Google announced earlier today here at the Google I/O 2012 event, the arrival of Android 4.1 (Jelly Bean). At the time of writing it isn’t known which Android devices will be getting Android 4.1. Here are two security features that I picked up that Google is hoping developers will incorporate into their 4.1 app development cycle.
The first security improvement involves something called READ_EXTERNAL_STORAGE permission. This is a new permission that will be required in a future release for apps that want to read the contents of the SD card. Up to now, anybody could read the SD card. It’s not enforced in Jelly Bean unless you turn on a special developer option. Google strongly encourages all developers whose apps read from the SD card should include this permission right away.
The introduction of SD card permission control is welcome, but does this mean yet another pop up message to remind us an app is about to read the SD card? Also, why isn’t Google enforcing this change on developers?
The second security improvement concerns app anti-privacy measures. Starting in JellyBean, apps will be encrypted with a device-specific key (no idea as yet on what encryption level they will be using – tokenless probably not) so they can’t simply be copied and uploaded to the Internet. Google is hoping this will stop the security problem of app piggybacking. To reduce the piggyback app threat very much depends on whether Google takes a more proactive stance when it comes to reviewing and code signing apps. Right now, it’s uncertain whether Google has any plans to do this.
Safe surfing folks!