Android KitKat Security Teardown: 4 Hits, 1 Miss - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile

Android KitKat Security Teardown: 4 Hits, 1 Miss

Google sweetens Android with SELinux, plus anti-rootkit technology that makes life difficult for malware -- but also for Android modders.

Samsung's New Gadgets: Visual Tour
Samsung's New Gadgets: Visual Tour
(click image for larger view)
The latest version of Google's Android operating system (version 4.4) -- known as "KitKat" and released last week -- includes a slew of changes: a streamlined footprint so it can run on devices with scant RAM, better animations and graphics acceleration, plus snappier device-wide search and a new phone dialer app. But what's new on the information security front?

According to Google's developer overview, KitKat packs in "dozens of security enhancements to protect users" -- meaning bug fixes -- plus an experimental boot verification feature and better sandbox. Those features, plus the patches, have already been shared with handset manufacturers, carriers and the Android Open Source Project (AOSP).

Based on teardowns of that code, here's a rundown of the Android security changes -- including why they're important, and what they'll offer users -- as well as one glaring omission:

1. Verified Boot Combats Rootkits

Android 4.4 builds an optional -- and "experimental" -- verified-boot capability into the kernel. According to Google, the feature, dubbed device-mapper-verity (dm-verity), "helps prevent persistent rootkits that can hold onto root privileges and compromise devices."

[ Do you think BYOD presents special security challenges? See It's Not 'Mobile Security,' It's Just Security. ]

In particular, the feature can spot rootkits that have a more privileged access level than security tools, and which are thus able to fool those malware-detection programs. "The dm-verity feature lets you look at a block device, the underlying storage layer of the file system, and determine if it matches its expected configuration," according to Google. If the cryptographic hash of a program has changed, it means malware is likely at work.

While this feature is great news for stopping malware, kernel-level file system integrity validation could make life difficult for Android modders. "By verifying the integrity of the device's file system at a low level via cryptography, rooting the phone becomes a thing of the past for most devices that come with a locked-down bootloader," according a study of Android 4.4 conducted by the Romanian information security firm BitDefender. "This means that alternative ROMs such as CyanogenMod, Paranoid Android or others will have a hard time getting on devices other than developer or Nexus ones running stock Android."

2. Android Sandbox Gets SELinux Boost

Android 4.3 (Jelly Bean) saw the addition of the Linux security module known as security-enhanced Linux (SELinux), which was developed by the National Security Agency more than 10 years ago, and which allows a number of security policies -- including access controls -- to be enforced in Linux.

In Android 4.3, SELinux was available only in "permissive mode," meaning it was could only be used for logging purposes, rather than policy enforcement. With Android 4.4, however, SELinux can be used in "enforcing" mode, meaning its use can be made mandatory. As a result, the module can be used "to prevent privilege escalation attacks such as an application gaining root privileges over the device, regardless of the application's permissions," according to BitDefender.

3. Strong Crypto Improvements

Android 4.4 now has certificate pinning, which Google said "detects and prevents the use of fraudulent Google certificates used in secure SSL/TLS communications." In addition, Android now flashes a warning "if any certificate has been added to the device certificate store that could allow monitoring of encrypted network traffic."

Both features are designed to ensure that a digital certificate is the real deal -- not a fake planted to allow a third party to eavesdrop on the device. "Long story short, if a digital certificate for a specific site has been fraudulently obtained by either breaking into the [certificate authority] or by just tricking them into issuing a new certificate on somebody else's behalf, Android will notify the user that the certificate's fingerprint does not match what Google has on record," according to BitDefender.

But that security improvement may also make life difficult for intrusion detection systems. "This is a welcome mitigation against man-in-the-middle attacks, but will also make traffic scanning via SSL more difficult for security solutions running in enterprises," said BitDefender.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BethArv
100%
0%
BethArv,
User Rank: Apprentice
1/4/2015 | 1:06:37 PM
Secure?
My "smart phones" have been hacked, so to speak, for 2 months now. Someone managed to set up an Advanced VPN in our devices and complete factory resets do not get them out. They are using the IP addresses. I had no idea these devices were so easy for someone to overtake. I've spent hours on the phone trying to get someone to track the hackers rather than simply flash the devices.
cbabcock
50%
50%
cbabcock,
User Rank: Strategist
11/6/2013 | 3:09:43 AM
re: Android KitKat Security Teardown: 4 Hits, 1 Miss
I'm glad to see Android get smarter about security. It needed to.
Slideshows
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll