Android Security Enhancements

This page catalogues how android security has evolved over various versions of android. We strive to catalogue which version introduced a specific security feature or tweaked it as well as which version fixed a specific flaw.

Android VersionSecurity EnhancementDetailsReference / Bypass (if applicable)
5.0Webview : de-coupled from core and OTA based upgradeWebView can now be updated independent of the framework and without a system OTA. This will allow for faster response to potential security issues in WebViewChrome developers G+ Post
WebView for android
5.0Fixed : SQL injection vulnerability in WAPPushManagerIn Android <5.0, a SQL injection vulnerability exists in the opt module WAPPushManager, attacker can remotely send malformed WAPPush message to launch any activity or service in the victim's phone (need permission check)Fixed commit
POC : CVE-2014-8507
5.0Fixed : Privilege Escalation using ObjectInputStreamIn Android <5.0, java.io.ObjectInputStream did not check whether the
Object that is being deserialized is actually serializable.
Fixed Commit
POC : CVE-2014-7911
5.0Fixed : SMS resend vulnerabilityApplications can send SMS without privilege leading to undesired cost to user or be used for data exfiltration Fixed commit
POC for CVE-2014-8610
5.0FORTIFY_SOURCE improvements Protection against memory-corruption vulnerabilities involving stpcpy(), stpncpy(), read(), recvfrom(), FD_CLR(), FD_SET(), and FD_ISSET() libc functions
5.0non-PIE linker support removedEnhancing Address Space Layout Randomization (ASLR) by requiring all dynamically linked executables to support PIE (Position-Independent Executables)
5.0Cryptography SSL/TLSTLSv1.1 & TLSv1.2 are enabled, Forward Secrecy preferred and disabled weak cipher suits (MD5, 3DES)SSL Socket Reference : Android Developer Site
5.0Guest mode & multiple profile supportGuest mode and support for multiple user profiles Easier for providing easy temporary access to the device
5.0Security Enhanced Linux (SELinux)SELinux Enforcing Mode is required for all applications on the device.
5.0Full Disk Encryption by DefaultDevices shipped with Lollipop will have full disk encryption at first boot, using a unique key.This feature can be turned off by Vendor's.
5.0Smart Lock (screen lock)Unlock your phone using Bluetooth pairing, NFC, Geofence (GPS Location) or simply your smile (Face unlock improvements)
4.4.4Block access to java.lang.Object.getClass in injected Java objectsThrows a java.lang.SecurityException on Browser UI thread when an attempt is
made to execute java.lang.Object.getClass from JavaScript code via an injected
Java object.
Refer : Chromium BugTrack entry
Chromium Issue entry
4.4.4Fix for OpenSSL man-in-the-middleCVE ID : CVE-2014-0224Refer : CVE 2014-0224 Entry
4.4.3Chrome Vulnerability Fix1. timing-based security attack in Chrome

2. fix for CVE-2014-1710
Chromium Bug Tracker Entry

Refer : CVE 2014-1710
4.4.3Lock screen Credentials set vulnerability fixAs per Changelog :
Bug: 9858403 : lock screen credential reset w/o previous credentials

The test asks the user to first set a lock screen password and then
launch an intent to change it, using an EXTRA that was not being properly
validated before the vulnerability was fixed.
reference : AOSP Code Commit entry
4.4.2Removal of the "App Ops" application permissions control systemApp Ops permission system which was available since 4.3 was removed completely from GUI in this releaseBypass : Functionality launcher etc can be restored by an Xposed framework module
4.4dm-veritytransparent integrity checking of block devices. dm-verity helps prevent persistent rootkits that can hold onto root privileges and compromise devices.
4.4SE_Linux => Enforced Modeall root domain binaries are working in enforced mode. remaining still work in permissive modeSE Linux Details
4.4FORTIFY_SOURCELevel 2 : full source code compiled with FORTIFY_SOURCE and clang support added.
4.4SSL CA Certificate WarningsWarns when any certificate is added to the device certificate storeBypass available already
4.3Restrict Setuid from Android AppsNo Zygote spanned process is allowed to execute setuid program. /system is mounted with nosetuid
Bypassed by Chainfire
4.3FORTIFY_SOURCEAndroid x86 and MIPS and fortified strchr(), strrchr(), strlen(), and umask() calls
4.3SE_Linux => Permissiveallows logging but doesn't restrict actions
4.3Trusted Platform Module (TPM) supportHardware backed storage for KeyChain making keys unavailable for extraction
4.2.2ADB AuthenticationPrevents unauthorised use of ADB by the use of RSA keypair for authentication
Android 4.3 Security Enhancement Announcement
4.2FORTIFY_SOURCELevel 1 : This is used by system libraries and applications to prevent memory corruption
4.2Application verificationuser can opt for client side bouncer instance and google can verify malacious applications before installation.
4.2Certificate Pinningif chain of certs doesn't match an error message is added.
4.2installd configinstalld runs as non root from start.
4.2ContentProvider securityby default contentprovider will be set to false for API <=17
4.2init configO_NOFOLLOW added to init to avoid symbolic link attacks.
4.2premium SMS notificationSMS to premium numbers now display a notification and only allow needing when explicitely accepted.
4.2SecureRandom implementationSecureRandom implementation based on OpenSSL, Bounty castle implementation removed.details here
4.2JavascriptInterface annotationJavascriptInterface needs to be annotated for webviewexploit possible for <4.2 devices. and applications using API < 17
Reference :
Metasploit Module
Test Page : identifies if browser or webview is vulnerable.
Additional Details
4.2CryptographySSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1
4.1PIE (Position Independent Executable) supportSupport for binaries compiled with GCC's -pie -fPIE flags
(executables to be position independent)
4.1Read-only relocations / immediate binding(-Wl,-z,relro -Wl,-z,now)
4.1kernel address leakage preventiondmesg_restrict and kptr_restrict enabledkptr_restrict mitigates Levitator Exploit
4.1ELF HardeningRELRO / BIND_NOW flag default. This hardens those binaries against attacks that may attempt to overwrite the GOT and other sensitive ELF structures by making them read-only at startup.breaks Gingerbreak Exploit
more details on RELRO here
4.1ASLR supportFull ASLR support
4.0.3Randomize Heap/brk mappingkernel.randomize_va_space is set to 2
4.0ASLR supportASLR support started appearing although not fully. Multiple flaws were present dynamic linker didn't had ASLR and many more outlined in reference linkASLR support review by duo security
3.0full filesystem encryptionFull disk encryption addedDetails on this archive link
2.3format string vulnerability protectionadded -Wformat-security -Werror=format-security
2.3code execution prevention on stack and heapHardware-based No eXecute (NX)
2.3null pointer dereference protectionmmap_min_addr
2.2Device AdministrationAndroid Device Administration API addedDevice Adminstration Guide
1.5Stack / buffer overrun protectionProPolice to prevent stack buffer overruns (-fstack-protector)Memory Management Enhancement : Old Archive link
1.5Integer overflow protectionsafe_iop
1.5Integer overflow memory allocationOpenBSD calloc
1.5chunk consolidation attackExtensions to OpenBSD dlmalloc() to prevent double free()

This page is an ongoing effort and we will try to maintain it in up to date condition to the best of our abilities.

Credits :

This list is aggregated by Anant Shrivastava and Prashant Mahajan. References where ever applicable are properly placed in the reference section.

Thanks to following folks for helping us with additional inputs.

Feel free to suggest corrections / additions in the list.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>