Nick Kralevich | cb4c927 | 2013-04-30 17:08:38 -0700
page.title=Security Enhancements in Android 4.3
@jd:body

<p>
Every Android release includes dozens of security enhancements to protect
users. The following are some of the security enhancements available
in Android 4.3:
</p>

<ul>
<li><strong>Android sandbox reinforced with SELinux.</strong>
This release strengthens the Android sandbox using the SELinux
mandatory access control (MAC) system in the Linux kernel. SELinux
reinforcement is invisible to users and developers, and adds robustness
to the existing Android security model while maintaining compatibility
with existing applications. To ensure continued compatibility, this release
allows the use of SELinux in permissive mode. This mode logs any policy
violations, but will not break applications or affect system behavior.</li>

<li><strong>No setuid/setgid programs.</strong>
Added support for filesystem capabilities
to Android system files and removed all setuid/setgid programs. This
reduces the root attack surface and the likelihood of potential security
vulnerabilities.</li>

<li><strong>ADB Authentication.</strong>
Since Android 4.2.2, connections to ADB are
authenticated with an RSA keypair. This prevents unauthorized use of
ADB where the attacker has physical access to a device.</li>

<li><strong>Restrict Setuid from Android Apps.</strong>
The /system partition is now mounted
nosuid for zygote-spawned processes, preventing Android applications
from executing setuid programs. This reduces the root attack surface and
the likelihood of potential security vulnerabilities.</li>

<li><strong>Capability bounding.</strong>
Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop
unnecessary capabilities prior to executing applications.
This prevents Android applications and applications launched from
the shell from acquiring privileged capabilities.</li>

<li><strong>AndroidKeyStore Provider.</strong>
Android now has a keystore provider that allows
applications to create exclusive-use keys. This provides applications
with an API to create or store private keys that cannot be used by
other applications.</li>

<li><strong>KeyChain isBoundKeyAlgorithm.</strong>
The KeyChain API now provides a method
(isBoundKeyAlgorithm) that allows applications to confirm that system-wide keys
are bound to a hardware root of trust for the device. This provides
a place to create or store private keys that cannot be exported off the
device, even in the event of a root compromise.</li>

<li><strong>NO_NEW_PRIVS.</strong>
Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block the addition
of new privileges prior to executing application code. This
prevents Android applications from performing operations which can
elevate privileges via execve. (This requires Linux kernel version 3.5
or greater.)</li>

<li><strong>FORTIFY_SOURCE enhancements.</strong>
Enabled FORTIFY_SOURCE on Android x86 and MIPS
and fortified strchr(), strrchr(), strlen(), and umask() calls. This
can detect potential memory corruption vulnerabilities or unterminated
string constants.</li>

<li><strong>Relocation protections.</strong>
Enabled read-only relocations (relro) for
statically linked executables and removed all text relocations in Android
code. This provides defense in depth against potential memory corruption
vulnerabilities.</li>

<li><strong>Improved EntropyMixer.</strong>
EntropyMixer now writes entropy at shutdown /
reboot, in addition to periodic mixing. This allows retention of all
entropy generated while devices are powered on, and is especially useful
for devices that are rebooted immediately after provisioning.</li>

<li><strong>Security Fixes.</strong>
Android 4.3 also includes fixes for Android-specific
vulnerabilities. Information about these vulnerabilities has been provided
to Open Handset Alliance members and fixes are available in the Android Open
Source Project. To improve security, some devices with earlier versions
of Android may also include these fixes.</li>
</ul>
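<p>
Added example (not code from the Android source tree or this page): a small Linux C program that performs the two zygote-style hardening steps described in the "Capability bounding" and "NO_NEW_PRIVS" items above, in that order, and verifies the result with PR_CAPBSET_READ and PR_GET_NO_NEW_PRIVS. The keep-list (CAP_NET_RAW) is an illustrative choice, not zygote's actual set; dropping from the bounding set requires CAP_SETPCAP, so that step reports failure when run unprivileged, while NO_NEW_PRIVS needs no privilege at all.
</p>

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Return 1 if `cap` is in the calling thread's capability bounding set,
 * 0 if it has already been dropped, -1 if the kernel rejects the number. */
int bounding_set_contains(int cap) {
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Drop every capability from the bounding set except those whose bit is
 * set in `keep_mask` (bit n <-> capability number n). Like zygote, this
 * needs CAP_SETPCAP. Returns 0 on success, -errno of the first failure. */
int drop_bounding_set_except(unsigned long long keep_mask) {
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (keep_mask & (1ULL << cap))
            continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -errno;
    }
    return 0;
}

/* Block privilege gain across execve (setuid/setgid bits, file capabilities).
 * Irreversible for this process and inherited by its children.
 * Returns 0 on success, -errno otherwise (EINVAL on kernels before 3.5). */
int set_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

/* 1 if no_new_privs is set for this process, 0 if not, -1 on error. */
int no_new_privs_enabled(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(void) {
    /* Illustrative keep-list: retain only CAP_NET_RAW, drop everything else. */
    int rc = drop_bounding_set_except(1ULL << CAP_NET_RAW);
    printf("bounding-set drop: %s\n",
           rc == 0 ? "ok" : "failed (needs CAP_SETPCAP)");
    printf("CAP_SYS_ADMIN still in bounding set: %d\n",
           bounding_set_contains(CAP_SYS_ADMIN));
    rc = set_no_new_privs();
    printf("set_no_new_privs rc=%d, enabled=%d\n", rc, no_new_privs_enabled());
    return 0;
}
```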