Google adds seven new security features to Android

by: Gary Sims, August 6, 2013



In Unix-like operating systems, which include Linux and hence Android, a program may gain ‘root’ access because the binary has been marked with the setuid flag (or the setuid bit, as the system admins like to say). This means that a program run by a normal user can perform privileged operations. On a Linux system a program like passwd (which allows the user to change their password) has the setuid bit because changing passwords alters files at a system level. If a malicious program has the setuid bit set then that program can do almost whatever it likes. And one common way for hackers to exploit a system is to find a setuid program and somehow alter it to do their evil bidding.

With Android 4.3, the system area which holds many of the operating system programs (called the /system partition) is now configured in such a way that normal Android apps can no longer use the setuid functionality even if the flag is set. This reduces the ways in which malicious apps can exploit any potential security vulnerabilities.

For those interested in the precise technical terms: the /system partition is now mounted nosuid for zygote-spawned processes, preventing Android applications from executing setuid programs.
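Whether a setuid bit is honoured depends on the mount options of the filesystem holding the binary, as seen by the process doing the exec, and each process's view is listed in /proc/<pid>/mounts. The following is an added example, not code from the original article or from Android: it parses a mount table in that format and decides whether a setuid binary at a given path would be honoured. The sample mount table, its device names, the function names and the default /usr/bin/passwd path are assumptions made for illustration.

```python
import stat

# Constructed sample in /proc/<pid>/mounts format; device names are made up.
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/sample-system /system ext4 ro,nosuid,relatime 0 0
/dev/block/sample-data /data ext4 rw,nosuid,nodev,noatime 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, {options})] in the order the kernel lists them."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mount_point = fields[1].replace("\\040", " ")  # spaces are octal-escaped
        mounts.append((mount_point, set(fields[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that is a prefix of path; later entries win ties."""
    best = None
    for mount_point, options in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, options)
    return best

def setuid_honoured(path, mode, mounts):
    """True only if the setuid bit is set AND the containing mount lacks nosuid."""
    if not mode & stat.S_ISUID:
        return False
    mount = mount_for(path, mounts)
    return mount is not None and "nosuid" not in mount[1]

if __name__ == "__main__":
    import os
    import sys
    with open("/proc/self/mounts") as fh:  # this process's own mount view
        live = parse_mounts(fh.read())
    # /usr/bin/passwd is an assumed default location; pass other paths as arguments.
    for candidate in sys.argv[1:] or ["/usr/bin/passwd"]:
        if os.path.exists(candidate):
            mode = os.stat(candidate).st_mode
            print(candidate, oct(mode & 0o7777), setuid_honoured(candidate, mode, live))
```

Run as a script on a Linux system, it checks the paths given on the command line against the calling process's own mount table.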

WPA2-Enterprise networks

Android 4.3 now allows developers to create apps that configure the Wi-Fi credentials needed for connecting to WPA2 enterprise access points. These apps can access new Android system calls to configure Extensible Authentication Protocol (EAP) and Encapsulated EAP (Phase 2) credentials for authentication methods used in the enterprise. Previously configuring and connecting to such secured networks was not something third party apps could do.

Not just Android 4.3

The five security enhancements added by Google only apply to Android 4.3; however, Google has also added two significant security features which are available for every Android device using Android 2.3 and upwards (in other words, about 96% of all Android devices with access to Google Play).

First, Google has moved the Verify Apps feature, which scans any apps that are being installed and blocks the harmful ones, from the OS (where it was added as part of Android 4.2) into the Google Play Services. The scanner checks all apps, including those being installed directly from .apk files or from third-party app stores.

Second, Google is rolling out its new “find my phone” type app called the Android Device Manager. Android has long been criticized for not having a built-in lost phone app. The new service allows users to remotely manage, locate, block, or wipe their misplaced devices.

What it all means

For the average user, what this all means is that under the hood Android is now even more secure, and the internals are set to become even more secure as Google has put all the pieces into place to allow it to switch SELinux into enforcing mode. In terms of user interaction, all Android users (with Android 2.2 and up) can take advantage of the lost phone finder services, and Android 2.3 and up users can sleep easy at night knowing that Google is automatically blocking any known malicious apps from being installed on their device, regardless of where they are installed from.

  • mumusen

    First!!! And it SUCKS

    • Bravo, sir.

      • mumusen

        Haha. I was being sarcastic to people who post FIRST and feel the pride of posting the first comment. Just wanted to tell them it doesn’t matter to any one of us. But… to each, his own :)

        edit: aaah i just noticed stoian beat me to that lol :D

  • Stoian Alexx

    @Bogdan Petrovan: Romanian?

  • liberty addict

    They need to open source the entire stack before there is hope of some security. Google is mentioned as a partner with NSA’s Prism program to spy on Google users.

    • ukjb

      there are no “partners” … just companies that were threatened if they didn’t help snoop… google was one of the first companies to attempt to go against the NSA

      • Peter

        Yeah, keep telling yourself that… Google went willingly as one of the first – just like Microsoft. You all praise Google as this “liberty angel” of free, open source products and services – but the truth is nothing from them is free, it just doesn’t cost you money – they collect and sell all your info, make tons of money off it and put ads even in your fkn private inbox. I’m saying goodbye to google once and for all.

        • ukjb

          i never once said Google is a “liberty angel” …

          do i pay for their services? no

          do they make a lot of really good products and champion open source development? yes

          do they collect personal info? yes

          do they put ads in my private inbox? there is one small advertisement in the top (sometimes it’s not even there) compared to yahoo, aol, and microsoft that blast you with advertising left and right, google has the LEAST intrusive ads of all of the email platforms… so i really think you are off your rocker on this one.

          you’re saying goodbye to google? whatever bro. good luck finding another email service that doesn’t shower you with advertising. Wake up. this is the 21st century. internet = advertising = data mining = free services. That’s what it’s all about.

          Look, the fact of the matter is, you can preach all you want. But you sir are taking things WAAAAY out of perspective. you _think_ we (myself and others) are portraying google in too good a light. You are portraying them as the sole source of all evil on earth. In all reality Google is somewhere in the middle. Exactly where I believe they are. They are a business after all. They have to earn money for investors. And, I don’t mind giving them some of my data in exchange for targeted advertising. I don’t care. But to claim Google is the most evil company in the world is testing the limits of your gullibility to all the FUD around the internet.

          • michael

            its called adblock plus dumbass

          • ukjb

            1) i know what adblock is
            2) what does that have anything to do with anything i said
            3) i don’t appreciate being called a dumbass when your statement makes absolutely no correlation to what i said.

          • michael

            sorry i pressed the wrong reply link

  • Omran Terro

    Great security features…

  • elder futhark

    good progress, but not enough.
    I mean not enough to give me a peace of mind.

    dunno, when I used a blackberry years ago I had complete peace of mind that my phone would always be secure no matter the way I abused it, lol.. :D
    with my droid, I take utmost care to prevent it from getting stolen, hacked, or infected by something bad :(