A report released by popular security researcher Jon Oberheide has branded the latest version of Google’s operating system, Android 4.1 (better known as Jelly Bean), as the most secure version of the Android operating system yet. Google will be rolling out Jelly Bean as the successor to Ice Cream Sandwich (Android 4.0) this month. The new version of the OS implements address space layout randomization (ASLR). ASLR will make matters very difficult for malware authors and hackers: because the memory mappings of each OS process are randomized, a vulnerability is less likely to be exploitable, as attackers are left guessing which memory addresses their payloads should target.
The combination of ASLR and data execution prevention (which is also built into the Jelly Bean framework) has made Android’s security robust and made it one of the most secure operating systems in the contemporary world. According to Oberheide, even though Ice Cream Sandwich was the first Android version to make use of ASLR, there weren’t many real-world attacks it was able to defend against. He asserted that the same won’t be the case with Jelly Bean. The failure of ASLR in ICS was mainly attributed to the executable mapping in the process address space, which wasn’t randomized. As a result, there was an increased possibility of ROP-style attacks. The same won’t apply to Jelly Bean, as the majority of binaries will be compiled with the PIE flag, which ensures that the executable mapping is properly randomized at runtime.
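The two properties discussed above, PIE and data execution prevention, can be checked from a binary’s ELF headers. The following is an added example, not code from Oberheide’s report or from Android; it assumes a relocatable image is marked `ET_DYN` and that stack permissions are recorded in a `PT_GNU_STACK` program header, and `audit_elf` and `sample_elf32` are hypothetical names operating on constructed sample images.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                 # e_type values from the ELF specification
PT_GNU_STACK, PF_X = 0x6474E551, 0x1   # GNU stack-permission header, execute bit

def audit_elf(data: bytes) -> dict:
    """Report whether an ELF image is relocatable (PIE) and has a non-executable stack."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_at = 4                          # p_flags follows p_type in Elf64_Phdr
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_at = 24                         # p_flags is the seventh word of Elf32_Phdr
    nx_stack = False          # assumption: a missing PT_GNU_STACK counts as not enforced
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_at + 4 > len(data):
            raise ValueError("truncated program header table")
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", data, base + flags_at)
            nx_stack = not (p_flags & PF_X)
    # ET_DYN also marks shared libraries: "pie" means the loader may pick the base address.
    return {"pie": e_type == ET_DYN, "fixed_base": e_type == ET_EXEC, "nx_stack": nx_stack}

def sample_elf32(e_type: int, stack_flags: int) -> bytes:
    """Constructed 32-bit little-endian ARM image: ELF header plus one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0)
    return ehdr + phdr

if __name__ == "__main__":
    print("PIE build, RW stack:   ", audit_elf(sample_elf32(ET_DYN, 0x6)))
    print("fixed-base, RWX stack: ", audit_elf(sample_elf32(ET_EXEC, 0x7)))
```

A binary reported with `fixed_base` true is loaded at the same address on every run, which is the non-randomized executable mapping the report describes for Ice Cream Sandwich.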
Oberheide further added that other pieces of the ASLR puzzle weren’t implemented properly in Ice Cream Sandwich, but have been completely built into Jelly Bean. This will give it a full ASLR implementation with several other added advantages. Furthermore, defences against stray or harmful code execution would be stronger and information leakage would be at a bare minimum. However, Oberheide wasn’t all praise for Google’s latest update, as he pointed out several weaknesses in the 32-bit ASLR that Google will use in Jelly Bean. He said that Apple’s iOS 6 operating system (the beta version of which has been released) has an even more secure form of a similar technology, called in-kernel ASLR. This is expected to become a gold standard for mobile operating systems in the future. He added that Apple was only reactive (and not proactive) to the many exploits that target the iOS platform. Android may still be a shade behind the iOS platform, but the fight for mobile monopoly has become very interesting, especially after the outside threat of the Windows Mobile platform.