Security Gurus: Jelly Bean Is Super Chewy

The latest version of Google’s Android mobile operating system, Jelly Bean, is much harder to hack than its predecessors, according to research from Duo Security.

Google beefed up security for Jelly Bean significantly, said Jon Oberheide, security researcher at Duo. The OS will come with an updated address space layout randomization (ASLR), which randomizes memory on a device. That way, it’s more difficult for hackers to program a targeted malicious attack when attempting to exploit a device.

When ASLR is combined with data execution prevention (DEP), the pair make exploiting vulnerabilities based on memory corruption difficult.

Android’s 4.0 version of its mobile OS, Ice Cream Sandwich, was the first to launch with ASLR, but Oberheide said that it failed to live up to expectations and called it “largely ineffective for mitigating real-world attacks,” since hackers could pinpoint spots in a device’s memory where their malicious code could be located. These improvements are designed to make doing that nearly impossible.

Needed an Upgrade

Android’s ramped-up security measures were a step in the right direction, Oberheide said, although the platform still has areas of security it should address, such as strengthening its exploit mitigation mechanisms. Code signing support that more closely resembles that of Apple’s iOS is another thing he’d like to see. Android, he noted, has been playing a game of catch-up to get where it is, but other vulnerabilities still exist in the Android OS.

While the changes found in Android’s latest version buffer a device against targeted outsider attacks, rogue apps and malware are still a large part of security breaches within Android’s system, said Dan Rosenberg, security consultant at Virtual Security Research.

“Every piece of Android malware to date has not relied on exploitation of known or unknown vulnerabilities to gain access to a victim’s device, but has instead relied on the user to install the malware, often disguised as a legitimate application from the Android market,” he told LinuxInsider.

There are plenty of cyberattacks that can take sensitive data without using an exploit, said David Campbell, founder and principal consultant at Electric Alchemy, told LinuxInsider.

“You can have ASLR and DEP and all of that until the cows come home, but it doesn’t matter if someone can still target an executive with spearfishing attacks and read all their e-mails and have all their contact information,” he said. “

However, Google has made strides in addressing that type of cyberattack as well, said Rosenberg and Campbell. The company implemented Bouncer, an automated testing framework that is supposed to detect malware before an app gets published to the Andoird Market to help weed out rogue apps before they spread.

In addition, Android is working to make consumers more aware about every action they take on their device. One such addition is the elimination of the ‘Read Logs’ permission on Jelly Bean, which would have given an app the ability to read centralized system logs that could have contained data that rogue apps could exploit.

“Google’s biggest challenge is its inability to provide quality assurance in the app marketplace,” said Campbell. “So I’m excited by some of these recent improvements they’ve made in those areas.”

Don’t Hold Your Breath

While Android’s emphasis on security is likely to cut down on attacks, customers might not be able to reap the benefits for quite some time, said Rosenberg. Unlike a mobile system like Apple’s iOS, which runs on a single device and is upgraded periodically as new iPhones come out, Android’s system runs on multiple models, manufactured by multiple companies worldwide. That variation makes major OS upgrades more difficult to implement.

“The sum of these improvements definitely represents a step forward in the overall security posture of the Android platform, but in a way these changes also highlight another central problem,” he said. “The fragmentation of the Android ecosystem among dozens of carriers and manufacturers.”

Google’s new Nexus 7 tablet ships with Jelly Bean, though the company hasn’t released information about when the OS will be available on other consumer devices. Google has said it will release a version of the OS to developers this month, but it could still be months before other devices that run on the new system hit shelves. When it does, the improvements will be welcome, said Rosenberg, but customers shouldn’t hold their breaths.

“Because of this fragmentation, only about 10 percent of current Android devices run the previous latest version, Ice Cream Sandwich, so it’s reasonable to assume that it may be many months before most of these security enhancements actually reach users,” he said.