Google’s latest Android OS, Jelly Bean, has come out and has brought with it a complete list of awesome features and smooth functions. The new OS is also supposed to be a tougher cookie for hackers and harder to install malware on. This makes Jelly Bean an OS that is well protected against information leakage, buffer overflows and memory vulnerabilities.
So far Jelly Bean is being touted as the most secure OS currently available, after iOS. Google has made sure the new OS beefs up the security of the smartphones and tablets it is installed on.
Jon Oberheide, a security research analyst, wrote, “Android has stepped its game up mitigation-wise in the new Jelly Bean release.”
Oberheide explains that the use of Address Space Layout Randomization (ASLR), which randomizes locations in the device’s memory, along with another security feature called data execution prevention (DEP), makes Jelly Bean better than the other Android versions, none of which use it fully. Together, ASLR and DEP keep hackers from predicting where their malicious code will be located in a device’s memory.
This is an important aspect of security because memory-corruption bugs are the favoured choice of hackers to get into handsets.
Besides the wondrous pairing of DEP and ASLR, Jelly Bean prevents information leakage, buffer overflows, and additional memory vulnerabilities.
Oberheide also added that, unlike iOS, Android does not include code signing, a protection against unauthorized applications running on the device.
Oberheide explained, “While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple’s iOS 6. One could claim that iOS is being proactive with such techniques, but in reality, they’re simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation by employing effective userspace mitigations such as NX, ASLR, and mandatory code signing.”
Ars Technica was the first to report this feature, and it writes in its report, “Although Android 4.0, aka Ice Cream Sandwich, was the first Android release to offer ASLR, the implementation was largely ineffective at mitigating real-world attacks. One of the chief reasons for the deficiency was Android’s executable region, heap, libraries, and linker were loaded at the same locations each time. This made it significantly easier for attackers designing exploits to predict where in memory their malicious code can be located.”
“As long as there’s anything that’s not randomized, then it (ASLR) doesn’t work, because as long as the attacker knows something is in the same spot, they can use that to break out of everything else,” Charlie Miller, a veteran smartphone hacker and principal research consultant at security firm Accuvant, told Ars. “Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it’s going to be pretty difficult to write exploits for that.”
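The point made in the reports above, that any region loaded at the same location each time undermines ASLR, can be checked by comparing the memory maps of two runs of the same program. The following is an added example, not code from the article or the people quoted; the `/proc/<pid>/maps` snapshots are constructed sample data (including the assumption that only the stack moved in the older layout), and the function names are hypothetical.

```python
# Constructed /proc/<pid>/maps snapshots (addresses and inodes are made up).
# "OLD" models the Android 4.0 layout described above; assumption: only the stack moves.
OLD_RUN_1 = """\
00008000-0000a000 r-xp 00000000 b3:09 1234 /system/bin/app_process
0000b000-0002c000 rw-p 00000000 00:00 0 [heap]
40001000-400f0000 r-xp 00000000 b3:09 2001 /system/lib/libc.so
b0001000-b0009000 r-xp 00000000 b3:09 1100 /system/bin/linker
be8a1000-be8c2000 rw-p 00000000 00:00 0 [stack]
"""
OLD_RUN_2 = OLD_RUN_1.replace("be8a1000-be8c2000", "bec13000-bec34000")
# "NEW" models full randomization: every region moves between runs.
NEW_RUN_1 = """\
2a01c000-2a01e000 r-xp 00000000 b3:09 1234 /system/bin/app_process
2b3f0000-2b411000 rw-p 00000000 00:00 0 [heap]
4012d000-4021c000 r-xp 00000000 b3:09 2001 /system/lib/libc.so
400a4000-400ac000 r-xp 00000000 b3:09 1100 /system/bin/linker
be8a1000-be8c2000 rw-p 00000000 00:00 0 [stack]
"""
NEW_RUN_2 = """\
2a6d7000-2a6d9000 r-xp 00000000 b3:09 1234 /system/bin/app_process
2c0b5000-2c0d6000 rw-p 00000000 00:00 0 [heap]
40213000-40302000 r-xp 00000000 b3:09 2001 /system/lib/libc.so
40051000-40059000 r-xp 00000000 b3:09 1100 /system/bin/linker
bec13000-bec34000 rw-p 00000000 00:00 0 [stack]
"""

def region_bases(maps_text):
    """Map each named region to its lowest start address in one snapshot."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range, perms, offset, dev, inode, name
        if len(fields) < 6:           # anonymous mapping without a name: skip
            continue
        start = int(fields[0].split("-")[0], 16)
        name = fields[5]
        bases[name] = min(start, bases.get(name, start))
    return bases

def fixed_regions(run_a, run_b):
    """Names of regions loaded at the same base address in both runs."""
    a, b = region_bases(run_a), region_bases(run_b)
    return sorted(n for n in a.keys() & b.keys() if a[n] == b[n])

if __name__ == "__main__":
    print("partial ASLR, fixed regions:", fixed_regions(OLD_RUN_1, OLD_RUN_2))
    print("full ASLR, fixed regions:   ", fixed_regions(NEW_RUN_1, NEW_RUN_2))
```

On a real device the two snapshots would come from reading `/proc/<pid>/maps` for two separate launches of the same binary; an empty result is what a fully randomized layout should produce.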