<html devsite>
<head>
<title>Security Enhancements in Android 4.2</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
    Copyright 2017 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->

<p>
Android provides a multi-layered security model described in the <a href="/security/index.html">Android
Security Overview</a>. Each update to Android includes dozens of
security enhancements to protect users. The following are some of the security
enhancements introduced in Android 4.2:</p>

<ul>
<li><strong>Application verification</strong> - Users can choose to enable "Verify Apps" and
have applications screened by an application verifier prior to installation.
App verification can alert the user if they try to install an app that might be
harmful; if an application is especially bad, it can block installation.</li>

<li><strong>More control of premium SMS</strong> - Android will provide a notification if an
application attempts to send SMS to a short code that uses premium services
which might cause additional charges. The user can choose whether to allow the
application to send the message or block it.</li>

<li><strong>Always-on VPN</strong> - VPN can be configured so that applications will not have
access to the network until a VPN connection is established.
This prevents
applications from sending data across other networks.</li>

<li><strong>Certificate Pinning</strong> - The Android core libraries now support
<a href="https://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html">certificate pinning</a>.
Pinned domains will receive a certificate validation
failure if the certificate does not chain to a set of expected certificates.
This protects against possible compromise of Certificate Authorities.</li>

<li><strong>Improved display of Android permissions</strong> - Permissions have been organized
into groups that are more easily understood by users. During review of the
permissions, the user can click on the permission to see more detailed
information about the permission.</li>

<li><strong>installd hardening</strong> - The <code>installd</code> daemon does not run as the root user,
reducing potential attack surface for root privilege escalation.</li>

<li><strong>init script hardening</strong> - init scripts now apply <code>O_NOFOLLOW</code> semantics to
prevent symlink-related attacks.</li>

<li><strong>FORTIFY_SOURCE</strong> - Android now implements <code>FORTIFY_SOURCE</code>. This is used by
system libraries and applications to prevent memory corruption.</li>

<li><strong>ContentProvider default configuration</strong> - Applications which target API
level 17 will have "export" set to "false" by default for each
<a href="https://developer.android.com/reference/android/content/ContentProvider.html">Content
Provider</a>, reducing default attack surface for applications.</li>

<li><strong>Cryptography</strong> - Modified the default implementations of SecureRandom and
Cipher.RSA to use OpenSSL.
Added SSL Socket support for TLSv1.1 and TLSv1.2
using OpenSSL 1.0.1.</li>

<li><strong>Security Fixes</strong> - Upgraded open source libraries with security fixes include
WebKit, libpng, OpenSSL, and LibXML. Android 4.2 also includes fixes for
Android-specific vulnerabilities. Information about these vulnerabilities has
been provided to Open Handset Alliance members and fixes are available in
the Android Open Source Project. To improve security, some devices with earlier
versions of Android may also include these fixes.</li>

</ul>

</body>
</html>