Android Hacker: Jelly Bean Tougher To Crack - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Android Hacker: Jelly Bean Tougher To Crack

Android 4.1, code-named Jelly Bean, is first OS from Google to correctly randomize memory, making it tougher for attackers to get a foothold.

Samsung's Android Super Smartphone: Galaxy SIII
Samsung's Android Super Smartphone: Galaxy SIII
(click image for larger view and for slideshow)
Expect some notable security improvements in Android 4.1, code-named Jelly Bean. In particular, it will be the first version of Android to properly implement address space layout randomization (ASLR), thus foiling would-be kernel attackers.

That observation comes via Android security researcher Jon Oberheide, CTO of DUO Security, who's been keeping an eye on the Google Android ASLR-related endeavors, as well as other security improvements.

Using ASLR randomizes memory on a device, which makes it more difficult for developers to craft malicious attacks, because they can't tell their software exactly which address spaces to call when attempting to exploit a device. But when ASLR was introduced in Android with 4.0, a.k.a. Ice Cream Sandwich, Oberheide found that it "did not live up to expectations and is largely ineffective for mitigating real-world attacks" due to it failing to actually randomize large parts of Android memory.

Still, he noted that prior to mid-2010, the Linux kernel hadn't even offered ASLR for the ARM architecture, which is the main hardware platform on which Android devices run. Accordingly, some growing pains were to be expected.

[ Read Android 4.1 Jelly Bean: Does It Measure Up? ]

With Android 4.1, however, when it comes to ASLR, "the deficiencies in [Ice Cream Sandwich] pointed out in our previous blog post have all been addressed," said Oberheide in a blog post. In addition, Jelly Bean also implements some information leakage prevention capabilities "inherited from the upstream Linux kernel," he said. "The end result is denying attackers information sources on the system that may aid in increasing the feasibility--or reliability--of a kernel exploit." That's desirable, because a successful kernel exploit will allow attackers to instruct a system to execute any supplied command.

Despite the ASLR improvements, however, there's still room for Android security improvements. "While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple's iOS 6," said Oberheide. "One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation."

Beyond potentially adding ASLR to the Android kernel, what else could Google do to enhance Android security? According to Oberheide, Google could require--as Apple does--that all applications submitted to Google Play first be signed. That could help Google better spot malicious applications, instead of only relying on its Bouncer automated code-review tool.

Despite the security improvements on offer with Android Jelly Bean, the bad news is that smartphone and tablet users must wait to see the updated operating system. Although Google has promised to release Android 4.1 to developers later this month, industry watchers expect that mobile device manufacturers won't ship the first commercially available Jelly Bean products for another six months.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Flash Poll