Android Hacker: Jelly Bean Tougher To Crack

Expect some notable security improvements in Android 4.1, code-named Jelly Bean. In particular, it will be the first version of Android to properly implement address space layout randomization (ASLR), thus foiling would-be kernel attackers.

That observation comes via Android security researcher Jon Oberheide, CTO of DUO Security, who's been keeping an eye on the Google Android ASLR-related endeavors, as well as other security improvements.

Using ASLR randomizes memory on a device, which makes it more difficult for developers to craft malicious attacks, because they can't tell their software exactly which address spaces to call when attempting to exploit a device. But when ASLR was introduced in Android with 4.0, a.k.a. Ice Cream Sandwich, Oberheide found that it "did not live up to expectations and is largely ineffective for mitigating real-world attacks" due to it failing to actually randomize large parts of Android memory.

Still, he noted that prior to mid-2010, the Linux kernel hadn't even offered ASLR for the ARM architecture, which is the main hardware platform on which Android devices run. Accordingly, some growing pains were to be expected.

[ Read Android 4.1 Jelly Bean: Does It Measure Up? ]

With Android 4.1, however, when it comes to ASLR, "the deficiencies in [Ice Cream Sandwich] pointed out in our previous blog post have all been addressed," said Oberheide in a blog post. In addition, Jelly Bean also implements some information leakage prevention capabilities "inherited from the upstream Linux kernel," he said. "The end result is denying attackers information sources on the system that may aid in increasing the feasibility--or reliability--of a kernel exploit." That's desirable, because a successful kernel exploit will allow attackers to instruct a system to execute any supplied command.

Despite the ASLR improvements, however, there's still room for Android security improvements. "While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple's iOS 6," said Oberheide. "One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation."

Beyond potentially adding ASLR to the Android kernel, what else could Google do to enhance Android security? According to Oberheide, Google could require--as Apple does--that all applications submitted to Google Play first be signed. That could help Google better spot malicious applications, instead of only relying on its Bouncer automated code-review tool.

Despite the security improvements on offer with Android Jelly Bean, the bad news is that smartphone and tablet users must wait to see the updated operating system. Although Google has promised to release Android 4.1 to developers later this month, industry watchers expect that mobile device manufacturers won't ship the first commercially available Jelly Bean products for another six months.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)