Android Jelly Bean: The Most Secure Android Version
Google has just unveiled the latest Android version, Android 4.1 Jelly Bean, which brings new and improved features. Beyond those features, Google also assures users that Android Jelly Bean is the most secure version of Android it has ever released.
Jon Oberheide, a security researcher, wrote an analysis detailing the security features of Android 4.1 Jelly Bean. According to Mr Oberheide, "Android has stepped its game up mitigation-wise in the new Jelly Bean release." This means that Android Jelly Bean is able to defend its system against potential security risks such as hackers installing viruses, malware, and other malicious software.
One of the reasons Android Jelly Bean is considered "secure" is its use of Address Space Layout Randomisation (ASLR). ASLR works by randomising where things are located in the device's memory. Android Jelly Bean also uses another security feature, data execution prevention (DEP). The combination of these two features is a good defense because hackers tend to break into handsets by exploiting memory corruption bugs. With ASLR and DEP combined, hackers cannot locate their malicious code in the device's memory.
Charlie Miller, a veteran smartphone hacker and principal research consultant at Accuvant security firm, also supported this finding. According to Mr Miller, "As long as there's anything that's not randomised, then (ASLR) doesn't work, because as long as the attacker knows something is in the same spot, they can use that to break out of everything else. Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it's going to be pretty difficult to write exploits for that."
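As an added example (not part of the original article or of Mr Oberheide's analysis), the following Python sketch shows how a defender could check whether a native ELF binary opts in to the two mitigations discussed above: a position-independent image that the loader can place at a randomised address, and a stack that is not marked executable. The function names and the sample headers are constructed for this illustration.

```python
import struct

ET_DYN = 3                 # position-independent image: load address can be randomised
PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # "executable" permission bit

def check_elf(data: bytes) -> dict:
    """Report whether an ELF image is position-independent and has a non-executable stack."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("this example handles little-endian ELF only")
    is64 = data[4] == 2
    ehdr_fmt = "<HHIQQQIHHHHHH" if is64 else "<HHIIIIIHHHHHH"
    if len(data) < 16 + struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    ehdr = struct.unpack_from(ehdr_fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[0], ehdr[4], ehdr[8], ehdr[9]
    phdr_fmt = "<IIQQQQQQ" if is64 else "<IIIIIIII"
    flags_idx = 1 if is64 else 6   # p_flags sits at a different position in ELF64
    nx_stack = False               # assumption: no PT_GNU_STACK means "not proven non-executable"
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            raise ValueError("truncated program header table")
        ph = struct.unpack_from(phdr_fmt, data, off)
        if ph[0] == PT_GNU_STACK:
            nx_stack = not (ph[flags_idx] & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}

def build_sample(e_type: int, stack_flags) -> bytes:
    """Constructed 32-bit ARM ELF header for the demo; not a real binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    phnum = 0 if stack_flags is None else 1
    ehdr = struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    phdr = b"" if stack_flags is None else struct.pack(
        "<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0)
    return ident + ehdr + phdr

if __name__ == "__main__":
    samples = {"PIE, RW stack": build_sample(3, 6), "fixed address, RWX stack": build_sample(2, 7)}
    for name, image in samples.items():
        print(name, check_elf(image))
```

The ELF type `ET_DYN` also marks shared libraries, and whether addresses are actually randomised depends on the kernel and loader as well, so this check only shows that a binary does not itself leave something at a fixed, known location.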
The report also revealed that aside from ASLR and DEP, Android Jelly Bean also has defenses against other attacks such as information leakage, buffer overflows, and additional memory vulnerabilities. Despite that, the non-inclusion of "code signing" was identified as a small weakness for Android Jelly Bean. Other operating systems, most specifically Apple's, have already incorporated all three functions (ASLR, DEP, and code signing).
Mr Oberheide ended his analysis by writing his final thoughts on the matter:
"[Excerpt]" While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovation exploit mitigation techniques, such as the in-kernel ASLR present in Apple's iOS 6. One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation by employing effective userspace mitigations such NX, ASLR, and mandatory code signing. Thankfully, Android is getting there, and Jelly Bean is a major step towards that goal.