Mobile
News
7/18/2012
03:53 PM
Connect Directly
RSS
E-Mail
50%
50%

Android Hacker: Jelly Bean Tougher To Crack

Android 4.1, code-named Jelly Bean, is first OS from Google to correctly randomize memory, making it tougher for attackers to get a foothold.

Samsung's Android Super Smartphone: Galaxy SIII
Samsung's Android Super Smartphone: Galaxy SIII
(click image for larger view and for slideshow)
Expect some notable security improvements in Android 4.1, code-named Jelly Bean. In particular, it will be the first version of Android to properly implement address space layout randomization (ASLR), thus foiling would-be kernel attackers.

That observation comes via Android security researcher Jon Oberheide, CTO of DUO Security, who's been keeping an eye on the Google Android ASLR-related endeavors, as well as other security improvements.

Using ASLR randomizes memory on a device, which makes it more difficult for developers to craft malicious attacks, because they can't tell their software exactly which address spaces to call when attempting to exploit a device. But when ASLR was introduced in Android with 4.0, a.k.a. Ice Cream Sandwich, Oberheide found that it "did not live up to expectations and is largely ineffective for mitigating real-world attacks" due to it failing to actually randomize large parts of Android memory.

Still, he noted that prior to mid-2010, the Linux kernel hadn't even offered ASLR for the ARM architecture, which is the main hardware platform on which Android devices run. Accordingly, some growing pains were to be expected.

[ Read Android 4.1 Jelly Bean: Does It Measure Up? ]

With Android 4.1, however, when it comes to ASLR, "the deficiencies in [Ice Cream Sandwich] pointed out in our previous blog post have all been addressed," said Oberheide in a blog post. In addition, Jelly Bean also implements some information leakage prevention capabilities "inherited from the upstream Linux kernel," he said. "The end result is denying attackers information sources on the system that may aid in increasing the feasibility--or reliability--of a kernel exploit." That's desirable, because a successful kernel exploit will allow attackers to instruct a system to execute any supplied command.

Despite the ASLR improvements, however, there's still room for Android security improvements. "While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple's iOS 6," said Oberheide. "One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation."

Beyond potentially adding ASLR to the Android kernel, what else could Google do to enhance Android security? According to Oberheide, Google could require--as Apple does--that all applications submitted to Google Play first be signed. That could help Google better spot malicious applications, instead of only relying on its Bouncer automated code-review tool.

Despite the security improvements on offer with Android Jelly Bean, the bad news is that smartphone and tablet users must wait to see the updated operating system. Although Google has promised to release Android 4.1 to developers later this month, industry watchers expect that mobile device manufacturers won't ship the first commercially available Jelly Bean products for another six months.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MrAnders
50%
50%
MrAnders,
User Rank: Apprentice
7/21/2012 | 12:26:40 PM
re: Android Hacker: Jelly Bean Tougher To Crack
Now all we need to do is get the product developers to allow you to update your tablets/phones. The model of the vendor pushing the update is getting old as you end up sitting on an old OS if the gatekeeper won't send you the link. I know there are those who say - just root the device and update, but that's is a rather daunting task for many.
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - June 10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.