Editor in Chief
Jelly Bean Improves Security for Android
Sometimes, whether it is deserved or not, Android has been labeled as less secure than some of the other Mobile operating systems. Still, throughout its revision history, Google has obviously been working hard to constantly improve things. Android 4.0/Ice Cream Sandwich was a pretty big improvement for Android, but the new Android 4.1/Jelly Bean takes things to a whole new level. Apparently, a security functionality called address space layout randomization (ASLR), was introduced in Ice Cream Sandwich, yet was not fully implemented. Jelly Bean supposedly changes that by activating the full randomization process. Here's a quote with additional details,
Everyday it seems like I hear something new about Jelly Bean just makes it that much more impressive. It's comforting that Google continues to evolve the security side of things with the little green robot.
According to the changelog we saw yesterday, the only mention of a security update was that "device encryption" has been made "more reliable". But, some digging by Duo Security has also been looking into the new support for ASLR, which is address space layout randomization. ASLR randomizes the memory locations for most of the data structures in Android. This randomization makes it far more difficult for hackers because it randomizes where potentially malicious code would be written. This combines with Android's existing data execution prevention to make it extremely difficult to load malicious code in Jelly Bean.
ASLR isn't exactly new to Android, as it did exist in ICS, but the problem was that in ICS the support didn't really use the "randomization" part of ASLR. Without the randomization, it's easy to know where code will be deployed, making for much more effective malicious code. Jelly Bean is the first Android update to support full ASLR.
07-17-2012 06:08 PM