Android Security Enhancements

This page list’s security enhancements introduced in android updates

Android VersionSecurity EnhancementDetailsReference / Bypass (if applicable)
4.4.4Block access to java.lang.Object.getClass in injected Java objectsThrows a java.lang.SecurityException on Browser UI thread when an attempt is
made to execute java.lang.Object.getClass from JavaScript code via an injected
Java object.
Refer : Chromium BugTrack entry
Chromium Issue entry
4.4.4Fix for OpenSSL man-in-the-middleCVE ID : CVE-2014-0224Refer : CVE 2014-0224 Entry
4.4.3Chrome Vulnerability Fix1. timing-based security attack in Chrome

2. fix for CVE-2014-1710

Refer : CVE 2014-1710
4.4.3Lock screen Credentials set vulnerability fixAs per Changelog :
Bug: 9858403 : lock screen credential reset w/o previous credentials

The test asks the user to first set a lock screen password and then
launch an intent to change it, using an EXTRA that was not being properly
validated before the vulnerability was fixed.
reference : AOSP Code Commit entry
4.4.2Removal of the "App Ops" application permissions control systemApp Ops permission system which was available since 4.3 was removed completely from GUI in this releaseBypass : Functionality launcher etc can be restored by an Xposed framework module
4.4dm-veritytransparent integrity checking of block devices. dm-verity helps prevent persistent rootkits that can hold onto root privileges and compromise devices.
4.4SE_Linux => Enforced Modeall root domain binaries are working in enforced mode. remaining still work in permissive modeSE Linux Details
4.4FORTIFY_SOURCELevel 2 : full source code compiled with FORTIFY_SOURCE and clang support added.
4.4SSL CA Certificate WarningsWarns when any certificate is added to the device certificate storeBypass available already
4.3Restrict Setuid from Android AppsNo Zygote spanned process is allowed to execute setuid program. /system is mounted with nosetuid
Bypassed by Chainfire
4.3FORTIFY_SOURCEAndroid x86 and MIPS and fortified strchr(), strrchr(), strlen(), and umask() calls
4.3SE_Linux => Permissiveallows logging but doesn't restrict actions
4.3Trusted Platform Module (TPM) supportHardware backed storage for KeyChain making keys unavailable for extraction
4.2.2ADB AuthenticationPrevents unauthorised use of ADB by the use of RSA keypair for authentication
Android 4.3 Security Enhancement Announcement
4.2FORTIFY_SOURCELevel 1 : This is used by system libraries and applications to prevent memory corruption
4.2Application verificationuser can opt for client side bouncer instance and google can verify malacious applications before installation.
4.2Certificate Pinningif chain of certs doesn't match an error message is added.
4.2installd configinstalld runs as non root from start.
4.2ContentProvider securityby default contentprovider will be set to false for API <=17
4.2init configO_NOFOLLOW added to init to avoid symbolic link attacks.
4.2premium SMS notificationSMS to premium numbers now display a notification and only allow needing when explicitely accepted.
4.2SecureRandom implementationSecureRandom implementation based on OpenSSL, Bounty castle implementation removed.details here
4.2JavascriptInterface annotationJavascriptInterface needs to be annotated for webviewexploit possible for <4.2 devices. and applications using API < 17
Reference :
Metasploit Module
Test Page : identifies if browser or webview is vulnerable.
Additional Details
4.2CryptographySSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1
4.1PIE (Position Independent Executable) supportSupport for binaries compiled with GCC's -pie -fPIE flags
(executables to be position independent)
4.1Read-only relocations / immediate binding(-Wl,-z,relro -Wl,-z,now)
4.1kernel address leakage preventiondmesg_restrict and kptr_restrict enabledkptr_restrict mitigates Levitator Exploit
4.1ELF HardeningRELRO / BIND_NOW flag default. This hardens those binaries against attacks that may attempt to overwrite the GOT and other sensitive ELF structures by making them read-only at startup.breaks Gingerbreak Exploit
more details on RELRO here
4.1ASLR supportFull ASLR support
4.0.3Randomize Heap/brk mappingkernel.randomize_va_space is set to 2
4.0ASLR supportASLR support started appearing although not fully. Multiple flaws were present dynamic linker didn't had ASLR and many more outlined in reference linkASLR support review by duo security
3.0full filesystem encryptionFull disk encryption addedDetails on this archive link
2.3format string vulnerability protectionadded -Wformat-security -Werror=format-security
2.3code execution prevention on stack and heapHardware-based No eXecute (NX)
2.3null pointer dereference protectionmmap_min_addr
2.2Device AdministrationAndroid Device Administration API addedDevice Adminstration Guide
1.5Stack / buffer overrun protectionProPolice to prevent stack buffer overruns (-fstack-protector)Memory Management Enhancement : Old Archive link
1.5Integer overflow protectionsafe_iop
1.5Integer overflow memory allocationOpenBSD calloc
1.5chunk consolidation attackExtensions to OpenBSD dlmalloc() to prevent double free()

This page is an ongoing effort and we will try to maintain it in up to date condition to the best of our abilities.

Credits :

This list is aggregated by Anant Shrivastava and Prashant Mahajan. References where ever applicable are properly placed in the reference section.

Thanks to following folks for helping us with additional inputs.

Feel free to suggest corrections / additions or updations in the list.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>