The newest version of the Android mobile operating system includes a major security upgrade: address space layout randomization (ASLR), which gives users somewhat better protection against memory-corruption exploits.
The inclusion of ASLR in Android 4.0, also known as “Ice Cream Sandwich”, brings the security model of the operating system up a notch in relation to previous versions. Security researchers have criticized Android for its security shortcomings and have said that the security model offered by Apple’s iOS is more beneficial for users. The iPhone operating system has included ASLR and data execution protection (DEP) for some time now, and iOS also includes a sandbox to help prevent attackers from moving among various applications once they’ve compromised a device.
ASLR is designed to help prevent certain kinds of attacks by making it more difficult for attackers to know which components will be in which memory locations. The technology randomly arranges the positions of various components of a process, which makes it harder for attacks such as buffer overflows and other memory-corruption techniques to succeed. Both ASLR and DEP have been key technologies in desktop operating systems such as Windows Vista and Windows 7 to help prevent common attack techniques.
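One way to check what ASLR is actually randomizing is to compare the memory maps of two launches of the same program. The following is an added example, not code from the article or from Android: it parses Linux-style `/proc/<pid>/maps` text, and the two snapshots, the `demo` binary and the resulting fixed/randomized split are constructed sample data, not measurements of Android 4.0.

```python
import re

# Constructed /proc/<pid>/maps snapshots from two launches of one program
# (sample data made up for this example, not captured from a device).
RUN_A = """\
00008000-0000a000 r-xp 00000000 b3:02 1201 /system/bin/demo
0000a000-0000b000 rw-p 00002000 b3:02 1201 /system/bin/demo
0000b000-0002c000 rw-p 00000000 00:00 0 [heap]
4012d000-40170000 r-xp 00000000 b3:02 2310 /system/lib/libc.so
bea1c000-bea3d000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00008000-0000a000 r-xp 00000000 b3:02 1201 /system/bin/demo
0000a000-0000b000 rw-p 00002000 b3:02 1201 /system/bin/demo
0000b000-0002c000 rw-p 00000000 00:00 0 [heap]
400e1000-40124000 r-xp 00000000 b3:02 2310 /system/lib/libc.so
be8f4000-be915000 rw-p 00000000 00:00 0 [stack]
"""

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

def regions(maps_text):
    """Return {name: (lowest start address, has executable pages)}."""
    found = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group(3):
            continue  # skip malformed lines and anonymous mappings
        start, perms, name = int(m.group(1), 16), m.group(2), m.group(3)
        base, executable = found.get(name, (start, False))
        found[name] = (min(base, start), executable or "x" in perms)
    return found

def compare_runs(first, second):
    """Label each region seen in both runs as 'randomized' or 'fixed'."""
    a, b = regions(first), regions(second)
    return {n: "randomized" if a[n][0] != b[n][0] else "fixed"
            for n in sorted(a.keys() & b.keys())}

def fixed_executable(first, second):
    """Executable regions that did not move: predictable code addresses."""
    a = regions(first)
    return [n for n, state in compare_runs(first, second).items()
            if state == "fixed" and a[n][1]]

if __name__ == "__main__":
    for name, state in compare_runs(RUN_A, RUN_B).items():
        print(f"{name:28} {state}")
    print("fixed executable regions:", fixed_executable(RUN_A, RUN_B))
```

On a real system, feed it two saved copies of the maps file for the process under review; any executable region reported as fixed is one whose code addresses stay predictable across launches.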
In addition to the inclusion of ASLR, Android 4.0 also has improved management of user credentials.
“Android 4.0 makes it easier for applications to manage authentication and secure sessions. A new keychain API and underlying encrypted storage let applications store and retrieve private keys and their corresponding certificate chains. Any application can use the keychain API to install and store user certificates and CAs securely,” the Android 4.0 developer notes say.
The new mobile OS also includes an enhanced API for VPNs.
“Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPN client built into the platform that provides access to L2TP and IPSec protocols,” the notes say.