andoid-4.4-security


Upload: mihai-darstaru

Post on 16-Dec-2015


  • Android KitKat Security Teardown: 4 Hits, 1 Miss

    Google sweetens Android with SELinux, plus anti-rootkit technology that makes life difficult for malware -- but also for Android modders.

    By Mathew J. Schwartz, InformationWeek
    November 05, 2013
    URL: http://www.informationweek.com/security/mobile/android-kitkat-security-teardown-4-hits/240163560

    The latest version of Google's Android operating system (version 4.4) -- known as "KitKat" and released last week -- includes a slew of changes: a streamlined footprint so it can run on devices with scant RAM, better animations and graphics acceleration, plus snappier device-wide search and a new phone dialer app. But what's new on the information security front?

    According to Google's developer overview, KitKat packs in "dozens of security enhancements to protect users" -- meaning bug fixes -- plus an experimental boot verification feature and better sandbox. Those features, plus the patches, have already been shared with handset manufacturers, carriers and the Android Open Source Project (AOSP).

    Based on teardowns of that code, here's a rundown of the Android security changes -- including why they're important, and what they'll offer users -- as well as one glaring omission:

    1. Verified Boot Combats Rootkits

    Android 4.4 builds an optional -- and "experimental" -- verified-boot capability into the kernel. According to Google, the feature, dubbed device-mapper-verity (dm-verity), "helps prevent persistent rootkits that can hold onto root privileges and compromise devices."

    In particular, the feature can spot rootkits that have a more privileged access level than security tools, and which are thus able to fool those malware-detection programs. "The dm-verity feature lets you look at a block device, the underlying storage layer of the file system, and determine if it matches its expected configuration," according to Google. If the cryptographic hash of a program has changed, it means malware is likely at work.

    While this feature is great news for stopping malware, kernel-level file system integrity validation could make life difficult for Android modders. "By verifying the integrity of the device's file system at a low level via cryptography, rooting the phone becomes a thing of the past for most devices that come with a locked-down bootloader," according to a study of Android 4.4 conducted by the Romanian information security firm BitDefender. "This means that alternative ROMs such as CyanogenMod, Paranoid Android or others will have a hard time getting on devices other than developer or Nexus ones running stock Android."
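
The block-level check described above, as an added example that is not code from the article, Google or the Linux kernel: a simplified model of a dm-verity-style hash tree, in which each block read is checked against stored digests and finally against a trusted root hash. The salt handling, padding, in-memory tree layout and all sample values are assumptions made for illustration.

```python
import hashlib

BLOCK = 4096                           # data/hash block size in bytes
DIGEST = hashlib.sha256().digest_size  # 32
FANOUT = BLOCK // DIGEST               # 128 digests per hash block

def h(salt, block):
    return hashlib.sha256(salt + block).digest()

def blocks(buf):
    # Split into BLOCK-sized pieces, zero-padding the last one.
    return [buf[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(buf), BLOCK)]

def build_tree(image, salt):
    """Return (levels, root); levels[0] holds the digests of the data blocks."""
    if not image:
        raise ValueError("empty image")
    levels, current = [], blocks(image)
    while True:
        current = blocks(b"".join(h(salt, b) for b in current))
        levels.append(current)
        if len(current) == 1:
            return levels, h(salt, current[0])

def verify_block(data, index, levels, salt, root):
    """Check one data block against the untrusted stored tree and the trusted root."""
    digest = h(salt, data)
    for level in levels:
        hash_block = level[index // FANOUT]
        slot = (index % FANOUT) * DIGEST
        if hash_block[slot:slot + DIGEST] != digest:
            return False               # stored digest does not match what was read
        digest, index = h(salt, hash_block), index // FANOUT
    return digest == root              # top hash block must hash to the trusted root

def demo():
    salt = b"constructed-salt"         # constructed sample values throughout
    image = b"".join(i.to_bytes(4, "big") * (BLOCK // 4) for i in range(300))
    levels, root = build_tree(image, salt)
    clean = verify_block(blocks(image)[200], 200, levels, salt, root)
    tampered = bytearray(image)
    tampered[200 * BLOCK] ^= 0xFF      # modify one byte of block 200
    bad = bytes(tampered[200 * BLOCK:201 * BLOCK])
    data_only = verify_block(bad, 200, levels, salt, root)
    # Attacker also rewrites the whole stored hash tree to match the change.
    forged_levels, _ = build_tree(bytes(tampered), salt)
    forged = verify_block(bad, 200, forged_levels, salt, root)
    return clean, data_only, forged

if __name__ == "__main__":
    print(demo())
```

The third case is why the root hash has to live somewhere the modified system cannot rewrite: a forged tree that is internally consistent still fails at the final comparison.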

    2. Android Sandbox Gets SELinux Boost

    Android 4.3 (Jelly Bean) saw the addition of the Linux security module known as security-enhanced Linux (SELinux), which was developed by the National Security Agency more than 10 years ago, and which allows a number of security policies -- including access controls -- to be enforced in Linux.

    In Android 4.3, SELinux was available only in "permissive mode," meaning it could only be used for logging purposes, rather than policy enforcement. With Android 4.4, however, SELinux can be used in "enforcing" mode, meaning its use can be made mandatory. As a result, the module can be used "to prevent privilege escalation attacks such as an application gaining root privileges over the device, regardless of the application's permissions," according to BitDefender.

    3. Strong Crypto Improvements

    Android 4.4 now has certificate pinning, which Google said "detects and prevents the use of fraudulent Google certificates used in secure SSL/TLS communications." In addition, Android now flashes a warning "if any certificate has been added to the device certificate store that could allow monitoring of encrypted network traffic."

    Both features are designed to ensure that a digital certificate is the real deal -- not a fake planted to allow a third party to eavesdrop on the device. "Long story short, if a digital certificate for a specific site has been fraudulently obtained by either breaking into the [certificate authority] or by just tricking them into issuing a new certificate on somebody else's behalf, Android will notify the user that the certificate's fingerprint does not match what Google has on record," according to BitDefender.

    But that security improvement may also make life difficult for intrusion detection systems. "This is a welcome mitigation against man-in-the-middle attacks, but will also make traffic scanning via SSL more difficult for security solutions running in enterprises," said BitDefender.

    4. Per-User VPN

    Another security improvement is the inclusion of a VPN which -- on multiuser devices, meaning tablets -- can be applied on a per-user basis. "This can allow a user to route all network traffic through a VPN without affecting other users on the device," according to Google.

    But there is a caveat. "The downside is that -- from what we see with the AOSP build -- VPN settings are only available for the first tablet user, while other users have to do without VPN at all," according to BitDefender.

    5. Finally, Individual App Permission Controls -- Not

    One notable omission from Android 4.4 was the promised ability to review the permissions being used by apps, and to revoke them on an app-by-app basis.

    "Back in Android 4.3, Android introduced a feature that was supposed to let users individually deny or allow permissions for every application installed on the device," according to BitDefender. "The feature, buried inside an activity called App Ops, was something both average users and security companies have been demanding for years and it would have been for sure nice to have it introduced in KitKat."

    Now, however, App Ops appears to have been excised completely, following an Aug. 2, "completely remove app ops activity" change to the Android code base made by Google.

    A Google spokeswoman didn't immediately respond to an emailed request for comment on the status of the App Ops feature.

    Numerous Security Upsides

    The uncertain status of App Ops notwithstanding, the KitKat security enhancements are good news for Android fans. As always, users of older Android devices may have to wait for weeks or months -- or forever, in the case of some particularly laggard carriers and manufacturers -- to see a KitKat update for their devices. But everyone else, including buyers of many new Android smartphones and tablets, will get KitKat installed by default, and from a security standpoint, benefit accordingly.
