Skip to main content

Pixel 4 and Pixel 4a get ioXt certification, which rates security of preloaded apps

The Pixel 4a was announced last Monday and still has over a week to go before becoming available. On the security front, it features a Titan M chip and three years of updates. Google today also revealed that the phone, along with the Pixel 4, is the first Android device to get ioXt certification at launch.

The Internet of Secure Things Alliance (ioXt) is behind a security compliance assessment program for connected devices, like smartphones, smart speakers, and lighting. It counts over 200 members and is meant to “enable users, enterprises, regulators, and other stakeholders to understand the security in connected products to drive better awareness towards how these products are protecting the security and privacy of users.”

The core focus of ioXt is “to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.” This is accomplished by assessing devices against a baseline set of requirements and relying on publicly available evidence. 

An ioXt Android Profile includes a number of factors with multiple rating levels (1-4): biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization.

One ‘criteria’ for the program is “Security by Default,” which “rates devices by cumulatively scoring the risk for all preloads on a particular device.” This has been an area of concern for some security researchers. Google and partners created an open source “Uraniborg” tool to analyze devices and generate a raw score.

For this particular measurement, we worked with a team of university experts from the University of Cambridge, University of Strathclyde, and Johannes Kepler University in Linz, who created a formula that considers the risk of platform signed apps, pregranted permissions on preloaded apps, and apps communicating using cleartext traffic.

For Google, getting this rating “provides increased trust in the security claims we make to our user.” All future Pixel phones will be submitted to get ioXt certification.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com