Android Hacker: Jelly Bean Tougher To Crack - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Android Hacker: Jelly Bean Tougher To Crack

Android 4.1, code-named Jelly Bean, is first OS from Google to correctly randomize memory, making it tougher for attackers to get a foothold.

Samsung's Android Super Smartphone: Galaxy SIII
Samsung's Android Super Smartphone: Galaxy SIII
(click image for larger view and for slideshow)
Expect some notable security improvements in Android 4.1, code-named Jelly Bean. In particular, it will be the first version of Android to properly implement address space layout randomization (ASLR), thus foiling would-be kernel attackers.

That observation comes via Android security researcher Jon Oberheide, CTO of DUO Security, who's been keeping an eye on the Google Android ASLR-related endeavors, as well as other security improvements.

Using ASLR randomizes memory on a device, which makes it more difficult for developers to craft malicious attacks, because they can't tell their software exactly which address spaces to call when attempting to exploit a device. But when ASLR was introduced in Android with 4.0, a.k.a. Ice Cream Sandwich, Oberheide found that it "did not live up to expectations and is largely ineffective for mitigating real-world attacks" due to it failing to actually randomize large parts of Android memory.

Still, he noted that prior to mid-2010, the Linux kernel hadn't even offered ASLR for the ARM architecture, which is the main hardware platform on which Android devices run. Accordingly, some growing pains were to be expected.

[ Read Android 4.1 Jelly Bean: Does It Measure Up? ]

With Android 4.1, however, when it comes to ASLR, "the deficiencies in [Ice Cream Sandwich] pointed out in our previous blog post have all been addressed," said Oberheide in a blog post. In addition, Jelly Bean also implements some information leakage prevention capabilities "inherited from the upstream Linux kernel," he said. "The end result is denying attackers information sources on the system that may aid in increasing the feasibility--or reliability--of a kernel exploit." That's desirable, because a successful kernel exploit will allow attackers to instruct a system to execute any supplied command.

Despite the ASLR improvements, however, there's still room for Android security improvements. "While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple's iOS 6," said Oberheide. "One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation."

Beyond potentially adding ASLR to the Android kernel, what else could Google do to enhance Android security? According to Oberheide, Google could require--as Apple does--that all applications submitted to Google Play first be signed. That could help Google better spot malicious applications, instead of only relying on its Bouncer automated code-review tool.

Despite the security improvements on offer with Android Jelly Bean, the bad news is that smartphone and tablet users must wait to see the updated operating system. Although Google has promised to release Android 4.1 to developers later this month, industry watchers expect that mobile device manufacturers won't ship the first commercially available Jelly Bean products for another six months.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/21/2012 | 12:26:40 PM
re: Android Hacker: Jelly Bean Tougher To Crack
Now all we need to do is get the product developers to allow you to update your tablets/phones. The model of the vendor pushing the update is getting old as you end up sitting on an old OS if the gatekeeper won't send you the link. I know there are those who say - just root the device and update, but that's is a rather daunting task for many.
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Flash Poll