Android Hacker: Jelly Bean Tougher To Crack - InformationWeek
03:53 PM

Android Hacker: Jelly Bean Tougher To Crack

Android 4.1, code-named Jelly Bean, is first OS from Google to correctly randomize memory, making it tougher for attackers to get a foothold.

Samsung's Android Super Smartphone: Galaxy SIII
Samsung's Android Super Smartphone: Galaxy SIII
(click image for larger view and for slideshow)
Expect some notable security improvements in Android 4.1, code-named Jelly Bean. In particular, it will be the first version of Android to properly implement address space layout randomization (ASLR), thus foiling would-be kernel attackers.

That observation comes via Android security researcher Jon Oberheide, CTO of DUO Security, who's been keeping an eye on the Google Android ASLR-related endeavors, as well as other security improvements.

Using ASLR randomizes memory on a device, which makes it more difficult for developers to craft malicious attacks, because they can't tell their software exactly which address spaces to call when attempting to exploit a device. But when ASLR was introduced in Android with 4.0, a.k.a. Ice Cream Sandwich, Oberheide found that it "did not live up to expectations and is largely ineffective for mitigating real-world attacks" due to it failing to actually randomize large parts of Android memory.

Still, he noted that prior to mid-2010, the Linux kernel hadn't even offered ASLR for the ARM architecture, which is the main hardware platform on which Android devices run. Accordingly, some growing pains were to be expected.

[ Read Android 4.1 Jelly Bean: Does It Measure Up? ]

With Android 4.1, however, when it comes to ASLR, "the deficiencies in [Ice Cream Sandwich] pointed out in our previous blog post have all been addressed," said Oberheide in a blog post. In addition, Jelly Bean also implements some information leakage prevention capabilities "inherited from the upstream Linux kernel," he said. "The end result is denying attackers information sources on the system that may aid in increasing the feasibility--or reliability--of a kernel exploit." That's desirable, because a successful kernel exploit will allow attackers to instruct a system to execute any supplied command.

Despite the ASLR improvements, however, there's still room for Android security improvements. "While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple's iOS 6," said Oberheide. "One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation."

Beyond potentially adding ASLR to the Android kernel, what else could Google do to enhance Android security? According to Oberheide, Google could require--as Apple does--that all applications submitted to Google Play first be signed. That could help Google better spot malicious applications, instead of only relying on its Bouncer automated code-review tool.

Despite the security improvements on offer with Android Jelly Bean, the bad news is that smartphone and tablet users must wait to see the updated operating system. Although Google has promised to release Android 4.1 to developers later this month, industry watchers expect that mobile device manufacturers won't ship the first commercially available Jelly Bean products for another six months.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/21/2012 | 12:26:40 PM
re: Android Hacker: Jelly Bean Tougher To Crack
Now all we need to do is get the product developers to allow you to update your tablets/phones. The model of the vendor pushing the update is getting old as you end up sitting on an old OS if the gatekeeper won't send you the link. I know there are those who say - just root the device and update, but that's is a rather daunting task for many.
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll