July 19, 2012
Android’s Jelly Bean Beefs Up Security
Derek Walter for redOrbit.com - Your Universe Online
The newest version of Google´s Android operating system has substantially stepped up its security.In an analysis by security researcher Jon Oberheide, Jelly Bean (Android 4.1) has strengthened its vulnerability by more fully implementing a tool called Address Space Layout Randomization (ASLR)
This randomizes the locations of key pockets of data. For example, executables and libraries, which are critical areas for storing information, are less likely to be found if their location is often changing. While this security tool was available in Ice Cream Sandwich (Android 4.0) some pieces of data were not randomized.
Additionally, Data Execution Prevention (DEP) prevents a hacker from executing a piece of code in an area that is established to be non-executable.
A well-known hacker told Ars Technica that Jelly Bean will be difficult to hack.
"As long as there's anything that's not randomized, then it (ASLR) doesn't work, because as long as the attacker knows something is in the same spot, they can use that to break out of everything else," said Charlie Miller, a smartphone hacker and research consultant for security firm Accuvant. "Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it's going to be pretty difficult to write exploits for that."
While this is welcome news for Android users, it will take some time for this to make its way to the majority of handsets. Jelly Bean is currently only available for the Galaxy Nexus and Nexus 7. Users of non-Nexus Android phones are at the mercy of their device manufacturer and carrier for updates to Google´s mobile operating system.