Android's seven best new security features and one lingering security problem
Android 4.3 added significant new security features, and Google has also added two other new security features to older versions of Android. Now, if only the carriers and OEMs would patch the Bluebox security hole every Android user would be happier.
The new 4.3 features are, besides adding restricted profiles:
Android sandbox reinforced with SELinux:
Android 4.3 now includes SELinux, a mandatory access control (MAC) system in the Linux kernel to augment the Unique Identification Number (UID) based application sandbox. This makes almost all apps with the Android sandbox much more secure.
If you're still worried about the NSA snooping on your messages you'll be happy to see Google's new KeyChain API provides a method that enables applications to confirm that system-wide keys are bound to a hardware root of trust. This means that carrier and OEM developers can add private keys that cannot be copied off the device, even if it's otherwise completely compromised.
At the same time, Android 4.3 also introduces a keystore provider and APIs that allow applications to create exclusive-use keys. What that means is that apps can create or store private keys that no other app can see or use.
Restrict Setuid from Android Apps:
Your device's /system partition is now mounted "nosuid" for Zygote-spawned processes. This helps prevent Android applications from executing setuid programs. In turn, this reduces root attack surface and likelihood of potential security vulnerabilities. In English, this means malicious apps will have a much harder time trying to take over your device's superuser/root privileges.
It sounds good, and it is good. Unfortunately, it's also already obsolete. Chainfire, creator of SuperSU, an Android rooting program, has found a way to root Android 4.3 "by using an "su daemon," which is started from init [A vital Android boot-up program] and not from a Zygote process."
Wi-Fi support for WPA2-Enterprise networks:
New application programming interfaces (API)s can now be used configure the Wi-Fi credentials needed for connections to access points using WPA2 enterprise with Extensible Authentication Protocol (EAP) and Encapsulated EAP (Phase 2). With this, developers will be able to create apps that can join business Access Points (APs) that use EAP and Phase 2 authentication methods.
Beyond Android 4.3:
Google has also been adding improved security features for older versions of Android as well.
Second, and boy have we waited a long time for this one, Google has finally added a lost phone finder to Android. Like Verify Apps you don't need a new smartphone to use it. This service will also be available to anyone using an Android device using Android 2.2 or above. With it you can make your little lost phone ring at maximum volume, signal you from a map, or, if worse comes to worse and it's been stolen, you can erase all your data from it remotely.