<html devsite>
<head>
<title>Security Enhancements in Android 4.3</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>
Every Android release includes dozens of security enhancements to protect
users. The following are some of the security enhancements available
in Android 4.3:
</p>

<ul>
<li><strong>Android sandbox reinforced with SELinux.</strong>
This release strengthens the Android sandbox using the SELinux
mandatory access control (MAC) system in the Linux kernel. SELinux
reinforcement is invisible to users and developers, and adds robustness
to the existing Android security model while maintaining compatibility
with existing applications. To ensure continued compatibility, this release
allows the use of SELinux in permissive mode. This mode logs any policy
violations but does not break applications or affect system behavior.</li>

<li><strong>No setuid/setgid programs.</strong>
Added support for filesystem capabilities
to Android system files and removed all setuid/setgid programs.
This reduces the root attack surface and the likelihood of potential security
vulnerabilities.</li>

<li><strong>ADB Authentication.</strong>
Since Android 4.2.2, connections to ADB are
authenticated with an RSA keypair. This prevents unauthorized use of
ADB where the attacker has physical access to a device.</li>

<li><strong>Restrict Setuid from Android Apps.</strong>
The /system partition is now mounted
nosuid for zygote-spawned processes, preventing Android applications
from executing setuid programs. This reduces the root attack surface and
the likelihood of potential security vulnerabilities.</li>

<li><strong>Capability bounding.</strong>
Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop
unnecessary capabilities prior to executing applications.
This prevents Android applications and applications launched from
the shell from acquiring privileged capabilities.</li>

<li><strong>AndroidKeyStore Provider.</strong>
Android now has a keystore provider that allows
applications to create exclusive-use keys. This provides applications
with an API to create or store private keys that cannot be used by
other applications.</li>

<li><strong>KeyChain isBoundKeyAlgorithm.</strong>
The KeyChain API now provides a method
(isBoundKeyType) that allows applications to confirm that system-wide keys
are bound to a hardware root of trust for the device. This provides
a place to create or store private keys that cannot be exported off the
device, even in the event of a root compromise.</li>

<li><strong>NO_NEW_PRIVS.</strong>
Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block the addition
of new privileges prior to executing application code. This
prevents Android applications from performing operations that could
elevate privileges via execve.
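<p>As an added example (not AOSP code), the following C program issues the two prctl() calls the Capability bounding and NO_NEW_PRIVS items describe against the calling process and then reads the result back; the helper names and the choice of CAP_NET_BIND_SERVICE as the one capability to keep are this example's own.</p>

```c
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Added example, not AOSP code: the prctl() calls zygote issues before running
 * app code, applied to the calling process so their effect can be checked. */

/* 1 if cap is still in the capability bounding set, 0 if not, -1 on error. */
int cap_in_bounding_set(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Drop every capability from the bounding set except the bits set in keep_mask.
 * Returns the number dropped, or -1 on an unexpected error. Dropping needs
 * CAP_SETPCAP; without it the kernel answers EPERM, which is reported through
 * *eperm rather than treated as a failure. */
int drop_bounding_caps_except(unsigned long long keep_mask, int *eperm) {
    int dropped = 0;
    *eperm = 0;
    for (int cap = 0; ; cap++) {
        int present = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (present == -1) {
            if (errno == EINVAL) break;  /* past the highest cap this kernel knows */
            return -1;
        }
        if (!present || (keep_mask & (1ULL << cap))) continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1) {
            if (errno == EPERM) { *eperm = 1; return dropped; }
            return -1;
        }
        dropped++;
    }
    return dropped;
}

/* no_new_privs is inherited by children and can never be cleared, so a later
 * execve() of a setuid/setgid or file-capability binary cannot gain privilege.
 * Returns 0 on success; needs Linux 3.5 or newer. */
int set_no_new_privs(void) { return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); }
int no_new_privs_enabled(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

int main(void) {
    int eperm;  /* keep only CAP_NET_BIND_SERVICE, an arbitrary choice for the demo */
    int dropped = drop_bounding_caps_except(1ULL << CAP_NET_BIND_SERVICE, &eperm);
    printf("dropped %d caps%s; CAP_SYS_ADMIN still in bounding set: %d\n", dropped,
           eperm ? " (stopped: no CAP_SETPCAP)" : "", cap_in_bounding_set(CAP_SYS_ADMIN));
    set_no_new_privs();
    printf("no_new_privs: %d\n", no_new_privs_enabled());  /* 1 */
    return 0;
}
```

<p>Run it twice, once as root and once unprivileged, to see the EPERM path: the bounding-set drop needs CAP_SETPCAP, while no_new_privs can be set by any process.</p>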
(This requires Linux kernel version 3.5 or greater.)</li>

<li><strong>FORTIFY_SOURCE enhancements.</strong>
Enabled FORTIFY_SOURCE on Android x86 and MIPS
and fortified strchr(), strrchr(), strlen(), and umask() calls. This
can detect potential memory corruption vulnerabilities or unterminated
string constants.</li>

<li><strong>Relocation protections.</strong>
Enabled read-only relocations (relro) for
statically linked executables and removed all text relocations in Android
code. This provides defense in depth against potential memory corruption
vulnerabilities.</li>

<li><strong>Improved EntropyMixer.</strong>
EntropyMixer now writes entropy at shutdown/reboot,
in addition to periodic mixing. This allows retention of all
entropy generated while devices are powered on, and is especially useful
for devices that are rebooted immediately after provisioning.</li>

<li><strong>Security Fixes.</strong>
Android 4.3 also includes fixes for Android-specific
vulnerabilities. Information about these vulnerabilities has been provided
to Open Handset Alliance members, and fixes are available in the Android Open
Source Project. To improve security, some devices with earlier versions
of Android may also include these fixes.</li>
</ul>

</body>
</html>