Google is working with ecosystem partners to harden the security of firmware that interacts with Android. The Android operating system runs on the application processor (AP), but there are many other processors that handle tasks like cellular communications and multimedia processing.
"Securing the Android Platform requires going beyond the confines of the Application Processor," the Android team said. "Android's defense-in-depth strategy also applies to the firmware running on bare-metal environments in these microcontrollers, as they are a critical part of the attack surface of a device."
Google wants to make it harder to exploit vulnerabilities over the air to achieve remote code execution within the Wi-Fi SoC or the cellular baseband. To do this, they are exploring and enabling compiler-based sanitizers and turning on memory safety features in firmware as exploit mitigation measures. Given the resource constraints associated with bare-metal targets, the goal is to "harden the most exposed attack surface – while minimizing any performance/stability impact," the Mountain View-based company explained.
Another key area is the use of memory-safe programming languages like Rust for writing firmware code, continuing its efforts to expand its adoption across the platform.