug happened in the mediaserver which handled various tasks related to different media functions, and Google states that the bug was “found in code that was responsible for parsing file formats and media codecs.” The mediaserver was responsible for a handful of these different aspects of the system, but Android N changes things up by splitting the different permissions and the mediaserver into separate parts. Google notes that this will make it easier to prevent such attacks like Stagefright in the future and to cut down on the scale of the issue if something similar were to ever arise again.
In addition to splitting the mediaserver components up into separate parts, each component only has permissions to access the function that it is designed to handle tasks for, meaning the “cameraserver” wouldn’t be granted permissions to access things like Bluetooth or DRM. This approach is set up so that the system is able to better control any potential problems and security risks like Stagefright going forward, and Google is making sure they do what they can to also prevent things from transforming into such vulnerabilities in the first place. Google notes that with Android N, parsing code has been moved into sandboxes that either have no permissions at all, or have fewer permissions than they did before, or in this case than they do now as Android N has not yet been released outside of the developer preview state.