In Unix-like operating systems, which include Linux and hence Android, a program may gain ‘root’ access because the binary has been marked with the setuid flag (or the setuid bit, as system admins like to say). This means that a program run by a normal user can perform privileged operations. On a Linux system, a program like passwd (which allows users to change their password) has the setuid bit because changing passwords alters files at a system level. If a malicious program has the setuid bit set, then that program can do almost whatever it likes. One common way for hackers to exploit a system is to find a setuid program and somehow alter it to do their evil bidding.

With Android 4.3, the system area which holds many of the operating system programs (called the /system partition) is now configured in such a way that normal Android apps can no longer use the setuid functionality even if the flag is set. This reduces the ways in which malicious apps can exploit any potential security vulnerabilities.

For those interested in the precise technical terms: the /system partition is now mounted nosuid for zygote-spawned processes, preventing Android applications from executing setuid programs.
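A defender's view of the nosuid change described above, as an added example that is not from the original article: the Python below reads mount options in `/proc/<pid>/mounts` format and lists setuid files under a directory, marking whether the kernel will honour the bit on that filesystem. The sample mount lines and device paths are constructed, and the function names are hypothetical.

```python
import os
import stat

def nosuid_mounts(mounts_text):
    """Map mount point -> True if mounted nosuid (/proc/<pid>/mounts format)."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # not a mount entry
        mount_point, options = fields[1], fields[3].split(",")
        # A later entry for the same mount point shadows the earlier one.
        result[mount_point] = "nosuid" in options
    return result

def audit_setuid(root):
    """Return [(path, owner_uid, effective)] for setuid regular files under root.

    effective is False when the file's filesystem is mounted nosuid, in which
    case the kernel ignores the setuid bit at exec time.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                nosuid = bool(os.statvfs(path).f_flag & os.ST_NOSUID)
            except OSError:
                continue  # unreadable or vanished entry
            findings.append((path, st.st_uid, not nosuid))
    return findings

# Constructed sample of what an app process might see (not from a real device).
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/sample/system /system ext4 ro,nosuid,relatime 0 0
/dev/block/sample/userdata /data ext4 rw,nosuid,nodev,noatime 0 0
"""

if __name__ == "__main__":
    for mount_point, nosuid in nosuid_mounts(SAMPLE_MOUNTS).items():
        print(f"{mount_point}: {'nosuid' if nosuid else 'setuid honoured'}")
    for path, uid, effective in audit_setuid("/usr/bin"):
        print(f"{path} owner_uid={uid} effective={effective}")
```

Because the restriction applies to zygote-spawned processes, the mount table to inspect is the one belonging to the app process, not the one seen from a separate shell.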

WPA2-Enterprise networks

Android 4.3 now allows developers to create apps that configure the Wi-Fi credentials needed for connecting to WPA2 enterprise access points. These apps can access new Android system calls to configure Extensible Authentication Protocol (EAP) and Encapsulated EAP (Phase 2) credentials for authentication methods used in the enterprise. Previously, configuring and connecting to such secured networks was not something third-party apps could do.

Not just Android 4.3

The five security enhancements added by Google only apply to Android 4.3. However, Google has also added two significant security features which are available for every Android device using Android 2.3 and upwards (in other words, about 96% of all Android devices with access to Google Play).

First, Google has moved the Verify Apps feature, which scans any apps that are being installed and blocks the harmful ones, from the OS (where it was added as part of Android 4.2) into Google Play Services. The scanner checks all apps, including those being installed directly from .apk files or from third-party app stores.

Second, Google is rolling out its new “find my phone” type app called the Android Device Manager. Android has long been criticized for not having a built-in lost phone app. The new service allows users to remotely manage, locate, block, or wipe their misplaced devices.

What it all means

For the average user, what this all means is that under the hood Android is now even more secure, and the internals are set to become even more secure as Google has put all the pieces into place to allow it to switch SELinux into enforcing mode. In terms of user interaction, all Android users (with Android 2.2 and up) can take advantage of the lost phone finder services, and Android 2.3 and up users can sleep easy at night knowing that Google is automatically blocking any known malicious apps from being installed on their device, regardless of where they are installed from.

Gary Sims
Gary has been a tech writer for over a decade and specializes in open source systems. He has a Bachelor's degree in Business Information Systems. He has many years of experience in system design and development as well as system administration, system security and networking protocols. He also knows several programming languages, as he was previously a software engineer for 10 years.