Support our independent tech coverage. Chrome Unboxed is written by real people, for real people—not search algorithms. Join Chrome Unboxed Plus for just $2 a month to get an ad-free experience, access to our private Discord, and more. Learn more about membership here.
START FREE TRIAL (MONTHLY)START FREE TRIAL (ANNUAL)
As we continue to watch the development of Aluminium OS and the “desktop-ification” of Android, Google is taking clear steps to ensure that this new high-end hardware doesn’t compromise system security. The latest deep dive into Android 17 Beta 2 by Android Authority has revealed that Google is borrowing a key security feature from ChromeOS: the ability to restrict direct memory access for Thunderbolt and USB4 devices.
While this might sound like deep-level technical jargon, it is a significant move for anyone hoping to use their Android device as a serious desktop replacement.
Restricting Direct Memory Access
On ChromeOS, the system restricts devices connected via Thunderbolt or USB4 from accessing system memory directly by default. This Direct Memory Access (DMA) is great for performance, but it represents a major security vulnerability by essentially giving a physical cable a direct path to your most sensitive data.
In the Android 17 Beta 2 code, references have been found for a new setting called “Data access protection.” Just like on a Chromebook, this feature will allow users to decide whether they want to grant that deep level of access to a connected accessory. The setting even includes a warning note: “This poses a security risk, so only connect devices you trust.”
<string name="usb_pci_tunnel_title">Data access protection</string>
<string name="usb_pci_tunnel_control_summary">Allow USB and Thunderbolt devices to access system memory directly for maximum hardware speeds.
Note: This poses a security risk, so only connect devices you trust.</string>Integration with Advanced Protection Mode
This isn’t just a copy-paste of ChromeOS code; it’s being built directly into Android’s own security framework. The feature makes specific reference to Android 16’s Advanced Protection Mode.
If you have Advanced Protection active, the system may actually prevent you from overriding these restrictions entirely, prioritizing security over the maximum hardware speeds of your Thunderbolt dock or external SSD. Much like the recent WebGPU restrictions we saw, Google is clearly focused on creating an airtight environment for power users.
Enterprise Ready
Following the ChromeOS blueprint, Google is also preparing enterprise management tools for this feature according to another string of code Android Authority dug up. IT administrators will eventually be able to control this memory access across a whole fleet of managed devices, ensuring that company data stays protected even if an employee plugs into a shady third-party dock.
<string name="usb_pci_tunnel_control_disallowed_by_enterprise_summary">Disabled by your IT admin</string>When will we see it?
Right now, this feature is still hidden behind code flags. Even if you are running Android 17 Beta 2 on your Pixel, you won’t see the toggle just yet. However, its presence suggests that when Aluminium OS or the finalized Android 17 lands later this year, it will have a much higher “security ceiling” than we’ve ever seen on mobile. It’s another small but vital piece of the puzzle as Google prepares Android to handle the same professional-grade hardware and security demands as a traditional desktop.
SUBSCRIBE TO UPSTREAM
Get Chrome Unboxed delivered straight to your inbox
Upstream is our flagship, curated newsletter with the top stories, most click-worthy deals, giveaways, and trending articles from Chrome Unboxed sent directly to your inbox a few times a week. Join 31,000+ subscribers.
