Android & Chrome Level Up Security with New Advanced Protection for High-Risk Users
Google has introduced a new security configuration on Android, tailored for users vulnerable to targeted cyberattacks. Known as Advanced Protection, this suite of features—once exclusive to individual Google Accounts—is now available at the device level on Android 16 and Chrome version 137 and above.
The system encompasses enhanced safeguards for connections, memory, and executable code, and is designed specifically for journalists, politicians, activists, and others for whom digital security is paramount.
Advanced Protection consolidates multiple settings that affect app behavior, including within Google Chrome, enabling centralized activation of measures capable of withstanding even the most sophisticated attacks. Core enhancements span three domains: enforced HTTPS usage, full site isolation, and mitigations for vulnerabilities in Chrome’s JavaScript engine, V8.
First and foremost, the system enforces “Always Use Secure Connections”, also known as HTTPS-First Mode or HTTPS-Only Mode. This feature mandates that connections be made over the secure HTTPS protocol, issuing warnings if a user attempts to access an HTTP-only site.
According to Google, fewer than 1% of page loads on Android currently occur over unsecured connections. However, even this minimal share remains exploitable—as evidenced by the 2023 Egyptian election cyberattacks, in which HTTP served as a conduit for malicious code injection.
Google offers two operating modes for this feature: one blocks or warns against all unsecured sites, while the other targets only public domains, excluding local addresses like 192.168.0.1 or internal names such as shortlink/. This ensures compatibility with local infrastructure, like router interfaces. Notably, from Chrome 127 onward, this protection is enabled by default in Incognito mode. Beginning in January 2025 with Chrome 133, the browser will block downgrades from HTTPS to HTTP if a secure connection has previously been established—using heuristics similar to HSTS.
Users can manually activate the setting under Chrome’s Privacy and Security menu and define which sites are subject to the filter. For enterprises, management policies such as HTTPSOnlyMode and HTTPAllowlist provide centralized enforcement across fleets of devices while allowing exceptions where necessary.
The second key feature is Full Site Isolation—a security architecture where each site operates in a dedicated process, entirely segregated from others, even when opened within the same browser window. This ensures that if a malicious site exploits a rendering vulnerability, it cannot access other tabs.
While Chrome on desktop has long supported full isolation, Android historically applied it only during login or form submissions. Now, devices with at least 4 GB of RAM will automatically enable full isolation for all sites under Advanced Protection.
This is especially crucial for mitigating side-channel attacks, in which malicious code analyzes CPU behavior to access sensitive data from other pages. Such attacks, like Spectre, were the impetus behind Chrome’s original implementation of Site Isolation on desktop.
The third enhancement involves disabling JavaScript optimizing compilers. Chrome’s V8 engine includes advanced compilers like TurboFan and Ignition to speed up web applications. However, these components are often the locus of critical vulnerabilities. Google estimates that disabling them could prevent up to half of all V8-related exploits.
With Advanced Protection, these compilers are disabled by default, sacrificing some performance for significant gains in security. As of Chrome 133, this setting is also exposed via a new JavaScript Optimization & Security category in the browser settings.
Users may toggle optimization globally or on a per-site basis. Enterprises can utilize policies such as DefaultJavaScriptOptimizerSetting, JavaScriptOptimizerAllowedForSites, and JavaScriptOptimizerBlockedForSites to curate permitted or blocked sites. It’s important to note that allowlisting is supported only on devices capable of full site isolation—namely, desktops and Android devices with at least 2 GB of RAM.
Additionally, Chrome is preparing to implement a V8 sandbox—a separate execution environment for JavaScript, isolated from the rest of the browser. This adds another layer of protection, reducing the impact of any potential exploit, even if it bypasses core defenses.
Google emphasizes that users face varying levels of risk, and a one-size-fits-all configuration is insufficient. For the average user, Chrome remains fast and convenient, while those in high-risk categories can now enable maximum security—whether individually or through managed enterprise solutions.
Advanced Protection also integrates deeply with Google Account security. Enrolled users must use hardware-based multi-factor authentication and gain access to additional protections, including synchronized settings across devices. Users are encouraged to enable automatic updates and maintain an up-to-date browser and OS.
In essence, Android and Chrome are becoming increasingly adaptive to evolving threats—offering both flexibility and scalability in security. Through Advanced Protection, everyone—from private individuals to global enterprises—can now leverage security mechanisms once reserved for high-assurance cybersecurity contexts.
