jerdog · Jul 19, 2012 at 09:00 am

Jelly Bean Implements Higher Level of Security

A lot of hullabaloo has been made about the security of today’s mobile OSes, and for good reason. BlackBerry was for the longest time considered the most secure, and was the smartphone of choice for the U.S. Government. This has changed in the last year, with the NSA even releasing its own white paper on an Enterprise Mobility Architecture focusing on securing Android 2.2.

Any OS tends to suffer from a single point of failure: the user. Sure, you can lock down your device with a password, but the responsibility for choosing a strong password lies with the user, not the OS.

Android 4.0 implemented Address Space Layout Randomization (ASLR), a feature widely used in desktop computing as far back as Windows XP, which effectively rearranges the positions of key data in a process’s memory address space. This makes it much harder for an attacker to predict the memory addresses an exploit needs to target. Security researcher Jon Oberheide had this to say about the challenges of implementing ASLR:

ASLR is commonly an all-or-nothing proposition. If ASLR is not applied to all areas of memory in a process, its effectiveness is often nullified. A single executable mapping that is mapped in a static location in the address space is often sufficient to construct a ROP payload.

He then went on to comment on the implementation of ASLR in Android 4.0:

Unfortunately, the ASLR support in Android 4.0 did not live up to expectations and is largely ineffective for mitigating real-world attacks, due to the lack of randomization of the executable and linker memory regions.
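The gap described in the two quotes above can be audited by comparing a process's memory map across launches. The following is an added example, not code from the original article or from Oberheide's analysis; the `/proc/<pid>/maps` excerpts are constructed for illustration and the function names are hypothetical. It reports every executable mapping whose base address is identical in all runs:

```python
import re

# Constructed /proc/<pid>/maps excerpts from two launches of the same process
# (addresses and paths are illustrative, not captured from a device).
RUN_A = """\
00008000-0000a000 r-xp 00000000 b3:02 412 /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:02 412 /system/bin/app_process
40021000-40064000 r-xp 00000000 b3:02 731 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 b3:02 398 /system/bin/linker
be8a1000-be8c2000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00008000-0000a000 r-xp 00000000 b3:02 412 /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:02 412 /system/bin/app_process
4f3d7000-4f41a000 r-xp 00000000 b3:02 731 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 b3:02 398 /system/bin/linker
bec13000-bec34000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def executable_bases(maps_text):
    """Return {mapping name: set of start addresses} for executable mappings."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m.group(3):
            continue  # skip malformed lines and non-executable regions
        name = m.group(4) or "[anonymous]"
        bases.setdefault(name, set()).add(int(m.group(1), 16))
    return bases

def static_executable_mappings(*runs):
    """Names of executable mappings that keep a start address in every run."""
    per_run = [executable_bases(r) for r in runs]
    common = set(per_run[0]).intersection(*per_run[1:])
    return sorted(n for n in common
                  if set.intersection(*(b[n] for b in per_run)))

if __name__ == "__main__":
    for name in static_executable_mappings(RUN_A, RUN_B):
        print("not randomized:", name)
```

In the constructed data the library and stack move between runs while the main executable and the linker do not, which is the pattern the Android 4.1 PIE support listed below is meant to eliminate.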

But with the release of Android 4.1, Jelly Bean, Google has upped the ante on security. Here’s what Google had to say about their ever-increasing emphasis on security:

Android 1.5+

  • ProPolice to prevent stack buffer overruns (-fstack-protector)
  • safe_iop to reduce integer overflows
  • Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption.
  • OpenBSD calloc to prevent integer overflows during memory allocation

Android 2.3+

  • Format string vulnerability protections (-Wformat-security -Werror=format-security)
  • Hardware-based No eXecute (NX) to prevent code execution on the stack and heap
  • Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1)

Android 4.0+

  • Address Space Layout Randomization (ASLR) to randomize key locations in memory

Android 4.1+

  • PIE (Position Independent Executable) support
  • Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now)
  • dmesg_restrict enabled (avoid leaking kernel addresses)
  • kptr_restrict enabled (avoid leaking kernel addresses)
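The Android 4.1 linker options in the list above leave visible marks in a compiled binary, so they can be verified after the build. The following is an added example, not code from Google or from the original article; it assumes 32-bit little-endian ELF files, the function names are hypothetical, and the sample images are constructed in memory rather than taken from a device:

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
ET_EXEC, ET_DYN, PF_X, DF_BIND_NOW, DF_1_NOW = 2, 3, 0x1, 0x8, 0x1

def check_elf32(data):
    """Report PIE / NX stack / RELRO / BIND_NOW for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    # ET_DYN is also the type of shared libraries; for a main executable it means PIE.
    out = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:  # a missing header is reported as not NX
            out["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:  # -z relro; full RELRO also needs bind_now
            out["relro"] = True
        elif p_type == PT_DYNAMIC:  # -z now sets one of these dynamic entries
            for off in range(p_offset, p_offset + p_filesz, 8):
                tag, val = struct.unpack_from("<II", data, off)
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    out["bind_now"] = True
    return out

def build_sample(e_type, segments, dynamic=()):
    """Constructed test image: ELF32 header + program headers + dynamic entries."""
    phnum = len(segments) + (1 if dynamic else 0)
    dyn_off = 52 + 32 * phnum
    dyn = b"".join(struct.pack("<II", t, v) for t, v in dynamic)
    hdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", e_type, 40, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    phs = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, fl, 4) for t, fl in segments)
    if dynamic:
        phs += struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    return hdr + phs + dyn

# Constructed samples: one built with every option, one with none.
HARDENED = build_sample(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)], [(DT_FLAGS, DF_BIND_NOW)])
LEGACY = build_sample(ET_EXEC, [(PT_GNU_STACK, 7)])
```

Calling `check_elf32` on the bytes of a real binary returns the same four flags, so a build pipeline can fail when any of them is false.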

According to Oberheide, in his most recent analysis of the security of Android 4.1 and the above implementations Google has made:

While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple’s iOS 6. One could claim that iOS is being proactive with such techniques, but in reality, they’re simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation by employing effective userspace mitigations such as NX, ASLR, and mandatory code signing. Thankfully, Android is getting there, and Jelly Bean is a major step towards that goal.

It would seem that Google continues to move forward with their embrace of higher security for Android, but let us hope that their increased security does not come at the cost of reduced control and access for the development community, which in large part has contributed to the success of Android.

To read more about ASLR and mobile security, check out Oberheide’s article.

