Adamya Sharma / Android Authority
TL;DR
- Google is working on an Intrusion Detection system for Android, according to a teardown of the Play Services app.
- The system will collect a log of your device/network activities that can be accessed if you notice suspicious activity across your account or devices.
- Google’s code suggests this log is end-to-end encrypted and can only be accessed with your Google account password and device authentication.
Security seems to be a major focus for the upcoming Android 16 release. The company is working on an Advanced Protection Mode, but it also looks like another major security feature is in the pipeline.
An APK teardown helps predict features that may arrive on a service in the future based on work-in-progress code. However, it is possible that such predicted features may not make it to a public release.
We sifted through a beta version of the Google Play Services app (version 25.18.31) and discovered plenty of strings related to a so-called Intrusion Detection system. This isn’t the first time we’ve seen this feature name pop up, but these new strings give us an idea of what to expect. Check them out below.
Code
Device protection helps keep your device and data safe, but there are some things to know about turning on the protections.
Only the primary user can change this setting
Your activity logs will be stored in a private and encrypted Google Drive. This logs can be used for forensic analysis in cases of suspicious activity.
Intrusion detection
You are agreeing to E2EE log collection, such events as USB events, network info such as browsing history, app installs, Bluetooth connections, lockscreen info, and wifi. Only you are able to decrypt this data with your account password and device lock screen.
Log collection
This Google Account will be used to encrypt your logs. Be sure you are selecting the right account.
Google Account
Activate Intrusion Detection
Setup Advanced Protection The Intrusion Detection feature effectively keeps a private, encrypted log of system and network activities that can be analyzed in the event of suspicious activity. Activities collected as part of this log include USB events, app installs, Bluetooth connections, lock screen info, Wi-Fi, and browsing history.
Some of these activities are very sensitive. After all, you don’t want your browsing history falling into the wrong hands. However, the strings also note that this log is end-to-end encrypted and stored on a “private and encrypted” Google Drive. Another string adds that only you can decrypt the log via your Google account password and device lock screen.
It’s unclear whether the Android OS will perform forensic analysis of this log once it’s decrypted or if Google is merely giving you access to it for your own analysis.
We’ve previously seen strings related to this feature in Android 16, suggesting that it might not be coming to older versions of Android just yet. The final Intrusion Detection string also mentions Android 16’s Advanced Protection mode. This suggests that Intrusion Detection is indeed part of Android 16 and its Advanced Protection Mode.
Nevertheless, this sounds like an intriguing idea, and we’re guessing the log could also make life a little easier if you work in a sensitive field or if you’re simply worried about your device being hacked.
