Cover photo
Adrian Ludwig
Worked at Google


Adrian Ludwig

Shared publicly  - 
I'm really excited about the progress we've made helping Android developers write more secure applications.
Posted by Rahul Mishra, Android Security Program Manager In April 2016, the Android Security team described how the Google Play App Sec...
Add a comment...

Adrian Ludwig

Shared publicly  - 
I've been told "you look like a boyband gone bad", which sounds about right.
Heather Adkins's profile photoEdward Morbius's profile photoDaniel Koman's profile photo
third guy looks like Gilfoyle
Add a comment...

Adrian Ludwig

Shared publicly  - 
It's exciting to see Coolpad start 2016 by confirming that they are providing monthly security updates for three of their popular Android phones (Coolpad Y90-G00, T2-00, and ivvi SS1-03) with more coming soon.

Yesterday, the Nexus team began to rollout the first monthly security update of 2016. And Samsung has been in the news repeatedly this week as they deliver the December monthly update to the Galaxy S6, S6+, Note 5 and other devices.

The new Android Security Patch Level has made it much easier for everyone (including those of us on the Android team at Google) to see how updates like these are getting delivered through the ecosystem. One of my New Year's resolutions is to make this information even more broadly available -- and we're already hard at work to make that happen.

Congrats to all the people that are making this happen.

 ·  Translate
Add a comment...

Adrian Ludwig

Shared publicly  - 
I read a few articles today that said "75% of Android devices can be remotely unlocked by Google" and I immediately thought "wait, that doesn't sound right."  The articles relied on some inaccurate assumptions.

Here are the facts, which can be independently confirmed via the source code that has been published in AOSP:

Google has no ability to facilitate unlocking any device that has been protected with a PIN, Password, or fingerprint. This is the case whether or not the device is encrypted,  and for all versions of Android. 

Google also does not have any mechanism to facilitate access to devices that have been encrypted (whether encrypted by the user, as has been available since Android 3.0 for all Android devices, or encrypted by default, as has been available since Android 5.0 on select devices).

There are some devices (far fewer than 75%, although we don't have an exact number) that have been configured to use a "pattern" to unlock.  Until Android L, "pattern" unlock did provide a recovery option with the Google account.  This recovery feature was discontinued with Android L.

Also, the lost pattern recovery feature never applied to PIN or Password so if you are on an earlier model device and don't want to use the pattern recovery feature, you can switch to a PIN or Password and it will be disabled.

Please let me know if you have any questions.
Henny Roggy's profile photoDominik Frizel's profile photoBen “an3k” Humpert's profile photoWill Hill's profile photo
The point of software freedom, +Andreas Proschofsky, is that you don't have to trust software, the community can verify it and remove malicious features.  We should own our devices and no one should be able to betray us this way.  That's different in both principle and practice from non free software.  

That is why copyleft is important.  That Android comes from an open source project does the user no security good if it's impossible or impractical to replace what you get from a vendor.  It also does the user little good if they load it up with non free spyware loaded applications like Angry Birds.  
Add a comment...

Adrian Ludwig

Shared publicly  - 
Exciting to see that Samsung began to roll out monthly security updates for a bunch of their most popular models on October 12.

The models they are supporting include Galaxy S6 Edge+, S6, S6+, S6 Edge, Note 5, Note 4, Note Edge, Tab S, and Tab S2.

More details are here:
At Samsung, we take security and privacy issues very seriously and we are doing our best to respond as quickly as possible. Securing your device and maintaining the trust you place in us is our top priority. Background: In order to meet your expectations and continue to keep our products secure, ...
Dan Hirsch's profile photoDennis Stöckmann's profile photoAdrian Ludwig's profile photoJose Chung's profile photo
So not my regular Tab then?
Add a comment...

Adrian Ludwig

Shared publicly  - 
Here are the slides from my talk at Blackhat last week:

At the conference, we announced that Nexus devices will receive monthly security updates and bulletins. So, if you're looking for more information about what's in the current update for Nexus devices the Nexus Security Bulletin has all the details.  Here's the link:

(We posted them in a Google Group so you can also sign up to receive these via email in the future.)
Google Groups allows you to create and participate in online forums and email-based groups with a rich experience for community conversations.
SUBHAJIT DEUTY's profile photo
Subhajit Deuty 
Add a comment...

Adrian Ludwig

Shared publicly  - 
The fight against Ghost Push continues

Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware.

Ghost Push has continued to evolve since we began to track it. As we explained in last year's Android Security report [], in 2015 alone, we found more than 40,000 apps associated with Ghost Push. Our actions have continued at this increasingly large scale: our systems now detect and prevent installation of over 150,000 variants of Ghost Push.

Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point [], a cyber security company, to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps. This morning, Check Point detailed those findings on their blog.

As always, we take these investigations very seriously and we wanted to share details about our findings and the actions we've taken so far.


- No evidence of user data access: In addition to rolling back the application installs created by Ghost Push, we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.
- No evidence of targeting: We used automated tools to evaluate whether specific users or groups of users were targeted. We found no evidence of targeting of specific users or enterprises, and less than 0.1% of affected accounts were GSuite customers. Ghost Push is opportunistically installing apps on older devices.
- Device integrity-checks can help: We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push.
- Device updates can help: Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected. Also, if a system image is available (such as those we provide for Nexus and Pixel devices[]) a reinstall of the system software can completely remove the malware.


- Strengthening Android ecosystem security: We’ve deployed Verify Apps [] improvements to protect users from these apps in the future. Even if a user tries to install an offending app from outside of Play, Verify Apps has been updated to notify them and stop these installations.
- Removing apps from Play: We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future. Downloading apps from Google Play, rather than from unknown sources [], is a good practice and will help reduce the threat of installing one of these malicious apps in the future.
- Protecting Google Accounts: We revoked affected users’ Google Account tokens and provided simple instructions so they can sign back in securely. We have already contacted all users that we know are affected.
- Teaming-up with Internet service providers: We are working with the Shadowserver Foundation and multiple major ISPs that provided infrastructure used to host and control the malware. Taking down this infrastructure has disrupted the existing malware, and will slow the future efforts.


We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall. These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.

This was a team effort within Google, across the Android security, Google Accounts, and the Counter-Abuse Technology teams. It also required close coordination with research firms, OEMs, and hosting companies. We want to thank those teams for their assistance and commitment during our ongoing efforts to fight Ghost Push and keep users safe.
technical App's profile photoSteve Nordquist's profile photo
+technical App Mentions Lucky Patcher, gives no revision, scope etc.
Add a comment...

Adrian Ludwig

Shared publicly  - 
Excited to see LG launch a new security site with security news and security bulletins for their Android devices.

(Spiffy logo, too, btw.)
LGE Logo PRODUCTSECURITY. LG Product Security Response Team. menu. HOME. Introduction; Product Security Info. LG SECURITY NEWS · LG RESPONSE PROCESS · LG SECURITY BULLETINS. Android Mobile; webOS. SECURITY ISSUE REPORTING ...
Madan Ankapura's profile photoMarco Giglio's profile photofaplin handoko's profile photo
Samsung has security patch oktober LG still stuck on April
Add a comment...

Adrian Ludwig

Shared publicly  - 
On January 19th, 2016, Perception Point and Red Hat announced a security issue (CVE-2016-0728) in the mainline linux kernel that affects some Android devices. We have received some questions, so I want to quickly provide an update.

We have prepared a patch, which has been released to open source and provided to partners today. This patch will be required on all devices with a security patch level of March 1 2016 or greater.

In addition, since this issue was released without prior notice to the Android Security Team,  we are now investigating the claims made about the significance of this issue to the Android ecosystem.  We believe that the number of Android devices affected is significantly smaller than initially reported. 

We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications.  Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those newer kernel versions not common on older Android devices.
Laurence Marks's profile photothomas lint's profile photoMatthew Karlsson's profile photoPaul Eubanks's profile photo
+Matthew Karlsson "Google and Microsoft are not in the same position to make these demands, unfortunately."

I call shenanigans.  Android makes up a much bigger marketshare than iPhones for carriers, so they absolutely could.  MS maybe not, but Google could.  They choose not to, and subsequently their users get the current awful predicament.  
Add a comment...

Adrian Ludwig

Shared publicly  - 
I'm very excited to see HTC starting to OTA the December security update to the HTC One (A9) at the same time it's going out to Nexus devices.

Congrats to the HTC team!
As promised, HTC has quickly been updating its One A9 smartphone with the December version of Android’s latest security patches and US carrier AT&T has this week begun rolling the update out to consumers. The announcement was made yesterday by HTC’s Vice President of Product Management, Mo Versi. AT&T HTC One A9 customers may have already spotted an OTA update notification come through, or can expect to see one in the coming days. If not, you ...
Jérôme de Bretagne's profile photoStéphane Raulin's profile photo
according to the release note, this patch includes the November Security Update.

Android security patch level: 2015-11-01
Add a comment...

Adrian Ludwig

Shared publicly  - 
I'm very excited to see that Blackberry is also going to be providing monthly security updates for their new Android device, Blackberry PRIV.
Matthew Garbett's profile photoRobert Kaiser's profile photo
I'm excited about the technology behind this new device. If only blackberry was smart enough to realize that the market demands more than one type of Android phone. Honestly they only have one model that cost $750?

Motorola has good phones that cost $129 up to $600, just a few basic models but covering a wide range of user's needs in financial price points.

Most of us simply can't justify spending that huge amount of money that Blackberry is demanding. They really need somebody who understands the market if they ever want to sell phones again
Add a comment...

Adrian Ludwig

Shared publicly  - 
There’s common, mistaken assumption that any software bug can be turned into a security exploit.  In fact, most bugs aren’t exploitable and there are many things Android has done to improve those odds. We’ve spent the last 4 years investing heavily in technologies focused on one type of bug -- memory corruption bugs -- and trying to make those bugs more difficult to exploit. 

A list of some of those technologies that have been introduced since since Ice Cream Sandwich (Android 4.0) are listed here:  The most well known of these is called Address Space Layout Randomization (‘ASLR’), which was fully completed in Android 4.1 with support for PIE (Position Independent Executables) and is now on over 85% of Android devices. This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit.  (For the layperson — ASLR makes writing an exploit like trying to get across a foreign city without access to Google Maps, any previous knowledge of the city, any knowledge of local landmarks, or even the local language.  Depending on what city you are in and where you’re trying to go, it might be possible but it’s certainly much more difficult.)  But we didn’t stop with ASLR, we’ve also added NX, FortifySource, Read-Only-Relocations, Stack Canaries, and more.

Like most advanced security technologies, we’re always assessing the effectiveness of these new approaches, and looking for ways to refine them to better protect users. We know that some bugs are simply not exploitable, even without exploit mitigation.  We know these technologies make exploitation more difficult — and that in some instances that they make exploitation impossible.  But the research community today is incentivized to find lots of bugs rather than to test exploit mitigation technologies, so it can be difficult to know if exploitation of bugs is actually possible.

So, to help test these technologies, we designed the Android Security Rewards [ ] program to strongly incentivize researchers to actually prove that an issue is exploitable.  We will pay up to $30,000 for developers that provide working remote exploits against current Nexus devices.  So far we have had a few issues filed as security bugs, but haven’t had anyone submit an exploit in an attempt to be paid via Android Security Rewards.  (Some people warn me that it’s tempting fate to make that statement.  But that’s not true: this is an intentional request for researchers to start testing those defenses. We want to know about when Android’s exploitation mitigation works, and when it doesn’t work. So I hope this will result in an exploit being presented. The sooner we know about it, the sooner Android users will get better protections.)

Of course, if there is any chance that an issue might be exploitable, we’ll quickly provide a patch for the issue to our partners, to our Android devices, and to the public via the Android Open Source Project.

But updates are truly a last resort.  They should be neither the first nor the only step in a multi-layered stack of security technology. I’m optimistic that advanced exploitation mitigation technology in Android will help us to move beyond the period of time when fast patching was the only solution available to secure devices.  And I look forward to more research into how these technologies can be used to prevent exploitation on Android and other platforms.
Charanyan Iyengar's profile photoJeremy Collins's profile photoJoshua J. Drake's profile photoPasqualino maganuco's profile photo
+Autonoleggio Alghero Aeroporto - Aiguarentacar Stagefright exploits  thank
Add a comment...
  • Google
    Android Security
  • Adobe Systems
    Secure Software Engineering
  • Macromedia
    Product Security
  • NSA
  • @stake
    Security Architect
Basic Information