The latest iteration of the Android mobile operating system, version 4.3 “Jelly Bean”, was unveiled by Google on the 24th of July. Factory firmware images with Android 4.3 (for Nexus devices) have already been made available for download by Google. It probably won’t be too long before the various Android device manufacturers and carriers follow suit with their own updates to existing devices. In the near future, new devices sporting Android 4.3 Jelly Bean will undoubtedly become commonplace in the market.
Let’s take a few minutes to examine the changes Android 4.3 Jelly Bean introduces from a security perspective. Ultimately, the specific Android 4.3 Jelly Bean firmware image from the device manufacturer (or carrier), including its customizations, will determine the exact security environment of a particular device, but the core Android platform security enhancements will still play a significant role.
Needless to say, Android 4.3 includes fixes that address vulnerabilities discovered in the Android operating system (some of these fixes may also be backported to previous Android versions to support existing devices). Here however, we will focus on the new platform security enhancements rather than such fixes.
One of the most significant security enhancements of the new Android release is that the Android application sandbox, which restricts what an application can do on the system and thus mitigates the risk of damage to the entire system posed by malicious applications, is made even more robust by reinforcing it with the SELinux MAC (Mandatory Access Control) system implemented in the kernel. Google claims the integration with SELinux is invisible to users and developers; even so, as a safety precaution to ensure maximum compatibility with existing applications, the current release of Android enables SELinux functionality only in permissive mode, where security policy violations are only recorded rather than blocked.
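Because permissive mode records each policy violation instead of blocking it, the denial log is the one place a device maintainer can see what would break once enforcing mode is switched on. The following is an added example (not code from the original article or from the Android project) that parses AVC denial messages in the format the kernel emits to dmesg/logcat, groups them by source domain, target type, object class and permission, and lists the accesses that carried `permissive=1`. The log lines, process names, paths and contexts in `SAMPLE_LOG` are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the layout of SELinux AVC messages as they appear
# in dmesg/logcat. PIDs, paths, device names and inode numbers are made up.
SAMPLE_LOG = """\
<5>[  123.456789] type=1400 audit(1374700001.123:12): avc: denied { read } for pid=1234 comm="app_process" path="/data/misc/wifi/wpa_supplicant.conf" dev="mmcblk0p23" ino=1024 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file permissive=1
<5>[  123.456801] type=1400 audit(1374700001.130:13): avc: denied { open } for pid=1234 comm="app_process" path="/data/misc/wifi/wpa_supplicant.conf" dev="mmcblk0p23" ino=1024 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file permissive=1
<5>[  124.000000] type=1400 audit(1374700002.000:14): avc: denied { write } for pid=456 comm="vold" name="foo" dev="mmcblk0p28" ino=77 scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir permissive=1
<5>[  125.000000] type=1400 audit(1374700003.000:15): avc: denied { read } for pid=1234 comm="app_process" path="/data/misc/wifi/wpa_supplicant.conf" dev="mmcblk0p23" ino=1024 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file permissive=1
<6>[  126.000000] init: starting 'bootanim'
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple          # permissions requested, e.g. ("read",)
    comm: str             # process name as reported by the kernel
    scontext: str         # source (subject) security context
    tcontext: str         # target (object) security context
    tclass: str           # object class: file, dir, socket, ...
    permissive: bool      # True when the access was allowed but logged
    target: str           # path or name of the object, if the message had one


def parse_denial(line):
    """Return a Denial for an AVC denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        scontext=fields.get("scontext", "?"),
        tcontext=fields.get("tcontext", "?"),
        tclass=fields.get("tclass", "?"),
        permissive=fields.get("permissive") == "1",
        target=fields.get("path") or fields.get("name") or "?",
    )


def summarize(log_text):
    """Count denials by (scontext, tcontext, tclass, permission, permissive)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        for perm in d.perms:
            counts[(d.scontext, d.tcontext, d.tclass, perm, d.permissive)] += 1
    return counts


def would_break_in_enforcing(log_text):
    """Accesses logged with permissive=1: exactly the ones enforcing mode would block."""
    return sorted({k[:4] for k, _ in summarize(log_text).items() if k[4]})


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} ({key[2]}:{key[3]})")
    print("Would be denied in enforcing mode:", len(would_break_in_enforcing(SAMPLE_LOG)))
```

Repeated denials for the same (source, target, class, permission) tuple are the ones worth triaging first: either the policy needs an allow rule for a legitimate access, or the application is doing something it should not, and in permissive mode the log is the only signal of either.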
On the Android operating system, as on Unix, file system setuid and setgid permissions are supported; they allow a program carrying the setuid or setgid bit to execute under the security context of the specified system user or group. Privileged programs have these bits set so that they can execute with elevated privileges. However, over the years such programs have often proved to be a preferred target for attackers seeking privilege escalation. Android 4.3 removes all such privileged setuid/setgid programs, significantly reducing the attack surface available for privilege escalation through exploitation of such a program. Furthermore, the latest release of Android removes an application’s ability to execute setuid programs, reducing the attack surface and attack opportunities further.
Android 4.3 also introduces what Google calls “Capability Bounding”, which drops unnecessary capabilities (the ability of an application operating in a certain security context to perform certain privileged tasks) when executing applications, so that an application launched from a GUI shell, for example, is unable to acquire privileged capabilities, again preventing privilege escalation attempts made this way. Applications are likewise prevented from escalating privileges via the execve() system call.
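Whether a firmware image really ships without privileged setuid/setgid programs is easy to verify, since the bits are plain file-mode flags. The following is an added example (not code from the original article or from the Android project) of the audit a device maintainer or security reviewer would run over an extracted or mounted firmware tree: it walks a directory, classifies every regular file by whether its mode grants setuid or setgid on execution, and notes root ownership, which is the case that matters for privilege escalation. `build_demo_tree()` creates a constructed sample tree under a temporary directory; the file names in it are made up and do not correspond to any real Android binary.

```python
import os
import stat
import tempfile

ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify(mode, uid):
    """Return the privilege-granting bits a file mode carries.

    Only regular files are considered. A setuid bit without any execute bit
    grants nothing, and a setgid bit without group-execute means mandatory
    locking on Linux, not setgid execution, so both are reported as empty.
    """
    flags = []
    if not stat.S_ISREG(mode):
        return flags
    if mode & stat.S_ISUID and mode & ANY_EXEC:
        flags.append("setuid")
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        flags.append("setgid")
    if flags and uid == 0:
        flags.append("root-owned")   # the attractive privilege-escalation target
    return flags


def find_privileged_executables(root):
    """Walk root and return sorted (relative path, flags) for every setuid/setgid file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            flags = classify(st.st_mode, st.st_uid)
            if flags:
                findings.append((os.path.relpath(path, root), flags))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree: one setuid program and one plain program under system/xbin."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    bindir = os.path.join(root, "system", "xbin")
    os.makedirs(bindir)
    for name, mode in (("demo_setuid", 0o4755), ("demo_plain", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/system/bin/sh\n")   # placeholder content, never executed
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, flags in find_privileged_executables(demo_root):
        print(f"{rel}: {', '.join(flags)}")
```

Run against a real image with `find_privileged_executables("/path/to/mounted/system")`; a clean Android 4.3 system partition, going by the article, should produce an empty list.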
In a bid to provide greater security for applications that use cryptographic mechanisms internally, Android now provides the means for applications to create and securely store the cryptographic keys used in such mechanisms, protecting them from other applications attempting to gain access to these keys. This strengthens the protection available to legitimate applications against malicious applications (such as a rogue application the user might have downloaded from an app store without knowing it is malicious) attempting to steal cryptographic key material (belonging to financial or privacy applications, for example). Furthermore, Android 4.3 introduces the ability for applications to ensure that cryptographic keys used system-wide are bound to the device hardware, giving applications a place to create and store cryptographic keys that are resilient against extraction from the device, even in cases where the device itself is “rooted” (i.e. highest privilege level access to the device is enabled).
These changes improve the robustness of the Android operating system against malicious applications by further restricting what a malicious application can do on the system, and they also provide greater application isolation, increasing the protection legitimate applications enjoy against malicious ones. However, there is likely to be a significant impact on privileged applications operating with higher privileges, such as applications that only run on “rooted” devices.
Additionally, the built-in mitigation technologies against the exploitation of memory corruption vulnerabilities are further improved, by implementing read-only relocation sections for statically linked binary executables and by removing all text relocations from Android code. For non-ARM platforms such as x86 and MIPS, FORTIFY_SOURCE, a technology that can prevent some buffer overflow conditions (a commonly exploited vulnerability class), is enabled for the hardened string handling library routines.
Last but not least, there has been enthusiastic discussion on the web about what some consider a hidden feature: a new application permissions manager (supposedly called “App Ops”), which allows fine-grained, per-application permission control. It lets users restrict what an application can do (such as access the phone address book or the GPS location) at any time, rather than only being able to decline to install an application based on the permissions it requires, which can be viewed prior to installation. This is very likely to be popular, as the ability is very useful for users who are concerned about the privacy implications of using certain applications.
In summary, the Android 4.3 “Jelly Bean” release appears to have introduced significant security enhancements to the Android platform that are likely to improve both device security and user privacy.