Three New Security Features in Android 4.1
Android 4.1 Jelly Bean isn't just the smoothest, best-performing Android experience yet, it's also the most secure thanks to a few new built-in features:
Android 4.1 Jelly Bean isn't just the smoothest, best-performing Android experience yet, it's also the most secure thanks to a few new built-in features:
1. Memory Obscura
Jelly Bean brings full ASLR (Address Space Layout Randomization) implementation to the operating system. ASLR simply randomizes where memory processes get mapped, so attackers can only guess where their malicious payloads will end up. As Jon Oberheide of Duo Security told Security Watch, their odds go from 1 in 2 to "maybe 1 in 1000." Every wrong guess could lead to the app crashing, and the user uninstalling the app, thus dramatically reducing the chances of a successful exploit.
Previously Android 4.0 didn't randomize stack, heap, and libs data areas. However "ASLR is an all or nothing thing, it has to be complete to be effective at all," Oberheide told SW. "In Jelly Bean Google finally hardened the system in that it has proper ASLR and proper NX support." Check Oberheide's blog post for more technical details.
NB. As far as we know, there have been no memory corruption attacks yet in Android. But it's promising to see Google closing up that possibility.
2. Lockscreen Message
What if you lose your phone and someone wants to return it to you, but can't because it's locked? This optimism is the most common reason I hear (after laziness) for not using a passlock.
In Jelly Bean, you don't have to choose between data security and your faith in humanity. You can add a message to the lockscreen, like the one below, which tells people how to return to owner. Simply go to Settings>Owner Info to enter a lockscreen message.
If you don't have 4.1, I've also seen customizable lockscreens in BitDefender Mobile Security (3.5 stars, $9.99/year for premium).
3. One Less Permission
In Jelly Bean, Google has also removed the "READ_LOGS" permission that let apps read low-level system log files. Essentially this prevents apps from being able to see each others' log catalogues, which could contain private information if a developer wasn't particularly security conscious.
"By removing this permission, it will no longer be possible for applications, including malware and rogue apps, to access any sensitive data that had been inadvertently logged," Dan Rosenberg, a researcher at Virtual Security Research, told Security Watch.
BUT...
I hate to be a Debbie Downer, but none of this matters unless you have Android 4.1. And at the moment only two—TWO!—devices have it: unlocked Galaxy Nexus smartphones and the Google Nexus 7 ($199, 4.5 stars) tablet. The Samsung Nexus S and Motorola Xoom (3.5 stars) are supposed to be getting Jelly Bean really soon, the carriers promise...
We've harped on Android's fragmentation problem for years, mostly from a performance standpoint, but the security implications are serious too. Keeping your software up to date is the number one way to prevent malware from seeping in, but on Android, patching isn't in your control. It's in your carrier's. So if you're among the 99 percent without Android 4.1 your devices are still vulnerable to everything I've described above.