Berliner Str. 164
65205 Wiesbaden, de
Android KitKat Security: The Good, the Bad and the Downright Hilarious
1. SELinux set to Enforce Mode
SELinux is a kernel security module that has been in Linux for more than 10 years, but which was only integrated into Android in version 4.3. The mandatory access control module was developed by the NSA, and in the previous version of Android it was used only in permissive mode, for logging purposes. The new implementation runs SELinux in enforcing mode, which means that it is now able to prevent privilege escalation attacks such as an application gaining root privileges over the device, regardless of the application's permissions.
2. Crypto-stuff: Google Certificate Pinning and SSL CA Certificate Warnings
Following the Snowden-era disclosures, cryptography has become increasingly important for mobile users. These two new features introduced in Android 4.4 make sure that the digital certificates your device trusts are genuine and not substitutes. Long story short, if a digital certificate for a specific site has been fraudulently obtained, either by breaking into the CA or by just tricking it into issuing a new certificate on somebody else's behalf, Android will notify the user that the certificate's fingerprint does not match what Google has on record. This is a welcome mitigation against man-in-the-middle attacks, but it will also make SSL traffic scanning more difficult for security solutions running in enterprises.
3. FORTIFY_SOURCE against buffer overflow exploitation
Buffer overflows have been a great issue for basically every piece of code where programmers need to allocate memory by hand. KitKat is compiled with FORTIFY_SOURCE at level 2, which means that the compiler attempts to identify buffer overflow conditions at compile time. Take this with a grain of salt, though: if compilers could identify all buffer overflow conditions, the world would be a better place.
4. Per-User VPN
On tablets that are configured to be shared by multiple users, KitKat supports per-user VPN settings. This means that any user can configure a VPN and route his or her traffic through it. The downside is that, from what we see with the AOSP build, VPN settings are only available for the first tablet user, while other users have to do without VPN at all.
5. No more rootkits, no more rooting
Another notable change introduced in KitKat is a new kernel ability called device-mapper-verity, an anti-rootkit subsystem that prevents malware from exploiting. At the same time, because the integrity of the device's file system is verified at a low level via cryptography, rooting the phone becomes a thing of the past for most devices that come with a locked-down bootloader. This means that alternative ROMs such as CyanogenMod, Paranoid Android or others will have a hard time getting on devices other than developer or Nexus ones running stock Android.
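A simplified model of the hash-tree check behind this kind of block-level integrity verification, added here as an example that is not from the original article or from Android's code. The block size, salt placement, fan-out and sample image are constructed assumptions, and the real on-disk format is not reproduced.

```python
import hashlib
import hmac

BLOCK = 4096  # data block size assumed for this model

def digest(data: bytes, salt: bytes) -> bytes:
    """Salted SHA-256 of one block (salt placement is an assumption)."""
    return hashlib.sha256(salt + data).digest()

def build_tree(image: bytes, salt: bytes, fanout: int) -> list:
    """Hash every data block, then hash groups of `fanout` hashes until one root remains."""
    level = [digest(image[i:i + BLOCK].ljust(BLOCK, b"\0"), salt)
             for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        level = [digest(b"".join(level[i:i + fanout]), salt)
                 for i in range(0, len(level), fanout)]
        levels.append(level)
    return levels

def verify_block(block, index, levels, trusted_root, salt, fanout) -> bool:
    """Check one block read against the stored (untrusted) tree and the trusted root."""
    current = digest(block.ljust(BLOCK, b"\0"), salt)
    for level in levels[:-1]:
        # The stored hash must match what was just computed from the data below it.
        if not hmac.compare_digest(level[index], current):
            return False
        group = index // fanout
        current = digest(b"".join(level[group * fanout:(group + 1) * fanout]), salt)
        index = group
    # Only the root is trusted; in practice it would come from a signed source.
    return hmac.compare_digest(current, trusted_root)

# Constructed sample: a 16-block "system image" and a small fan-out to get 3 levels.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
FANOUT = 4
IMAGE = b"".join(bytes([i]) * BLOCK for i in range(16))
LEVELS = build_tree(IMAGE, SALT, FANOUT)
TRUSTED_ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    good = IMAGE[5 * BLOCK:6 * BLOCK]
    bad = b"\xff" + good[1:]  # one modified byte in block 5
    forged = build_tree(IMAGE[:5 * BLOCK] + bad + IMAGE[6 * BLOCK:], SALT, FANOUT)
    print("clean block:", verify_block(good, 5, LEVELS, TRUSTED_ROOT, SALT, FANOUT))
    print("modified block:", verify_block(bad, 5, LEVELS, TRUSTED_ROOT, SALT, FANOUT))
    print("modified block + rebuilt tree:",
          verify_block(bad, 5, forged, TRUSTED_ROOT, SALT, FANOUT))
```

The third case shows why the root hash has to be anchored outside the writable storage: a tree rebuilt to match modified data is internally consistent but still fails against the trusted root.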