UPDATED 19:45 EDT / NOVEMBER 08 2013


Security developments on Android KitKat mean more enterprise and more stability

Android KitKat has been out well over a week now (in production on the Nexus 5) and for those that are running it, the new operating system is packed with many new features.  Less obvious to most however are a bunch of security features that are meant for the enterprise, for better security than was ever possible before.  A list of the new features and details are available over at the Android developer site, they include such things as enhanced sandboxing, certificate pinning and boot verification.  Bogdan Botezatu, Senior E-Threat Analyst from the computer security software company Bit Defender produced some very interesting findings in some research done at the Bit Defender labs.

The top new Android KitKat security features:


Among the most interesting things uncovered in the findings:

Rooting phones is gone

A new kernel ability called device-mapper-verity makes rooting the phone a thing of the past.  Android KitKat also utilizes a kernel security module called SELinux, which was developed by the NSA, is now able to prevent privilege escalation attacks such as an application gaining root privileges over the device, regardless of the application’s permissions. The phone modification scene is a rather widespread hobby, with custom ROMs, custom software, overclocking and a whole bunch of other things that hobbyists do on their phones that they’re not supposed to.  While we’ve seen root-prevention methods out there before, they have largely been inevitably defeated.  As Botezatu summarizes:

Another notable change introduced in KitKat is a new kernel ability called device-mapper-verity, an anti-rootkit subsystem system that prevents malware from exploiting. At the same time, by verifying the integrity of the device’s file system at a low level via cryptography, rooting the phone becomes a thing of the past for most devices that come with a locked-down bootloader. This means that alternative ROMs such as CyanogenMod, Paranoid Android or others will have a hard time getting on devices other than developer or Nexus ones running stock Android.

Malware root-elevation will be difficult

Preventing root-level malware to ever take hold is a great security feature, but there will be some frustrated by not being able to get complete control of their own phone.   SELinux was present in prior Android versions, but only there for logging purposes, in KitKat, the “Enforce Mode” has been set in order to prevent privilege escalation attacks.

Cryptography features

Cryptography features have stepped up big on KitKat, with some interesting new features that help prevent man-in-the-middle attacks but will make traffic-scanning SSL more difficult, particularly in enterprise situations.  KitKat has introduced Google Certificate Pinning and SSL CA Certificate warnings.  The new features mean that a better level of assurance of device digital certificates can be achieved and that there’s a notification system that tells the user when there has been a potential substitution in the digital certificate chain.  By matching certificate fingerprints versus what Google has on record, the certificate pinning feature maintains certificate integrity through this validation process.

Buffer overflow detection

Another welcome security feature is the FORTIFY_SOURCE again buffer overflow exploitation.  KitKat basically is able to identify conditions of a buffer overflow within the compiler.   While this may not prevent every possible buffer overflow condition, the elevation of security at this level means buffer overflow attempts at re-allocating memory will be much more difficult.

Per-User VPN for shared devices

The last main feature is one that is very much enterprise-friendly, particularly in shared situations.  Per-user VPN settings have been introduced, which means that each user that is using a shared device can have different VPN settings, including account info and so forth.   However, it is noted by Botezatu that:

..from what we see with the AOSP (Android Open Source Project) build – VPN settings are only available for the first tablet user, while other users have to do without VPN at all.

Missing security feature

Bit Defender’s position also points out one security feature that didn’t make the cut apparently:

Back in Android 4.3 Android introduced a feature that was supposed to let users individually deny or allow permissions for every application installed on the device. The feature, buried inside an activity called App Ops was something both average users and security companies have been demanding for years and it would have been for sure nice to have it introduced in KitKat. However, the activity has been completely removed from the code.

The report also pointed out another key element:

Google Now integration is another key point for Google. In Android 4.4, the service can be invoked by simply calling “OK Google” when the phone is awake, unlocked and on any of the home screens. While this feature is a great selling point in terms of usability and offers an extra layer of interactivity, the phone cannot tell whose voice is passing orders, so chances are that someone in your proximity could order your phone to do various tasks after invoking Google Now.

Android continues to evolve, and they are maturing quite a bit in the demands of the enterprise space with better security with each release.  It’s a track that iOS7 has followed as well, which was long-awaited and a welcome progression.  Android however is on a path towards mobile OS domination, a position they currently hold by a very large margin, and as they move deeper into the realm of enterprise, they have clearly implemented a strategy that is incorporating security features that make the mobile OS as flexible, stable and secure as possible. Android is not letting go of this market dominance any time soon, and the development is a key indicator of that.

photo credit: Nestlé via photopin cc

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.