1 page.title=Security Enhancements in Android 4.2 2 @jd:body 3 4 <p> 5 Android provides a multi-layered security model described in the <a href="{@docRoot}devices/tech/security/index.html">Android 6 Security Overview</a>. Each update to Android includes dozens of 7 security enhancements to protect users. The following are some of the security 8 enhancements introduced in Android 4.2:</p> 9 10 <ul> 11 <li><strong>Application verification</strong> - Users can choose to enable Verify Apps" and 12 have applications screened by an application verifier, prior to installation. 13 App verification can alert the user if they try to install an app that might be 14 harmful; if an application is especially bad, it can block installation.</li> 15 <li><strong>More control of premium SMS</strong> - Android will provide a notification if an 16 application attempts to send SMS to a short code that uses premium services 17 which might cause additional charges. The user can choose whether to allow the 18 application to send the message or block it.</li> 19 20 <li><strong>Always-on VPN</strong> - VPN can be configured so that applications will not have 21 access to the network until a VPN connection is established. This prevents 22 applications from sending data across other networks.</li> 23 24 <li><strong>Certificate Pinning</strong> - The Android core libraries now support 25 <a href="https://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html">certificate pinning</a>. 26 Pinned domains will receive a certificate validation 27 failure if the certificate does not chain to a set of expected certificates. 28 This protects against possible compromise of Certificate Authorities.</li> 29 30 <li><strong>Improved display of Android permissions</strong> - Permissions have been organized 31 into groups that are more easily understood by users. During review of the 32 permissions, the user can click on the permission to see more detailed 33 information about the permission.</li> 34 35 <li><strong>installd hardening</strong> - The <code>installd</code> daemon does not run as the root user, 36 reducing potential attack surface for root privilege escalation.</li> 37 38 <li><strong>init script hardening</strong> - init scripts now apply <code>O_NOFOLLOW</code> semantics to 39 prevent symlink related attacks.</li> 40 41 <li><strong>FORTIFY_SOURCE</strong> - Android now implements <code>FORTIFY_SOURCE</code>. This is used by 42 system libraries and applications to prevent memory corruption.</li> 43 44 <li><strong>ContentProvider default configuration</strong> - Applications which target API 45 level 17 will have "export" set to "false" by default for each 46 <a href="https://developer.android.com/reference/android/content/ContentProvider.html">Content 47 Provider</a>, reducing default attack surface for applications.</li> 48 49 <li><strong>Cryptography</strong> - Modified the default implementations of SecureRandom and 50 Cipher.RSA to use OpenSSL. Added SSL Socket support for TLSv1.1 and TLSv1.2 51 using OpenSSL 1.0.1</li> 52 53 <li><strong>Security Fixes</strong> - Upgraded open source libraries with security fixes include 54 WebKit, libpng, OpenSSL, and LibXML. Android 4.2 also includes fixes for 55 Android-specific vulnerabilities. Information about these vulnerabilities has 56 been provided to Open Handset Alliance members and fixes are available in 57 Android Open Source Project. To improve security, some devices with earlier 58 versions of Android may also include these fixes.</li> 59 60 </ul>
