In Unix-like operating systems, which include Linux and hence Android, a program may gain ‘root’ access because the binary has been marked with the setuid flag (or the setuid bit as the system admins like to say). This means that a program run by a normal user can perform privileged operations. On a Linux system a program like passwd (which allows the user to change their password) has the setuid bit because changing passwords alters files at a system level. If a malicious program has the setuid bit set then that program can do almost whatever it likes. And one common way for hackers to exploit a system is to find a setuid program and somehow alter it to do their evil bidding.
With Android 4.3, the system area which holds many of the operating system programs (called the /system partition) is now configured in such a way that normal Android apps can no longer use the setuid functionality even if the flag is set. This reduces the ways in which malicious apps can exploit any potential security vulnerabilities.
For those interested in the precise technical terms: the /system partition is now mounted nosuid for zygote-spawned processes, preventing Android applications from executing setuid programs.
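To check this from the defender's side, the added example below (not code from Android or from the original article) parses mount tables in /proc/<pid>/mounts format and reports whether a file's setuid bit would be honored given the nosuid option on its mount. The two mount tables, the device names and the path /system/bin/example_helper are constructed for illustration; on a real device the input would be the mounts file of the process being examined, since each process sees the mount table of its own mount namespace.

```python
import re
import stat

# Constructed samples in /proc/<pid>/mounts format; devices and options are illustrative.
APP_VIEW = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/system /system ext4 ro,nosuid,relatime 0 0
/dev/block/userdata /data ext4 rw,nosuid,nodev,noatime 0 0
"""
# Assumed contrast: the same table with /system mounted without nosuid.
OTHER_VIEW = APP_VIEW.replace("ro,nosuid,relatime", "ro,relatime")


def parse_mounts(text):
    """Return [(mount_point, options_set)] in table order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        # The kernel escapes spaces and tabs in paths as octal (\040, \011).
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts.append((point, set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match; a later entry wins over an earlier one on the same point."""
    best = None
    for point, opts in mounts:
        prefix = point.rstrip("/") + "/"
        if path == point or path.startswith(prefix):
            if best is None or len(point) >= len(best[0]):
                best = (point, opts)
    return best


def setuid_honored(path, mode, mounts):
    """True only if the file has the setuid bit AND its mount lacks nosuid."""
    if not mode & stat.S_ISUID:
        return False
    hit = mount_for(path, mounts)
    return hit is not None and "nosuid" not in hit[1]


if __name__ == "__main__":
    helper_mode = stat.S_IFREG | 0o4755  # constructed: regular file with the setuid bit
    for name, view in (("app view", APP_VIEW), ("other view", OTHER_VIEW)):
        ok = setuid_honored("/system/bin/example_helper", helper_mode, parse_mounts(view))
        print(f"{name}: setuid honored -> {ok}")
```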
Android 4.3 now allows developers to create apps that configure the Wi-Fi credentials needed for connecting to WPA2 enterprise access points. These apps can access new Android system calls to configure Extensible Authentication Protocol (EAP) and Encapsulated EAP (Phase 2) credentials for authentication methods used in the enterprise. Previously, configuring and connecting to such secured networks was not something third-party apps could do.
The five security enhancements added by Google apply only to Android 4.3. However, Google has also added two significant security features which are available for every Android device using Android 2.3 and upwards (in other words, about 96% of all Android devices with access to Google Play).
First, Google has moved the Verify Apps feature, which scans any apps that are being installed and blocks the harmful ones, from the OS (where it was added as part of Android 4.2) into Google Play Services. The scanner checks all apps, including those being installed directly from .apk files or from third-party app stores.
Second, Google is rolling out its new “find my phone” type app called the Android Device Manager. Android has long been criticized for not having a built-in lost phone app. The new service allows users to remotely manage, locate, block, or wipe their misplaced devices.