Google Urges OEMs To Support Oreo’s ‘Rollback Protection’ Feature To Block Downgrading
With the advent of Android 8.0 Oreo, we have seen Google getting more serious about security issues on Android devices. The company has introduced numerous security features with Oreo such as Play Protect and a new security feature dubbed Rollback Protection.
This feature is pretty crucial for ensuring the safety of the device from hackers who often downgrade the Android version without user permission. Rollback Protection detects if a device has been downgraded to the previous version of the operating system. Unfortunately, it is not on every device that runs Oreo.
Rollback Protection adds another security layer to the Android ecosystem, and it can come in handy if the device gets lost or stolen. In such cases, the thief often rolls back the software to the previous version of the OS to get access. Rollback Protection, which is now a part of Verified Boot known as Android Verified Boot 2.0, stops the device from booting if the software has been tampered with by third-party services such as a rootkit. Android Verified Boot 2.0 is a part of Oreo, and it runs hand-in-hand with Project Treble.
Regarding Rollback Protection, Google revealed limited details about the feature, which attracted a backlash from some Android users who downgrade their devices even though it poses a security risk.
Relies on Project Treble
Google states that Rollback Protection's functionality depends on Project Treble. But as we know, Project Treble support is kinda scarce at the moment, with just a handful of devices supporting it. The ones supporting Treble are the Pixel 2 lineup and the Sony Xperia XZ1, while devices like the Nokia 8 do not support it. Google also says that Rollback Protection comes enabled in the Pixel 2 and Pixel 2 XL, and it depends on the Trusted Execution Environment signing the version of Android on the device. Now, Google wants OEMs to support the feature too.
In a statement, Google urges OEMs and writes:
Rollback protection is designed to prevent a device to boot if downgraded to an older OS version, which could be vulnerable to an exploit. To do this, the devices save the OS version using either special hardware or by having the Trusted Execution Environment (TEE) sign the data. Pixel 2 and Pixel 2 XL come with this protection and we recommend all device manufacturers add this feature to their new devices.
As appropriate as the Rollback Protection feature comes across, it will ultimately depend on OEMs to include it in their phones running Oreo. Of course, this feature may not go down well with Android enthusiasts who engage in downgrading their Android devices.
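The check described in Google's statement above, where the device keeps the OS version in a record authenticated by the TEE and refuses to boot anything older, can be sketched as follows. This is an added example, not Google's or Android's code: the key, the record layout, the function names and the use of an HMAC as a stand-in for the TEE's signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a key that never leaves the TEE (assumption).
TEE_KEY = b"constructed-demo-key-held-inside-tee"
RECORD_LEN = 4 + hashlib.sha256().digest_size  # 4-byte version + 32-byte tag


def tee_seal(min_version: int) -> bytes:
    """Build the stored record: big-endian version followed by its HMAC tag."""
    body = struct.pack(">I", min_version)
    return body + hmac.new(TEE_KEY, body, hashlib.sha256).digest()


def tee_open(record: bytes) -> int:
    """Authenticate the record and return the minimum allowed OS version."""
    body, tag = record[:4], record[4:]
    expected = hmac.new(TEE_KEY, body, hashlib.sha256).digest()
    if len(record) != RECORD_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("version record failed authentication")
    return struct.unpack(">I", body)[0]


def boot_check(image_version: int, record: bytes):
    """Return (decision, record to keep in storage) for one boot attempt."""
    try:
        stored = tee_open(record)
    except ValueError:
        # Someone edited the stored version without the TEE key.
        return "refuse: tampered version record", record
    if image_version < stored:
        # Older OS than the device has already run: treat as a downgrade.
        return "refuse: rollback", record
    # Same or newer OS: boot, and raise the floor so it cannot go back.
    return "boot", tee_seal(max(stored, image_version))


if __name__ == "__main__":
    record = tee_seal(3)                       # device last ran version 3
    decision, record = boot_check(4, record)   # update to version 4
    print(decision)
    print(boot_check(3, record)[0])            # attempt to go back to 3
    forged = struct.pack(">I", 1) + record[4:]  # version edited, old tag kept
    print(boot_check(3, forged)[0])
```

Authenticating the record only detects edits to it; the storage holding the record must also resist being restored to an older authentic copy, which is where the special hardware mentioned in the statement comes in.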