Similar to iOS lockdown mode, Android 16’s Advanced Protection feature is misguided. It adds security features exclusive to it which require using all of the other features. This prevents people from using new security features if they need to avoid one feature.
https://security.googleblog.com/2025/05/advanced-protection-mobile-devices.html
Most of the features already existed. The new ones are cloud-based intrusion logging, inactivity reboot (hard-wired to 72 hours), a new mode of USB protection and disabling auto-connect to a small subset of insecure Wi-Fi networks. Production MTE support is also essentially new.
GrapheneOS added locked device auto-reboot in July 2021. We proposed it to Google for Android in January 2024 as part of reporting exploitation by forensic data extraction companies. They implemented several of our other proposals, but not this until iOS added it in October 2024.
Both GrapheneOS and iOS enabled locked device auto-reboot by default, at 18 and 72 hours respectively. It can be set between 10 minutes and 72 hours on GrapheneOS along with having an opt-out. Putting this behind a feature barely anyone will use makes the real world impact minimal.
The Advanced Protection mode support for the ARM Memory Tagging Extension (MTE) is misleading. It won’t be using it for the kernel, most of the base OS or 99.999999% of apps. It will only be enabled for certain base OS components and a tiny minority of apps explicitly enabling it.
Certain apps like Molly opt in to MTE, but this doesn’t really do anything since so far Android isn’t providing any production MTE support. This tiny minority of apps enabling the feature will finally have it on certain devices for < 0.001% of users using Advanced Protection.
Chrome / Chromium provides a very misleading “V8 Optimizer” toggle which contrary to popular belief does not disable the Just-In-Time compiler and therefore cannot block dynamic code generation. It’s not a default JIT disable like iOS lockdown mode or default GrapheneOS.
Chrome’s “V8 Optimizer” toggle started out as a JIT toggle. However, Chromium’s WebAssembly support currently requires JIT and they quickly crippled the setting in an emergency update. It now only disables the highest 2 tiers of the JIT, so a lot of the security value is missing.
Microsoft implemented a simple WebAssembly interpreter for Microsoft Edge as part of their earlier JIT disable feature. Microsoft submitted their WebAssembly interpreter to Chromium and got it merged after a long time. Chrome / Chromium doesn’t use it, maintain it or test it.
Since they aren’t maintaining or testing it, other Chromium-based browsers can’t use this feature without taking on the responsibility of maintaining it. Google could easily start maintaining it to fix their very misleading “V8 Optimizer” toggle but so far has neglected to do so.
It’s entirely possible to provide the new security features standalone and then group them together in a mode enabling all of them, but with the option to disable certain features. That could then show up as a warning that the mode isn’t fully enabled. Instead, they copied iOS.
Part of enabling Android’s Advanced Protection feature is disallowing users from installing apps from outside of the Play Store. This can currently be bypassed using Android Debug Bridge via developer options, but that’s awful for security and they’ll likely crack down on it too.
Coming from the Play Store doesn’t make apps trustworthy, safe or secure. Most malware apps on Google Mobile Services devices are installed from the Play Store. Similarly to the Play Integrity API, it’s Google reinforcing their monopolies with security as an excuse for it.
Google was already blocking competing app stores with their Advanced Protection Program required to properly secure a Google account, but now they’re tying Android device security to this. Want proper encryption security via inactivity reboot? You cannot use competing app stores.
Google has taken a similar path with the extraordinarily anti-competitive Play Integrity API, which disallows using any hardware or OS not licensing Google Mobile Services (GMS). Licensing GMS forces shipping Google apps with invasive access and limits allowed changes to the OS.
OEMs licensing GMS are blocked from including many features in GrapheneOS. They obviously can’t provide sandboxed Google Play, but less obviously can’t provide our Storage Scopes, Contact Scopes, Sensors toggle, Network toggle, much broader/better MTE integration and far more.