Android's seven best new security features and one lingering security problem

Android's seven best new security features and one lingering security problem

Summary: Android 4.3 added significant new security features, and Google has also added two other new security features to older versions of Android. Now, if only the carriers and OEMs would patch the Bluebox security hole every Android user would be happier.

SHARE:

Google's latest version of Android, Jelly Bean 4.3, has many good features. Under the surface, though, Google added five significant security features. On top of that, Google has added two other new features that work with almost all currently used versions of Android. 

Android-CombinationLock
Android, and not just the latest version, has gotten a lot more secure in recent weeks.

The new 4.3 features are, besides adding restricted profiles:

Android sandbox reinforced with SELinux:

Android 4.3 now includes SELinux, a mandatory access control (MAC) system in the Linux kernel to augment the Unique Identification Number (UID) based application sandbox. This makes almost all apps  with the Android sandbox much more secure.

Some users are wary of SELinux, since the NSA had a large hand in creating it. Since SELinux, just like all of Linux, is open source that seems foolish to me. After all, the code is right in plain sight for anyone to look for security holes.

KeyChain enhancements:

If you're still worried about the NSA snooping on your messages you'll be happy to see Google's new KeyChain API provides a method that enables applications to confirm that system-wide keys are bound to a hardware root of trust. This means that carrier and OEM developers can add private keys that cannot be copied off the device, even if it's otherwise completely compromised.

This won't stop the NSA -- or most major Internet companies -- from using big data, metadata, and traffic analysis to keep an eye on you, but it will eventually help to keep the contents of your messages and apps secure.

Android Keystore Provider:

At the same time, Android 4.3 also introduces a keystore provider and APIs that allow applications to create exclusive-use keys. What that means is that apps can create or store private keys that no other app can see or use.

Restrict Setuid from Android Apps:

Your device's /system partition is now mounted "nosuid" for Zygote-spawned processes. This helps prevent Android applications from executing setuid programs. In turn, this reduces root attack surface and likelihood of potential security vulnerabilities. In English, this means malicious apps will have a much harder time trying  to take over your device's superuser/root privileges.

It sounds good, and it is good. Unfortunately, it's also already obsolete. Chainfire, creator of SuperSU, an Android rooting program, has found a way to root Android 4.3 "by using an "su daemon," which is started from init [A vital Android boot-up program] and not from a Zygote process."

Wi-Fi support for WPA2-Enterprise networks:

New application programming interfaces (API)s can now be used configure the Wi-Fi credentials needed for connections to access points using WPA2 enterprise with Extensible Authentication Protocol (EAP) and Encapsulated EAP (Phase 2). With this, developers will be able to create apps that can join business Access Points (APs) that use EAP and Phase 2 authentication methods.

Beyond Android 4.3:

Google has also been adding improved security features for older versions of Android as well.

First, Verify Apps, a security feature introduced in Android 4.2, is no longer part of the operating system. Instead, it's been incorporated into Google Play Services, which is incorporated on Android 2.3 and higher. This service is client-side process that scans apps for malware as you install them. This works even if you're side-loading your new apps as Android application package files (APKs) from a third-party Android app store and not Google's Play Store.

Second, and boy have we waited a long time for this one, Google has finally added a lost phone finder to Android. Like Verify Apps you don't need a new smartphone to use it. This service will also be available to anyone using an Android device using Android 2.2 or above. With it you can make your little lost phone ring at maximum volume, signal you from a map, or, if worse comes to worse and it's been stolen, you can erase all your data from it remotely.

So much for the good news. The bad news is that OEMs are still being slow as an old dog on a hot day about rolling out Google's Bluebox Security patch. Adding insult to injury, the first malware-infected apps using this security hole have started appearing.

Even with this Android security has been improving this summer. Now, if only Google started forcing vendors and carriers to push security updates to users, I'd be a lot happier and you'd be a lot safer.

Related Stories:

Topics: Security, Android, Google, Linux, Mobility, Smartphones, Tablets

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

52 comments
Log in or register to join the discussion
  • Android's seven best new security features and one lingering security probl

    Kudos to the Android team.

    Hooah!
    RickLively
    • Kudos to the SE for Android project as well

      Here's a link to the merge status for Android 4.3:

      http://selinuxproject.org/page/SEAndroid#Merge_Status

      It's not complete, but it's a start. More on SELinux for Android 4.3 here:

      https://source.android.com/devices/tech/security/se-linux.html

      P.S. Mr. Davidson, you'll love this next bit. In order to get SELinux set to enforcing mode for Android 4.3 (the default is permissive mode), one will have to *compile*.
      Rabid Howler Monkey
    • So what

      now all of the mfg have to update each model phone they have made and currently sell. SO you think these Gingerbread phones they still sell are going to get 4.3?

      What a mess. This is the very reason I won't even consider Android. I don't classify it as an Operating System platform to consider. The absolute worst at updating practices, horrible at supporting security fixes in a timely manner. Sorry, but Android is not even a consideration.
      RichDavis1
      • Re: So what (OR, you could READ the article...)

        "First, Verify Apps, a security feature introduced in Android 4.2, is no longer part of the operating system. Instead, it's been incorporated into Google Play Services, which is incorporated on Android 2.3 and higher. This service is client-side process that scans apps for malware as you install them. This works even if you're side-loading your new apps as Android application package files (APKs) from a third-party Android app store and not Google's Play Store."

        Gee... I wonder what version of Android OS "Gingerbread" might be? You don't suppose it could be Android 2.3, by any chance...?
        bswiss
  • Wow, the new SJVN is fantastic

    Kudos SJVN for another great article.

    Kudos to the Android team as well.

    Big boos and hisses for Android OEMs. Let's face it, the vast majority of Android devices out there will never get 4.3.
    toddbottom3
    • Never get

      And were it offered, a high percentage of users would download is because it might mess up their customizations...
      rphunter1242
    • I really don't know

      why users even bother with Android. The two top things EVERY person should be most concerned about with these things is at the bottom of the list. Security and a best practices approach to updating the OS.

      They have this major security flaw that's existed since 1.6 and Android users have to buy new devices to get out from under it. What a waste of time and money.

      They STILL won't ever have as many apps as iOS and iOS is supported by a LOT of major developers that will NOT touch Android for the very reasons I've identified.

      I have an iT background for many years, a top notch Enterprise customer would dismiss Andriod as an option based on these two things. Lack of attention to security issues and a poor updating practice amongst the OEMS. Nexus isn't an option since those don't really sell that many units, they usually only have one model to choose from and it's got flaws with it and Google doesn't make the darn things, they private label another brands product. Sorry, but I'll still to an iPhone knowing they WILL be coming out with new updates to the OS every year which adds features and they update ALL of their currently supported devices on the same day and Security is a top priority for Apple instead of a bunch of features that aren't always a necessity.

      Android insults my intelligence. Sorry Google, stop making a crap OS and focus on improving your core competencies, for which I still don't know what they are.
      RichDavis1
  • The best feature is to include "verify apps" into Google Play

    This will make 95% os all android devices more secure.
    AleMartin
  • Android's seven best new security features and one lingering security probl

    So the open source android linux is getting more locked down every day. Goes against the very concept of what they stood for. That is irony for you. Too bad it still has linux underneath which is a giant flaw.
    Loverock-Davidson
    • What concept?

      “Goes against the very concept of what they stood for.”
      RickLively
    • Security and freedom are different non-conflicting concepts

      But who ever expected you to understand that?
      Natanael_L
  • Calling Lovedog Rabidson!

    Your Telnet port is open and waiting, Mr Davidson!
    ldo17
    • no -- it is his RPC port

      that is still open...
      jessepollard
  • Buy my devices will never see these updates

    Since Android is so completely fragmented, with each vendor responsible for updates, I'll never see these unless I buy a new device.

    Even then, because vendors control distribution of Android, it may be a year before any vendor offers 4.3.

    Great improvements, but I'll probably never see it.
    Cynical99
    • Did any one think other wise, so cynical

      Bye bye.....So much work for not....

      Bye bye.......
      RickLively
    • each new version of android moves more into being remotely patchable.

      I'd be very surprised if Key lime pie android is not patchable though google play to some degree.

      firstly by making more and more core functionality run though dalvic as apk's that are upgradeable and probably other tricks to perhaps run google signed code on boot if it exists to load patches for lower level code.
      frankieh
    • I Wonder Too

      One of the major attractions to buying Google's Nexus 4 is we'd be 1st up for OS Upgrade. Nothing of the sort. It's Aug. 8 already.
      Two downloads have come to my phone. Both would auto Reboot into Error!
      I'm fortunate. I could then Reboot my phone back to status quo. Googling this issue I found all kinds of the last two Google Phones are inoperable after the Install. I understand they're even replacing phones. This issue needs airing.
      Plus, no Patch available yet for our phones. Not too worried on that note. I'm using ReKey for now. What's with Google.
      PreachJohn
  • Bahahahahaha....

    Android has security? What a joke... Anybody can fiddle with Android and that its biggest weakness...Average user has no idea what android is.... 40 percent of android phones are sold by unknown OEMS, loaded with malware...

    Android is a poorly designed platform... its doesn't matter what Linux it runs and reinforcing it with concrete or iron doesn't really matter...
    OwlllllllNet
    • Sounds like you are talking about Windows again.

      Get the name right.
      jessepollard
      • Actually, he's dead accurate on his description of Android

        Android is now successful, therefore a target for malware writers. People like you that hide from the truth inevitably stay under the rocks for as long as possible and never really admit that a problem exists.

        Enjoy the dark, damp spaces.
        Cynical99