Here is an interesting statistic for you – malicious Android apps are anticipated to total more than one million before 2013 is out. Granted, a lot of these apps are “harmlessly” malicious, but it only takes one really harmful app to truly wreck your day, your week, or possibly your entire electronic life. So when we hear tell that Google is adding seven new security features to the latest and greatest version of Android, Jelly Bean 4.3, we feel a need to rejoice just a little bit.
As a result of the additions, Google has been referring to Android 4.3 as a sweeter jelly bean. But we all know what sweeter means – it will attract more flies. For every such new feature, the hacksters will probably come up with 10 new ways to exploit it, but we’ll take whatever we can get.
In fact, the word on the street is that the new set of security features is fairly robust. It begins with support for Bluetooth Smart, Restricted Profiles, and support for Wi-Fi configuration on WPA2-Enterprise networks, as well as a variety of internal changes that simply make it more difficult for hackers to take advantage of security vulnerabilities. The key features are tools that, for the most part, developers can take advantage of.
The first noteworthy addition is Google’s strengthening of encryption, with tools that ensure that neither hackers nor other malicious entities can gain access to any device-stored encryption keys. The means for doing this are a set of new APIs, referred to as Keychain/Keystore system APIs, that provide developers with the ability to bind keys to specific hardware. In addition, Keystore APIs allow for the creation of local private key stores that cannot be seen outside of the app, as well as encryption keys that are only usable by a given app. Essentially, hackers will not be able to export these keys even if they’ve otherwise managed to hack their way onto a device.
Next, Google has added a nosuid option that can be set to ensure that no program can manage to give itself root privileges by way of the setuid bit, which more or less means having complete admin control over a device at the system level. With Android Jelly Bean 4.3, the system area known as the /system partition – the area where most of Android’s core programs are stored – has been completely reconfigured so that it is no longer vulnerable to having the setuid flag set to allow access. This essentially eliminates one of the hacker’s standard malware tools.
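To make the nosuid point concrete, here is an added example (not from Google or from the original article) of how a defender could check which filesystems still honour setuid bits, working from a mount table in the Linux /proc/mounts format. The sample table, device names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table (in /proc/mounts format) for nosuid.
# A filesystem mounted with nosuid has its setuid/setgid bits ignored by the kernel.

# Constructed sample in /proc/mounts format (not captured from a real device).
SAMPLE_MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/example-system /system ext4 ro,nosuid,relatime 0 0
/dev/block/example-data /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/example-cache /cache ext4 rw,nodev,noatime 0 0'

# mount_options MOUNTPOINT: read a mount table on stdin and print the option
# string of the LAST entry for MOUNTPOINT (a later mount hides earlier ones).
mount_options() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }'
}

# has_nosuid MOUNTPOINT: 0 = mounted with nosuid, 1 = mounted without it,
# 2 = mount point not present in the table read from stdin.
has_nosuid() {
    opts=$(mount_options "$1")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# list_suid_capable: print every mount point whose effective (last) entry
# lacks nosuid, in first-seen order. These are the places where a setuid
# binary would still run with its owner's privileges.
list_suid_capable() {
    awk '{
             if (!($2 in opts)) order[++n] = $2
             opts[$2] = $4
         }
         END {
             for (i = 1; i <= n; i++)
                 if (("," opts[order[i]] ",") !~ /,nosuid,/) print order[i]
         }'
}

# Demo on the constructed sample; on a live system, pipe /proc/mounts instead.
printf '%s\n' "$SAMPLE_MOUNTS" | list_suid_capable
```

On the constructed table this reports / and /cache, while /system and /data are covered by nosuid.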
One new feature and one specific change to the way Google Play operates will aid any Android system dating back to at least Android 2.3. The first is the long-awaited (and we mean long-awaited) “new” Find my Phone functionality to allow a user to find/locate a lost or stolen device and, depending on the situation the user is in, remotely manage, block, or wipe clean the lost, sort of missing or stolen device. Finally.
Next in this camp, the locally stored Verify Apps feature, which is used to scan apps as they are being installed, is now no longer part of the collection of installed Android apps on a device. Obviously this isn’t a new feature, but it is worth noting as part of the larger collection of security enhancements. Verify Apps is designed to try and capture any apps that may be malicious and look to block them. This is hardly foolproof but is nevertheless a measure of defense. Google has now pushed the app out directly into Google Play’s own set of services. Essentially the move broadens Google Play’s ability to scan and block. As we’ve mentioned, this is nice to have in place but it is not foolproof by any means. Never assume that it is able to protect you from all possibly harmful apps. In fact, always assume the opposite!
Finally, Google has activated what is known as SELinux in Jelly Bean 4.3. SELinux is new to Android but has been around forever as part of other Linux systems. As far as Android is concerned, it attempts to limit any damage that is liable to result from malicious apps. For that matter, it also tries to resolve issues that can pop up through trusted apps that may have design issues or perform some dumb actions that cause unexpected problems to arise. We’ll leave it at that. Its usefulness is probably more limited than we’re making it appear at this point, and it remains to be seen where Google will go with it.
Finally, let’s return to the new WPA2 Wi-Fi security capabilities Android Jelly Bean 4.3 now supports. Again, the feature isn’t an end user feature but one that gives programmers the ability to build apps that are able to configure Wi-Fi credentials. Developers can access new APIs to configure Extensible Authentication Protocol (EAP) and Encapsulated EAP credentials. Configuring and connecting to such secured networks through the apps themselves was not something third party apps were previously able to do. It adds an additional layer of security for the enterprise.
As much as these new security features take Android a “tiny” step forward in delivering a more secure operating system, take it all with a grain or two of salt. As we noted earlier, the sweeter the jelly bean, the more hacksters will look to engage with the challenges that present themselves. And in case it isn’t obvious, this is all stuff that is invisible to the user. Aside from the Find my Phone feature – which is absolutely an end user feature – the rest is all “coding stuff” for developers. Nevertheless, thank you Google for taking these security steps.
Edited by
Blaise McNamee