Tuesday, 17 July 2012 14:41

Google's Jellybean To Be The Most Secure Version Of Android To-Date

Written by
Rate this item
(0 votes)

Reading time is around minutes.
android-jelly-bean 1

It looks like Google is finally stepping up to the plate when it comes to security in their Android Smartphone OS. For a number of years now opponents of Google’s desert themed mobile OS have complained Android does not have sufficient security. This makes it an unsuitable operating system. The fact that a large portion of these complaints come from the competition (Apple and Microsoft) meant that they were ignored by the large majority of people. It is also noteworthy that the openness of Android has allowed for mobile phone makers to highly individualize their Android offerings instead of relying on the stock version. Consumers have eaten this up and now you can see people defending their favorite version (HTC’s Sense UI over Samsung etc.) It is a great feature to the OS and one that has helped in in the market.

Well even with that Google did have to start getting serious about the security they HAVE to have in the OS. They started to work on this with version 4.0 where they put in a half-baked version of Address Space Layout Randomization (ASLR). Typically when this is implemented the OS randomizes where it loads items into active memory. This includes the Kernel and any other part of the OS. This helps to prevent attacks that involved memory overflows.   Unfortunately in Android 4.0 the core components of the OS were not randomized which meant that a malicious coder could predict where their code was in memory.

When you combine ASLR with Data Execution Prevention (DEP) you can quickly prevent a wide range of basic exploits. Of course these types of items do not guarantee security as even with ASLR and DEP there is still a chance of being exploited due to a poorly implemented app or other software in use on the system.

Apple has had this in their iOS for well over a year now and also includes a requirement for signed code (meaning that the developer has to have an installed digital certificate before the code can run). However, even with these in place Apple is finding that their mobile OS is not secure from all outside attacks. Just recently a flaw was found in the in-app purchase system that has allowed someone to make in-app purchases available for free. Although currently the person responsible for this is not looking to install malware and even says the requirement for a password is not really needed (he says put in something random) the opening has great potential as a vector for attack on iOS.

We have a feeling that Android may never include code signing as a requirement. If they did it would remove the open feel and nature of Android. Besides, there are plenty of security apps available that do a great job of keeping your phone safe some of them free, others that will cost you a little money. Still they are there; this is something that we cannot say for either Microsoft or Apple. They rely on their control to keep them safe; a move that did not help Apple with some rough malware that popped up at the end of 2011.

Discuss this in our Forum

Read 2992 times Last modified on Tuesday, 17 July 2012 16:15

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.