This is a brief security and privacy analysis of vanilla Android 4.3 running on a Samsung Galaxy Nexus and an Asus Nexus 7. Both devices are non-rooted and were upgraded from 4.2.x early last week. Here is a high-level review:
- SELinux – the Android sandbox now includes SELinux in the Linux kernel, adding Mandatory Access Control (MAC) on top of the existing UID-based (discretionary) app sandbox. Policy places each process in a domain and dictates which files, sockets and other resources that domain may touch, so different levels of trust can be given to different apps and system daemons, and a compromised process stays confined to its domain. Caveat: on 4.3 SELinux runs in permissive mode by default, which means violations are only logged (as "avc: denied" lines in the kernel log) and nothing is actually blocked; getenforce from an adb shell will report Permissive. Separately, 4.3 also brings a more robust way of storing cryptographic credentials – sensitive data and resources* (see below). Note: in order to get SELinux into enforcing mode on Android 4.3 we would have to *compile*
- *Android KeyChain API – stores digital credentials (certificates and private keys) used to access Wi-Fi networks and VPNs. With a software-only keystore, rooting the device could expose this data. In 4.3, on devices with the hardware support, system-wide keys are bound to a hardware-based root of trust, so they can be used on the device but not copied off it even with root; KeyChain.isBoundKeyAlgorithm() lets an app check whether that holds for a given key algorithm. Carrier and OEM developers can provision private keys that likewise cannot be copied off the device.
HARDWARE SECURITY: a secure element or a TEE (the handset equivalent of a TPM) holding the key material would stop keychain keys from being read or rewritten from the main OS, root or not. Trustonic springs to mind here.
- Android Keystore – also stores credentials, but for individual apps: an app can create keys that only it (that is, only its own Linux UID) can access and use. 4.3 allows an app to create and store private keys that cannot be seen or used by other apps, and these keys can be added to the keystore without any user interaction. The keystore daemon performs signing on the app's behalf, so the private key bytes need never sit in the app's own memory.
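As an added example (not code from the original post, and not Google's own sample), this is how an app on Android 4.3 (API 18) creates an app-private RSA key in the system keystore, signs with it, and asks whether keys on this device are hardware-bound. The alias name and the one-year validity are assumed values; nothing here prompts the user.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;

import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;

import javax.security.auth.x500.X500Principal;

// Added example (not from the original post): an app creates an RSA key that
// lives in the Android 4.3 system keystore under the app's own UID. Other apps
// cannot see or use it, and no user interaction is needed.
public class AppPrivateKeyExample {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "example-signing-key"; // assumed alias

    // Creates the key pair on first use and returns a handle to the private key.
    public static PrivateKey getOrCreateKey(Context ctx) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null); // the system keystore has no file or password to load

        if (!ks.containsAlias(ALIAS)) {
            Calendar start = Calendar.getInstance();
            Calendar end = Calendar.getInstance();
            end.add(Calendar.YEAR, 1); // assumed validity period

            // The keystore wraps the key in a self-signed certificate; these
            // fields are mandatory on API 18.
            KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                    .setAlias(ALIAS)
                    .setSubject(new X500Principal("CN=" + ALIAS))
                    .setSerialNumber(BigInteger.ONE)
                    .setStartDate(start.getTime())
                    .setEndDate(end.getTime())
                    .build();

            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", KEYSTORE);
            gen.initialize(spec);
            gen.generateKeyPair(); // key material is created inside the keystore, not the app
        }

        KeyStore.PrivateKeyEntry entry =
                (KeyStore.PrivateKeyEntry) ks.getEntry(ALIAS, null);
        return entry.getPrivateKey();
    }

    // Signs data with the stored key. The returned PrivateKey is only a handle;
    // the keystore daemon (or secure hardware, where present) does the RSA work.
    public static byte[] sign(Context ctx, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(getOrCreateKey(ctx));
        sig.update(data);
        return sig.sign();
    }

    // True when RSA keys on this device are bound to hardware. When false the
    // keystore still isolates keys per UID, but an attacker with root could
    // read the key material from the keystore's storage.
    public static boolean isHardwareBacked() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }
}
```

The spec builder also has setEncryptionRequired(), which makes the key usable only while the device has a lock screen set and is unlocked; it is left out above so the example works on a device without a PIN, but it is the setting to turn on for anything sensitive.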
- Create secondary restricted profiles (tablets only, so the Nexus 7 here) – each profile is an isolated space with its own local storage, home screen, widgets and settings, and the owner controls which apps it may use. Access to the owner's accounts is disabled by default. Linux underneath has always been multi-user (every app already runs as its own UID); it is Android that, until 4.2, presented a single human user per device, and 4.3 extends the 4.2 multi-user support with these restricted profiles.
- Configure Wi-Fi credentials for WPA2-Enterprise access points (802.1X, using the Extensible Authentication Protocol). New APIs have been added to let apps join such APs and set the EAP method and the Phase 2 (inner) authentication method. This is an important security enhancement, with one caveat for anyone using it: the configuration should also pin the authentication server's CA certificate, otherwise the device will run the inner authentication against any rogue AP broadcasting the same SSID and hand over material for an offline password attack.
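As an added example (not code from the original post, and not Google's sample), this shows the new WifiEnterpriseConfig API for a PEAP/MSCHAPv2 network, with the weak configuration beside the pinned one. The SSID, identity, server subject and CA certificate are assumed values; the app needs ACCESS_WIFI_STATE and CHANGE_WIFI_STATE.

```java
import android.content.Context;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;

import java.io.ByteArrayInputStream;
import java.nio.charset.Charset;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (not from the original post): joining a WPA2-Enterprise
// (PEAP with MSCHAPv2 inside) network through the Android 4.3 API.
public class EnterpriseWifiExample {

    // Weak form: EAP method and credentials only. With no CA certificate set,
    // the supplicant builds the PEAP tunnel to whatever server answers, so a
    // rogue AP with the right SSID captures the MSCHAPv2 exchange.
    public static WifiEnterpriseConfig unpinnedConfig(String identity, String password) {
        WifiEnterpriseConfig eap = new WifiEnterpriseConfig();
        eap.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);
        eap.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        eap.setIdentity(identity);
        eap.setPassword(password);
        return eap;
    }

    // Hardened form: same credentials plus the CA that issued the RADIUS
    // server's certificate and the subject that certificate must carry.
    public static WifiEnterpriseConfig pinnedConfig(String identity, String password,
                                                    X509Certificate serverCa,
                                                    String serverSubjectMatch) {
        WifiEnterpriseConfig eap = unpinnedConfig(identity, password);
        eap.setCaCertificate(serverCa);
        eap.setSubjectMatch(serverSubjectMatch); // e.g. "CN=radius.example.org" (assumed)
        return eap;
    }

    // Parses a PEM-encoded CA certificate, for example one shipped in assets/.
    public static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(Charset.forName("US-ASCII"))));
    }

    // Registers the network and asks the framework to connect to it.
    // Returns the network id, or -1 if WifiManager rejected the configuration.
    public static int addNetwork(Context ctx, String ssid, WifiEnterpriseConfig eap) {
        WifiConfiguration cfg = new WifiConfiguration();
        cfg.SSID = "\"" + ssid + "\""; // the framework expects the SSID quoted
        cfg.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        cfg.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
        cfg.enterpriseConfig = eap;

        WifiManager wm = (WifiManager) ctx.getSystemService(Context.WIFI_SERVICE);
        int id = wm.addNetwork(cfg);
        if (id != -1) {
            wm.enableNetwork(id, true);
        }
        return id;
    }
}
```

Only pinnedConfig() should ever reach addNetwork() in production; unpinnedConfig() is there to show what the API lets you get away with, and it is the shape most hand-typed enterprise configurations end up in.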
- **Scanning always available – Google has also tucked away an advanced Wi-Fi setting (Wi-Fi > Advanced > "Scanning always available") that lets Google's location service and other apps scan for networks even when Wi-Fi is switched off. That is the privacy issue for some: the radio keeps reporting nearby access points although Wi-Fi appears to be off. Note: the Galaxy Nexus didn't have this enabled by default when we upgraded from 4.2 last week, but the Nexus 7 did. Google is most likely using it to collect information on Wi-Fi hotspots for location data, building a map of hotspot name (SSID)* locations, and to conserve battery by letting apps get a location fix from a Wi-Fi scan rather than GPS; Wi-Fi left fully on is battery hungry. **Most likely has something to do with the Fused Location Provider and activity recognition.
- Android now mounts /system "nosuid" for zygote-spawned processes only. At boot, init starts the system daemons (adbd, vold and so on); once they are up it launches zygote, which starts the Dalvik VM and forks every app process from itself. The nosuid remount happens in zygote's mount namespace, so it applies to every app but not to the daemons init started. This stops apps from executing setuid programs and reduces the chances of a malicious app gaining superuser/root privileges through a setuid binary. Root tools adapted quickly: instead of relying on a setuid su binary, they have init start an su daemon outside zygote's namespace and the su client talks to that daemon.
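As an added example (not code from the original post), this is a posture check an app or audit tool can run on a 4.3 device to confirm the two kernel-level points above: whether SELinux is actually enforcing, and whether /system is nosuid for the calling process. The file paths follow the AOSP 4.3 layout (selinuxfs on /sys/fs/selinux), and the mount table lines in main() are constructed for illustration.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not from the original post): checks the SELinux mode and the
// nosuid flag on /system as seen by the process that runs the check.
public class SandboxPostureCheck {

    // /sys/fs/selinux/enforce reads "1" in enforcing mode and "0" in permissive
    // mode. Returns null when selinuxfs is not mounted (kernel built without it).
    public static Boolean isSelinuxEnforcing() {
        try (BufferedReader r = new BufferedReader(new FileReader("/sys/fs/selinux/enforce"))) {
            String line = r.readLine();
            return line != null && line.trim().equals("1");
        } catch (IOException e) {
            return null;
        }
    }

    // Parses /proc/mounts-style lines and reports whether the mount at
    // mountPoint carries the given option. Field order per proc(5):
    // device mountpoint fstype options dump pass
    public static boolean mountHasFlag(List<String> mountLines, String mountPoint, String flag) {
        for (String line : mountLines) {
            String[] f = line.trim().split("\\s+");
            if (f.length < 4 || !f[1].equals(mountPoint)) continue;
            for (String opt : f[3].split(",")) {
                if (opt.equals(flag)) return true;
            }
        }
        return false;
    }

    // Reads the calling process's own mount table. Run inside an app (zygote-
    // spawned) this should report true on 4.3; run from an adb shell it should
    // report false, because the remount only exists in zygote's mount namespace.
    public static boolean systemIsNosuidForMe() throws IOException {
        List<String> lines = new ArrayList<String>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/mounts"))) {
            String line;
            while ((line = r.readLine()) != null) lines.add(line);
        }
        return mountHasFlag(lines, "/system", "nosuid");
    }

    // Constructed sample data: the mount table an app sees versus what the
    // adb shell sees on the same 4.3 device.
    public static void main(String[] args) {
        List<String> appView = Arrays.asList(
            "/dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 ro,nosuid,nodev,relatime,data=ordered 0 0",
            "/dev/block/platform/sdhci-tegra.3/by-name/UDA /data ext4 rw,nosuid,nodev,noatime,data=ordered 0 0");
        List<String> shellView = Arrays.asList(
            "/dev/block/platform/sdhci-tegra.3/by-name/APP /system ext4 ro,relatime,data=ordered 0 0");

        System.out.println("app view, /system nosuid:   " + mountHasFlag(appView, "/system", "nosuid"));
        System.out.println("shell view, /system nosuid: " + mountHasFlag(shellView, "/system", "nosuid"));
        System.out.println("SELinux enforcing: " + isSelinuxEnforcing());
    }
}
```

On the constructed data the app view reports true and the shell view false, which is exactly the asymmetry the nosuid change introduces; on a stock 4.3 device isSelinuxEnforcing() returns false, matching the permissive default noted under SELinux above.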
- App Ops – a hidden per-app permission manager. It is not exposed in Settings by default, but apps such as Permission Manager on the Play Store are simply shortcuts to the hidden Settings activity and let you toggle individual permissions (location, contacts, notifications and so on) for each installed app. A glance at the package installer code confirmed what Android Police found:
<string name="grant_confirm_question">Do you want to grant the following permissions? It will get access to:</string>
This suggests users will eventually be able to allow or deny permissions at install time as well. App Ops isn't fully tested or rolled out by Google right now; Google will most likely enable it with Key Lime Pie.
- Find your lost phone with Android Device Manager – available later this month for devices running Android 2.2 or above; to use it you will need to be signed into your Google Account on the device. There will also be an Android app for finding and managing your devices. This will only partially work: it depends on the handset being powered on, online and still signed into the account, so a thief who goes offline or factory-resets first is out of reach. Remote locate, lock and wipe should be built into the firmware instead, where they survive a reset and are harder to tamper with.
Safe surfing folks!