Android is open source, customizable and the darling of many mobile application developers. But popularity, as they say, comes at a price. In this case, it’s the lack of security. In 2012 alone, 30,000 malicious and high-risk Android apps were discovered in June and this increased to almost 175,000 between July and September, as per TrendMicro’s report. Google is now taking some measures to increase the security level of the OS, though it’ll probably never (and may not even want to) impose the strict standards of Apple’s Store.
Jelly Bean is being commended as the most secure Android version Google has released so far. It has many security features, including a new real-time app scanner for sideloaded Android applications. In addition, since February 2012, Google has been automatically scanning apps submitted to its store.
Scanner app for Jelly Bean (Android 4.2)
With Android 4.2, Google has upped its defense against virus attacks, malicious code and hackers. The OS includes an inbuilt app scanner that scans Android apps downloaded from stores other than Google Play and checks them for malicious or extraneous code. Basically, the security option is available for your Android device.
The new service can be switched on or off by the user. When activated, the service takes a snapshot of the application to be downloaded and compares it against a database of known applications (700,000 apps in Play Store and other apps on the Web). It warns the user if there is any mismatch and the user can choose to continue with the download or not. Best part – the extra check does not cause any lag in the app downloading speed.
Other Android 4.0 security enhancements
Jelly Bean is the first Android version with full Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Charlie Miller, a veteran smartphone hacker and principal research consultant at security firm Accuvant, admits that this will make exploiting the code quite difficult. The two features will defend the OS against hackers looking to break into Android devices on the back of memory corruption bugs.
Jelly Bean also provides randomization for position-independent executables making it harder for hackers to exploit buffer overflows and other memory-corruption vulnerabilities that come up in the platform. Additionally, Jelly Bean defends against information leakage exploits that can turn into potentially dangerous security risks.
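As an added example (not part of the original article), the following check reads an ELF header to see whether a native binary is built so the protections described above can apply: a position-independent image (`ET_DYN`, a type shared libraries also carry) and a `PT_GNU_STACK` header without the execute flag. The helper `_sample_elf32` and its header bytes are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                      # e_type: fixed-address vs position-independent
PT_GNU_STACK, PF_X = 0x6474E551, 0x1        # stack permission header and execute flag

def check_hardening(elf: bytes) -> dict:
    """Report whether an ELF image is position-independent and has a non-executable stack."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    try:
        e_type = struct.unpack_from(end + "H", elf, 16)[0]
        if is64:
            e_phoff = struct.unpack_from(end + "Q", elf, 32)[0]
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
        else:
            e_phoff = struct.unpack_from(end + "I", elf, 28)[0]
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
        nx_stack = None                     # None: no PT_GNU_STACK header, loader default applies
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            p_type = struct.unpack_from(end + "I", elf, off)[0]
            if p_type == PT_GNU_STACK:
                # p_flags is at offset 4 in ELF64 program headers, 24 in ELF32
                flags_off = off + (4 if is64 else 24)
                p_flags = struct.unpack_from(end + "I", elf, flags_off)[0]
                nx_stack = not (p_flags & PF_X)
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}

def _sample_elf32(e_type: int, stack_flags: int) -> bytes:
    """Constructed 32-bit little-endian ARM ELF header with one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIIIIIHHHHHH",
                       e_type, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0)
    return ident + ehdr + phdr

if __name__ == "__main__":
    # Hardened build: position-independent, stack flags read+write only
    print(check_hardening(_sample_elf32(ET_DYN, 0x6)))
    # Legacy build: fixed load address, stack flags read+write+execute
    print(check_hardening(_sample_elf32(ET_EXEC, 0x7)))
```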
In contrast, Apple has fully implemented ASLR and DEP for more than a year now. Code signing, a protection that prevents unauthorized applications from running on the device by requiring code loaded into memory to carry a valid digital signature before it can be executed, is still absent on Android and has been part of iOS for a long time.
While many Android users may not be too concerned about Android security, it is a big pain point for IT security, which has to manage a range of personal smartphones and tablets as part of a Bring Your Own Device (BYOD) policy. It’s good to see Android move in the right direction for enterprise users.