
ChromeOS Security Features

When ChromeOS was first released, it was seen as one of the most secure modern operating systems on the market. ChromeOS includes multiple layers of security, following the computing principle of "defense in depth", so that your sensitive content stays safe even in the unlikely event that one layer of security fails.

This chapter describes the security features that are included with ChromeOS; however, it is worth noting that the most important layer of security is the end user. Users should always be vigilant about following best practices, because a user who ignores them can undermine all the built-in security features that ChromeOS offers.

ChromeOS Core Security Features

Automated Security Updates and Patching

One of the most common entry points for malicious software is outdated software. New exploits are discovered every single day, and the ChromeOS team is constantly working to ship the latest patches so that these exploits cannot affect ChromeOS users. Unlike other popular operating systems on the market, ChromeOS has a robust set of mechanisms to update devices automatically, with no user interaction aside from a reboot.

In addition to security updates, a ChromeOS update may also introduce new features or enhance existing features. 

ChromeOS devices receive automated security updates for a finite amount of time. This is normally between 5 and 10 years from the date that the model was initially released, not from the date that your specific device was purchased. It is strongly advised that all users refer to our ChromeOS Device Database to check their device's "EUA Date" and avoid purchasing devices that are unable to receive updates.

Verified (Signed) Boot Chain

ChromeOS uses a sophisticated boot sequence to prevent malicious code, known as root-kits, from being injected into the operating system's kernel. Root-kits are one of the most damaging forms of malware that a computer can be infected with because, unlike traditional malware, they can survive a complete re-installation of the operating system. All ChromeOS devices include custom firmware eUFI that manages the initial boot process and will refuse to boot operating systems that are not cryptographically signed by Google. Once the initial boot process has started, each additional step of the ChromeOS boot process is also checked to ensure that the operating system has not been tampered with. Additionally, the kernel and all kernel modules are also signed.

If you enable ChromeOS's Developer Mode, the ChromeOS Verified Boot Chain can be turned off, which will allow users to boot untrusted/modified operating systems or to run unsigned kernels. Turning developer mode on and disabling ChromeOS Verified Boot can introduce security vulnerabilities, as it could theoretically permit malicious software to tamper with the operating system or insert itself into the boot process. 
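
A simplified model of the signed boot chain described above, added here as an example; it is not ChromeOS's actual firmware code. It assumes a single vendor key for every stage and a toy, unpadded RSA key, and the stage names and images are constructed for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes. Constructed for this example and
# NOT secure; it stands in for the vendor's signing key.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                            # public modulus, baked into read-only firmware
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer

def digest(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign(image: bytes) -> int:
    """Signer side: textbook RSA over the SHA-256 digest (no padding, toy only)."""
    return pow(digest(image), D, N)

def verify(image: bytes, sig: int) -> bool:
    """Device side: needs only the public values N and E."""
    return pow(sig, E, N) == digest(image)

def boot(stages, developer_mode=False):
    """Check each stage in boot order; return (booted, log)."""
    log = []
    for name, image, sig in stages:
        if verify(image, sig):
            log.append(f"{name}: signature ok")
        elif developer_mode:
            log.append(f"{name}: UNVERIFIED, allowed because verification is off")
        else:
            log.append(f"{name}: bad signature, refusing to boot")
            return False, log
    return True, log

def make_chain():
    """Constructed sample images, signed as the vendor would sign a release."""
    images = [("firmware", b"rw-firmware 1.0"), ("kernel", b"kernel 1.0"),
              ("kernel-module", b"module 1.0")]
    return [(name, img, sign(img)) for name, img in images]

def tamper(chain, index, new_image):
    """Replace one stage's image but keep its old signature."""
    out = list(chain)
    out[index] = (chain[index][0], new_image, chain[index][2])
    return out

if __name__ == "__main__":
    good = make_chain()
    bad = tamper(good, 1, b"kernel 1.0 + modified code")
    for label, result in [("untouched", boot(good)), ("tampered", boot(bad)),
                          ("tampered, developer mode", boot(bad, developer_mode=True))]:
        print(label, "->", result)
```

With verification on, the modified kernel stops the boot at the second stage; with verification off, the same image boots and the log is the only trace that an unverified stage ran.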

Immutable Operating System Images

User Data Encryption

Chrome Web Browser

Chrome Browser Sandboxing

Phishing and Known Malicious Site Protection

Certificate Revocation

Android Application Security

Android on ChromeOS is designed to be secure; however, there are a few practical security tips to ensure that your Android installation is kept secure.

Android Application Permissions

Android Application Isolation

Google Play Services

The Google Play Store

The Google Play Store is designed to be an effective first line of defense to ensure that applications are safe; however, occasionally a fake or malicious application can make it onto the Google Play Store. These malicious and fake applications often masquerade as new "triple A" games that are popular on consoles, to make users think the application is an Android port of the game. These malicious applications typically exist to spam users or collect data. It is important to read the reviews for any application you want to install if you are unsure of its legitimacy.

Sideloading Android Applications

By default, ChromeOS does not permit users to install Android applications from outside the Google Play Store; however, it is possible to bypass this restriction with some developer settings that will be discussed in the "Hacking and Modifications" chapter of this book. If you choose to install applications from outside the Google Play Store, you must ensure that you are getting your applications from a trusted source and validate that they are not malicious. It is not uncommon for pirated Android applications downloaded from websites to contain malware.

Linux Security