Skip to main content

How Android 16’s Advanced Protection secures Chrome

With Android 16, users can enable Advanced Protection to “activate Google’s strongest security for mobile devices.” The Chrome for Android team has now detailed how Advanced Protection works.

There are three main Advanced Protection features in Chrome 137+ on Android 16, starting with “Always use secure connections” — or HTTPS — being enabled. Before connecting to an insecure (HTTP) site, Chrome asks for explicit permission before loading. 

There may be attackers attempting to interpose on connections on any network, whether that network is a coffee shop, airport, or an Internet backbone. This setting protects users from these attackers reading confidential data and injecting malicious content into otherwise innocuous webpages.

This setting can be enabled independently of Advanced Protection from Chrome Settings > Privacy and security > Always use secure connection. 

The next feature disables the “higher-level optimizing Javascript compilers inside V8.” 

Advertisement - scroll for more content

V8 is Chrome’s high-performance Javascript and WebAssembly engine. The optimizing compilers in V8 make certain websites run faster, however they historically also have been a source of known exploitation of Chrome. Of all the patched security bugs in V8 with known exploitation, disabling the optimizers would have mitigated ~50%

This prevents a large category of exploits, but at the expense of “causing performance issues for some websites.” You can also enable this independent of Advanced Protection from Settings > Privacy and security > Javascript optimization & security, with the ability to add per-site exceptions if pages you frequently are heavily impacted.

Finally, Advanced Protection enables Site Isolation wherein Chrome “isolates each website into its own rendering OS process” in memory. 

This isolation prevents a malicious website from accessing data or code from another website, even if that malicious website manages to exploit a vulnerability in Chrome’s renderer—a second bug to escape the renderer sandbox is required to access other sites

Desktop Chrome enables Site Isolation by default, but mobile Android devices have memory constraints. Without Advanced Protection, “Chrome will only isolate a site if a user logs into that site, or if the user submits a form on that site.” 

Advanced Protection isolates all sites on devices with 4+ GB of RAM. 

FTC: We use income earning auto affiliate links. More.

You’re reading NewGeekGuide — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow NewGeekGuide on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com