Pulser_G2 · Nov 2, 2013 at 02:30 pm

Android 4.4 KitKat Security Enhancements

In addition to the many user-facing improvements in the latest incarnation of Android announced yesterday, there are a number of interesting security improvements, which seem to indicate that Google have not totally neglected platform security in this new release. This article will run through what’s new, and what it means for you.

SELinux in Enforce Mode

In Android 4.4, SELinux has moved from running in permissive mode (which simply logs failures), into enforcing mode. SELinux, which was introduced in Android 4.3, is a mandatory access control system built into the Linux kernel, in order to help enforce the existing access control rights (i.e. permissions), and to attempt to prevent privilege escalation attacks (i.e. an app trying to gain root access on your device).

Support for Elliptic Curve Cryptography (ECDSA) Signing keys in AndroidKeyStore

The integrated Android keystore provider now includes support for Eliptic Curve signing keys. While Eliptic Curve Cryptography may have received some (unwarranted) bad publicity lately, ECC is a viable form of public key cryptography that can provide a good alternative to RSA and other such algorithms. While asymmetric cryptography will not withstand quantum computing developments, it is good to see that Android 4.4 is introducing more options for developers. For long-term data storage, symmetric encryption remains the best method.

SSL CA Certificate Warnings

Many corporate IT environments include SSL monitoring software, which adds a Certificate Authority (CA) to your computer and/or browser, to permit the corporate web filtering software to carry out a “man in the middle” attack on your HTTPS sessions for security and monitoring purposes. This has been possible with Android by adding an additional CA key to the device (which permits your company’s gateway server to “pretend” to be any website it chooses). Android 4.4 will warn users if their device has had such a CA certificate added, such that they are aware of the possibility of this happening.

Automated Buffer Overflow Detection

Android 4.4 now compiles with FORTIFY_SOURCE running at level 2, and ensures all C code is compiled with this protection. Code compiled with clang is also covered by this. FORTIFY_SOURCE is a security feature of the compiler, which attempts to identify some buffer overflow opportunities (which can be exploited by malicious software or users to gain arbitrary code execution on a device). While FORTIFY_SOURCE doesn’t eliminate all possibilities of buffer overflows, it certainly is better used than unused, to avoid any obvious oversights when allocating buffers.

Google Certificate Pinning

Expanding on the support for certificate pinning in earlier versions of Jellybean, Android 4.4 adds protection against certificate substitution for Google certificates. Certificate Pinning is the act of permitting only certain whitelisted SSL certificates to be used against a certain domain. This protects you from your provider substituting (for example) a certificate provided to it under an order by the government of your country. Without certificate pinning, your device would accept this valid SSL certificate (as SSL allows any trusted CA to issue any certificate). With certificate pinning, only the hard-coded valid certificate will be accepted by your phone, protecting you from a man-in-the-middle attack.

It certainly appears that Google have not been resting on their laurels with Android security. This is in addition to the inclusion of dm-verity, which could possibly have serious consequences for people who like to root and modify their devices with locked bootloaders (i.e. which enforce kernel signatures).


_________
Want something on the XDA Portal? Send us a tip!

Pulser_G2

Pulser_G2 is an editor on XDA-Developers, the largest community for Android users. Developer Admin at xda-developers, interested in everything in mobile and security. A developer and engineer, who would re-write everything in C or Assembler if the time was there. View Pulser_G2's posts and articles here.
Jimmy McGee · May 22, 2015 at 12:10 pm · 2 comments

YotaPhone 2 Pre-Order, Xperia Z1 Price Cut – XDA TV

Android Wear 5.1.1 OTA downloads are now available. That and much more news is covered by Jordan when he reviews all the important stories from this week. Included in this week's news is the announcement of Sony cutting the price of the Xperia Z1 and be sure to check out the article talking about the YotaPhone 2 Indiegogo pre-order. That's not all that's covered in today's video! Jordan talks about the other videos released this week on XDA TV. XDA...

XDA NEWS
TK · May 21, 2015 at 02:15 pm · 3 comments

Device Review: No.1 X1 Rugged Smartphone

We are almost at the end of Q2 for 2015, and we have seen most of the flagship phones for the year already. While flagship phones usually offer bleeding-edge specs and are the most sought after phones, there is a huge market for non-flagship phones. Some offer value, others offer unique differentiating features. Today, we are going to look at the X1 phone by a Chinese company named N0.1. The company promises a truly rugged IP68 Certified phone. The device has a Quad...

XDA NEWS
Emil Kako · May 21, 2015 at 01:10 pm · 4 comments

When a Friend or Family Member Asks for a Phone Recommendation, What Do You Tell Them?

The majority of us here at XDA would consider ourselves power users and Android enthusiasts. Thus, when a friend or family member has a question about which phone they should get, they usually come to us. However, this is where we all differ. While some will atomically recommend the Nexus line, others in the community will suggest an offering from Samsung or LG. When a friend or family member asks you for a phone recommendation, what do you say?

DISCUSS
Share This