As Google gears up to release the next version of its mobile operating system, Android 4.1, code-named Jelly Bean, security experts aver that the operating system is well-bolstered against hacking and malware exploits.
An InformationWeek report has cited how security improvements in the latest Android, including the Address Space Layout Randomization (ASLR) feature, can foil any attempts from hackers.
The InformationWeek report cites an observation by Android security researcher Jon Oberheide, CTO of Duo Security, who has been tracking Google's Android ASLR efforts and other security enhancements in Android 4.1.
Though ASLR was introduced in Android 4.0, Oberheide found that it did not live up to expectations and was largely ineffective at mitigating real-world attacks. In 4.0, the feature failed to randomize large parts of memory.
How ASLR Fortifies Security
ASLR randomizes the memory locations of key areas in a process's address space: libraries, the stack, the heap and several other OS data structures. Combined with a defence mechanism known as Data Execution Prevention (DEP), which blocks code execution from non-executable memory regions, it makes life difficult for hackers who target memory corruption bugs in code. With the layout randomized, hackers find it difficult to identify where in memory their malicious payload will be loaded.
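As an added illustration (not code from the InformationWeek report or Oberheide's post), the following Python script compares two constructed /proc/<pid>/maps snapshots of the same program and lists the regions that ASLR left at a fixed address, along with any mapping that is both writable and executable. The paths and addresses are assumptions made up for the example.

```python
# Added example: compares two constructed /proc/<pid>/maps snapshots.
# Paths and addresses are made up for illustration, not taken from a device.
RUN_A = """\
00008000-0000a000 r-xp 00000000 b3:01 100 /system/bin/app
0001c000-0003d000 rw-p 00000000 00:00 0 [heap]
40093000-400d5000 r-xp 00000000 b3:01 200 /system/lib/libc.so
40200000-40201000 rwxp 00000000 00:00 0
b0001000-b0009000 r-xp 00000000 b3:01 300 /system/bin/linker
be8d2000-be8f3000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00008000-0000a000 r-xp 00000000 b3:01 100 /system/bin/app
0001c000-0003d000 rw-p 00000000 00:00 0 [heap]
4012a000-4016c000 r-xp 00000000 b3:01 200 /system/lib/libc.so
40310000-40311000 rwxp 00000000 00:00 0
b0001000-b0009000 r-xp 00000000 b3:01 300 /system/bin/linker
bef41000-bef62000 rw-p 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Yield (start_address, perms, name) for each mapping line."""
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        start = int(fields[0].split("-")[0], 16)
        name = fields[5].strip() if len(fields) > 5 else "[anon]"
        yield start, fields[1], name

def base_addresses(text):
    """Map each region name to the lowest address it is mapped at."""
    bases = {}
    for start, _perms, name in parse_maps(text):
        bases[name] = min(start, bases.get(name, start))
    return bases

def static_regions(run_a, run_b):
    """Regions with the same base in both runs: ASLR did not move them."""
    a, b = base_addresses(run_a), base_addresses(run_b)
    return sorted(name for name in a if b.get(name) == a[name])

def writable_and_executable(text):
    """Mappings that are writable and executable, where injected data could still run."""
    return [(hex(s), n) for s, p, n in parse_maps(text) if "w" in p and "x" in p]

if __name__ == "__main__":
    print("not randomized:", static_regions(RUN_A, RUN_B))
    print("W+X mappings:  ", writable_and_executable(RUN_A))
```

On a real system the two snapshots would come from separate launches of the same binary; any region reported as not randomized is a fixed address that partial ASLR leaves predictable.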
In the blog post, published July 16, Jon Oberheide examines the different versions of Android OS from the security perspective, highlights salient features of Jelly Bean and suggests a road map that Google may consider for further strengthening the security of the OS.
Charlie Miller, a veteran smartphone hacker and principal research consultant at security firm Accuvant, has told Ars Technica: "Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it's going to be pretty difficult to write exploits for that."
How iOS 6 Scores Over Android 4.1
While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques such as the in-kernel ASLR present in Apple iOS 6, Oberheide has observed in his blog post.
"One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation by employing effective userspace mitigations such as NX, ASLR, and mandatory code signing. Thankfully, Android is getting there, and Jelly Bean is a major step towards that goal," he adds.
Android smartphone users still have some catching up to do, though, as many continue to use handsets running Android 4.0 or the earlier version of the OS, Gingerbread.