Looking to up its security game, Google on Thursday introduced Android’s Private Compute Core in the beta version of Android 12.
In a blog post, Google described Private Compute Core as an open source, secure environment isolated from the rest of the operating system and applications — a move security researchers view as a potentially effective way to foil hackers.
For example, the caption, music, and messaging apps Google rolled out in this release of the Private Computer Core are managed by Private Compute Services, which lets the new features update over a private path.
According to Google, the Android OS will prevent any feature inside the Private Compute Core from having direct access to the network. Instead, features will communicate over a small set of open-source APIs to Private Compute Services, which then strips out identifying information and uses a set of privacy technologies to secure the apps, including Google’s Federated Learning and Federated Analytics, as well as private information retrieval, a protocol that encrypts a database query from a server.
By combining the Private Compute Core and Private Compute Services, Google has developed an innovative approach to augment the compute capability of Android-based devices in a secure manner, said Setu Kulkarni, vice president, strategy at NTT Application Security.
“This approach of open-sourcing the APIs and subjecting the Private Compute Services source code [to public scrutiny] is possibly the best way to beat the hackers,” Kulkarni said. “Harnessing the collective power of the security researchers on the right side of the equation is the only way to continuously outsmart those security criminals on the wrong side of the equation.”
Hank Schless, senior manager, security solutions at Lookout, viewed Google’s approach as a step in the right direction to keep certain personal data hidden from apps as a way to protect user privacy. Schless said there’s been a big push from both Google and Apple to provide more visibility into data sharing and implement default privacy protection capabilities in their mobile operating systems.
“However, as is the case on both iOS and Android, if someone can gain root access to the device, then any data on it is fair game — regardless of the default security features,” Schless explained. “It’s also encouraging to see Google opening up the source code of this new service so it can be reviewed by other security professionals. Collaboration between security organizations and individuals is key to ensuring protection against the myriad of cyber threats that put our personal and work-related data at risk every day.”