Google's new flagship Pixel 6 and 6 Pro smartphones have gotten solid reviews so far, thanks in part to the custom Tensor processor inside. Google designed the “system on a chip” in-house, giving it a speed and efficiency advantage similar to what Apple enjoys with its homegrown silicon. And while there's a lot to admire in the snappy performance and all-day battery life, Tensor offers another, less touted benefit: security.
Google's not alone in its push to make its own smartphone chips, a trend that has built across the industry over the past several years. By controlling every layer—hardware, firmware, and software—companies don't need to rely on the wherewithal of outside partners. As a result, the Pixel 6 and 6 Pro take some big steps, like guaranteeing security updates for five years, up from an industry standard three years. (Apple typically supports old iPhones for up to seven years, but it doesn't make promises up front.)
Some of the biggest security and privacy benefits on Pixel 6 and 6 Pro are less obvious, though, and relate to how Tensor and Google's additional Titan M2 security chip work to silo and defend sensitive data. Adding new transparency features and security protections from Android 12 on top of that, the Pixel team says its goal was to make the cost of hacking the 6 and 6 Pro as high as possible for attackers.
“It doesn’t mean there are no bugs ever, it doesn’t mean it’s impossible to hack, but the cost keeps rising,” says Dave Kleidermacher, vice president of engineering for Android security and privacy. “I think it's becoming more and more clear that the open source strategy is the winning strategy.”
That strategy is in contrast to Apple's closed iOS ecosystem, which has certainly had its security struggles in recent years. Then again, Android has as well, and it deals with the additional hurdle of manufacturers offering their own versions of the operating system on their hardware—meaning not all security and privacy updates make it to every device in a timely manner, if at all.
The Pixel 6 and 6 Pro have all the goods, though. Tensor is based on ARM technology and uses that company's isolation architecture, TrustZone, as one way to cordon off sensitive data and computations. On the Pixel 6 and 6 Pro, TrustZone runs a specialized, secure, open source Google operating system known as Trusty OS.
Android 12 was also the debut of an open source software sandbox known as Private Compute Core. It exists inside the regular operating system, but is specially isolated to run private data analysis that powers features like Live Caption and Smart Reply suggestions without storing or sharing any data with Google.
And the secure processing fun doesn't stop there. Tensor also has a dedicated physical area, Tensor Security Core, that handles the system on a chip's most sensitive data and communicates with the Titan M2 chip to protect vital processes like secure boot. Titan M2 is a totally separate custom chip that now has more memory, more storage, and more robust cryptography engines for things like encryption key management.
Secure enclaves like Titan are only as locked down as their connection to the outside world, though. Think of it like putting a drawbridge over a moat instead of a two-lane road. Rather than a free-for-all connection to Tensor, the special hardware region provides limited and controlled communication with Titan M2, to reduce the chance that a rival army can skip the siege and just drive right in.
“We’ve worked hard to bring user data protection and transparency to the center of what we’re building in silicon, too,” says Jesse Seed, Google's product manager lead for silicon security. “And Titan M2 is now more resilient to advanced attacks. We've tested it with our internal red teams, but also independent security labs and hardware standards.”
On the software side, Pixel 6 and 6 Pro offer a Security Hub to manage settings and get tips in one central location, plus the Android 12 Privacy Dashboard, where you can see what your apps have been up to, which permissions you've granted them, and how to make changes if you want to. The phones also come with a toggle setting that lets you stop your Pixel phone from connecting to the 2G wireless data network. That way, if you don't need 2G service you can minimize the chance that a surveillance device like a "stingray" will trick your phone into connecting over 2G to exploit the old network's security vulnerabilities and grab your data.
The Pixel 6 and 6 Pro also come with on-device anti-phishing protections that locally scan potentially malicious phone calls, SMS text messages, emails, and even links sent through partner apps—like WhatsApp, Instagram DMs, and Facebook Messenger Lite—to warn you if something seems off. It does all of this on-device through Tensor's Private Compute Core—similar to how Google's Smart Reply feature sees everything you're typing so it can make suggestions, but it doesn't store or share the information.
Another new feature likely won't be used much by regular Android users, but could mark the beginning of an important trend in operating system security. Known as Google Binary Transparency, the service allows researchers or anyone with some technical capabilities to check whether the version of Android running on a Pixel is the verified version that Google intended. The idea is to be able to assess whether a phone has been compromised to run a backdoored or otherwise manipulated version of Android. The system stores signed hashes on a public ledger that should match hashes you can generate from your own device. If they don't match, it's an instant red flag. And if researchers discover that the hash of a known compromised phone does match the hash logged in Google Binary Transparency, it could reveal an insider threat within Google.
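To make the ledger check concrete, here is an added example (written for this article, not Google's code or its actual log format) showing how a transparency-log lookup works in general: the device's build digest must appear as a leaf in a Merkle-tree log, and an inclusion proof ties that leaf to the log's published root. The log entries are constructed sample values, and verifying the signature on the published root, which the article's "signed hashes" implies, is assumed to happen separately.

```python
import hashlib

# Constructed sample ledger: one digest per published build (made-up values,
# not real Pixel hashes). A real log would publish a signed root over these.
SAMPLE_LOG = [hashlib.sha256(b"sample-build-" + str(i).encode()).digest()
              for i in range(5)]

def leaf_hash(data: bytes) -> bytes:
    # RFC 6962-style domain separation: 0x00 prefix marks a leaf
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix marks an interior node, so a leaf can never pose as a node
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # largest power of two strictly less than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(entries):
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))

def audit_path(entries, m):
    """Sibling hashes from leaf m up to the root, as (hash, sibling_is_left)."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return audit_path(entries[:k], m) + [(merkle_root(entries[k:]), False)]
    return audit_path(entries[k:], m - k) + [(merkle_root(entries[:k]), True)]

def verify_inclusion(device_hash, path, root) -> bool:
    """Recompute the root from the device's digest and the audit path."""
    h = leaf_hash(device_hash)
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

def check_device(device_hash, log) -> bool:
    """True if the digest computed on the device is in the public log and its
    inclusion proof checks out; False is the article's 'instant red flag'."""
    if device_hash not in log:
        return False
    idx = log.index(device_hash)
    return verify_inclusion(device_hash, audit_path(log, idx), merkle_root(log))
```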
“It's a self-policing mechanism,” Kleidermacher says. “We're telling the world you don’t have to trust us, you can check this public database. It's an extra level of transparency.”
Mozilla offers a binary transparency mechanism for its Firefox browser, and certificate authorities on the web are designed similarly for verification. Adopting such transparency features for the world's major operating systems would create an extra integrity check and layer of accountability. For its part, Google hopes eventually to expand Binary Transparency across the Android ecosystem. Other Android phone makers could set up their own public logs, and security researchers could create “binary transparency witnesses” to act as independent monitors of Google and others' ledgers.
Even with all of this year's improvements, it's important to remember that Pixels still make up a tiny fraction of the billions of Android smartphones out in the world. The real impact will come if manufacturers make the latest security software features broadly available and invest heavily in their own hardware security. Even then, many of these features may not reach lower-cost devices for years, if ever.
Updated Wednesday October 27, 2021 at 8:45pm ET to include additional details about Google Binary Transparency and clarification about the role of Private Compute Core.