Along with support for Bluetooth Smart and Restricted Profiles, Google has added some stronger security features to the latest release of the Android mobile operating system. Android 4.3 Jelly Bean, which Google is calling “a sweeter Jelly Bean”, adds support for Wi-Fi configuration on WPA2-Enterprise networks as well as a variety of internal changes that make it more difficult for hackers (and the NSA) to exploit security vulnerabilities.
Seemingly the most controversial change in Android 4.3 is the activation of SELinux. The move is seen as controversial because of SELinux’s links with the NSA. Since the NSA isn’t getting much good press at the moment, people are incorrectly linking the SELinux project, the NSA and fears about snooping. It is true that the NSA was the original and primary developer of SELinux, but that is almost irrelevant today. Some key points to remember are that the SELinux patches are open source and not some secret code inserted by the U.S. government; that SELinux has been integrated into Linux since 2003, meaning it has been used by various Linux distributions for nearly a decade now; and that other companies such as Red Hat have made major contributions to SELinux. If you are still undecided, you should read “Yes, the NSA contributed code to Android. No, you don’t have to freak out about it” and “NSA? Break out the tinfoil hats” for more background information.
Fear, uncertainty and doubt (FUD) aside, SELinux is designed to address the gaps in Android’s security model and limit the damage that can be done by flawed or malicious apps. It does this by reinforcing Android’s existing UID-based sandbox and guaranteeing separation between apps. It is worth noting, however, that as of Android 4.3 the SELinux implementation runs in ‘permissive mode’ rather than the more stringent enforcing mode. Google will likely enable enforcing mode somewhere later down the road.
Android 4.3 adds new system calls that allow developers to bind encryption keys to a certain piece of hardware. This means that a private store can be created to hold private keys which cannot be exported to another device, even if the device is compromised. Along with the new KeyChain system calls, Google has added functionality that allows apps to create exclusive-use keys that can only be used by that app and can’t be seen or used by other apps. These keys can also benefit from the same enhanced security features, such as being bound to a specific device.
What this means is that even if a security vulnerability is discovered in Android and exploited, hackers can’t download and use any encryption keys stored on the device using these new system calls.
First!!! And it SUCKS
Haha. I was being sarcastic to people who post FIRST and feel the pride of posting the first comment. Just wanted to tell them it doesn’t matter to any one of us. But… to each, his own :)
edit: aaah i just noticed stoian beat me to that lol :D
@Bogdan Petrovan: Romanian?
hey brother .. I like what he writes
They need to open source the entire stack before there is hope of some security. Google is mentioned as a partner with NSA’s Prism program to spy on Google users.
there are no “partners” … just companies that were threatened if they didn’t help snoop… google was one of the first companies to attempt to go against the NSA
Yeah, keep telling yourself that… Google went willingly as one of the first – just like Microsoft. You all praise Google as this “liberty angel” of free, open source products and services – but the truth is nothing from them is free, it just doesn’t cost you money – they collect and sell all your info, make tons of money off it and put ads even in your fkn private inbox. I’m saying goodbye to google once and for all.
i never once said Google is a “liberty angel” …
do i pay for their services? no
do they make a lot of really good products and champion open source development? yes
do they collect personal info? yes
do they put ads in my private inbox? there is one small advertisement in the top (sometimes it’s not even there) compared to yahoo, aol, and microsoft that blast you with advertising left and right, google has the LEAST intrusive ads of all of the email platforms… so i really think you are off your rocker on this one.
you’re saying goodbye to google? whatever bro. good luck finding another email service that doesn’t shower you with advertising. Wake up. this is the 21st century. internet = advertising = data mining = free services. That’s what it’s all about.
Look, the fact of the matter is, you can preach all you want. But you sir are taking things WAAAAY out of perspective. you _think_ we (myself and others) are portraying google in too good a light. You are portraying them as the sole source of all evil on earth. In all reality Google is somewhere in the middle. Exactly where I believe they are. They are a business after all. They have to earn money for investors. And, I don’t mind giving them some of my data in exchange for targeted advertising. I don’t care. But to claim Google is the most evil company in the world is testing the limits of your gullibility to all the FUD around the internet.
it’s called adblock plus dumbass
1) i know what adblock is
2) what does that have anything to do with anything i said
3) i don’t appreciate being called a dumbass when your statement makes absolutely no correlation to what i said.
sorry i pressed the wrong reply link
Great security features…
good progress, but not enough.
I mean not enough to give me peace of mind.
dunno, when I used blackberry years ago i had complete peace of mind that my phone would always be secure no matter the way I abused it, lol.. :D
with my droid, I take utmost care to prevent it getting stolen, hacked, or infected by something bad :(