It’s no secret to Android fans that the security of their favorite mobile platform has been often questioned after various malware programs managed to bypass security measures and affect Android devices – quite a few malware-containing apps even made it to the Google Play store. In addition to that, the Android devices themselves were prone to being attacked by smart hackers that knew what to look for in order to trigger malicious actions on the device.
But that doesn’t mean Google hasn’t paid special attention to these exploits. In fact, it looks like Jelly Bean’s security has been significantly improved to prevent future malware attacks, according to Duo Security research. That doesn’t mean that Android is 100% secure from such attacks – no operating system is 100% safe from attacks as hackers will always find exploits to take advantage of – but that hackers will have a much tougher job getting access to your Android smartphones and tablets.
Ars Technica explains that Jelly Bean is the first Android version that offers a proper address space layout randomization, or ASLR, which makes it difficult for hackers to plan their attacks. As its name suggests, ASLR randomizes something, in this case the memory locations – “library, stack, heap and most other OS data structures” – and therefore hackers will have a hard time predicting where the malicious code they want to load on the device will be located in memory, a job that was much easier in previous Android versions.
In addition to ASLR, there’s also a data execution prevention, or DEP, system in place in Jelly Bean, which works together with ASLR to prevent such attacks. ASLR was available also in Ice Cream Sandwich, but it didn’t function properly, leaving doors open to unwanted attacks:
Although Android 4.0, aka Ice Cream Sandwich, was the first Android release to offer ASLR, the implementation was largely ineffective at mitigating real-world attacks. One of the chief reasons for the deficiency was Android’s executable region, heap, libraries, and linker were loaded at the same locations each time. This made it significantly easier for attackers designing exploits to predict where in memory their malicious code can be located.
“As long as there’s anything that’s not randomized, then it (ASLR) doesn’t work, because as long as the attacker knows something is in the same spot, they can use that to break out of everything else,” Charlie Miller, a veteran smartphone hacker and principal research consultant at security firm Accuvant, told Ars. “Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it’s going to be pretty difficult to write exploits for that.”
Ars also notes that Apple has had ASLR and DEP in iOS for the past 16 months. On top of these features, iOS also features another layer of security called code signing, “a protection designed to prevent unauthorized applications from running on the device by requiring code loaded into memory to carry a valid digital signature before it can be executed.”
It will be interesting to see whether code signing will come to Android in future OS versions, but in the mean time the good news is that Jelly Bean is much safer than its predecessors. Obviously, the bad news is that not all Android devices out there will get these security features, as not all of them will be upgradeable to Android 4.1. But that’s an entirely different story.
Have you been affected by any malware apps or malware-containing sites on your Android smartphone or tablet?