A sneak peek at security features in the upcoming Android L release
Fix It

Google says the upcoming Android L release will be far more secure than its predecessors.
Despite the immense popularity of the Android mobile operating system, one significant damper on the euphoria is the lingering sense that Android devices lack security. Although virtually any business laptop today comes with convenient features for encrypting the hard disk, comparable features in Android smartphones are rare. Smartphone security in general, and security of Android phones in particular, is not good if you believe the media reports.
Kaspersky Lab had already discovered the 10-millionth Android malware app by the end of January 2014, despite the fact that Google Play lists hardly more than a million apps. Of the 350,000 unique mobile threats and more than 840 threat families, 98-99 percent now target Android.
The full gamut of Windows malware also exists in the Android universe: worms, adware, backdoors, monitors, risk tools, malicious remote admin tools, SMS flooders, and a full set of trojans: downloaders, droppers, fake AV, PSW, SMS, spyware, clickers, bankers, and ransom tools.
According to Christian Funk, a senior virus analyst with Kaspersky, the reasons for Android's security issues are wrapped up in developer practices and program verification. "The way access privileges for interfaces and user information have been implemented on Android is okay in principle. But what we see is that app programmers very often ask for access to areas that have nothing to do with the way their app works. Attackers take such permissive apps, inject malicious code, and offer them on sites other than Google Play."
To give users some peace of mind, Google plans nothing less than a total revamp of the security features for the upcoming Android L release (Figure 1). Although the L release is still a work in progress, and it doesn't even have a dessert name yet (although Lollipop is a likely candidate), many details of the new security architecture have already reached the public (Figure 2).

Opportunity Knox
One of the more interesting developments is that Samsung is helping Google implement additional security for the L version. The fact that Google is leaving it to Samsung is not surprising: Unlike most other manufacturers of Android phones, Samsung has offered its proprietary security framework for Android for some time; it goes by the name of Knox [1] (Figure 3). The Knox framework is named for Fort Knox, the super-secure facility where the United States government stores its gold.

Knox offers many features that are of critical importance in the enterprise. One important principle is establishing a "secure path" for the execution of programs. As long as UEFI is enabled, the BIOS executes only operating systems that a well-known manufacturer has digitally signed. Verifying the identity of the app could theoretically prevent an attacker from doctoring up an app with malicious code and posting it independently for download. (One could possibly work around this protection and still have a working device, but you would void the warranty, and, obviously, you would be foregoing the security benefits of the new feature.)
Knox offers many more security features, such as TIMA, the Trust zone-based Integrity Measurement Architecture [2]. TIMA combines several tools that protect the system kernel at run time. Options for biometric or smartcard authentication prevent unauthorized access, especially if the device falls into the wrong hands.
And then there are the managed profiles: Knox lets you separate business data from personal information on smartphones. Users can do whatever they want in the private part of the profile, but any business data is kept safe on the same smartphone. You'll find profiles along with other (fairly unsurprising) security features in the Android Settings app below Settings | Security (Figure 4).
At last: SE Linux becomes Android SE
Android also integrates the SE Linux [3] security feature, in the form of Android SE. The SE Linux tool, which provides sophisticated policy-based access control for Linux desktop and server systems, plays a central role in the security architecture of Android L.
SE Linux prevent programs from executing functions that they are not allowed to run, and if a program does gain unauthorized access, the protections integrated through SE Linux will help prevent privilege escalation. (A side effect is that you might have a more difficult time rooting your own phone.) Clamping down on the privileges assigned to a application at the policy level should help prevent attackers from modifying programs to do things they were never intended to do.
Updates
Security updates for older devices have been an issue with Android in the past. Porting these modifications to new versions of Android costs a lot of money, and because new Android smartphones are continually pouring onto the market, updates are regularly discontinued for devices that sometimes are little more than a year old. Even maintenance updates for patching well-known vulnerabilities sometimes don't find their way to users. Devices that don't receive regular updates pose a problem regardless of how many new security features you add to the operating system. Integrating SE Linux features could certainly add an additional barrier for malware slipping onto the system, but any way you look at it, a system that isn't receiving updates is still vulnerable.
Users have the option of installing aftermarket firmware. Tools such as Cyanogenmod [4], Paranoid Android [5], or Mokee [6] offer users an alternative to the update dead-end, but these solutions can sometimes have nasty side effects. Also, installing aftermarket firmware invalidates any form of app verification, because you first need to unlock the bootloader.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
News
-
Danielle Foré Has an Update for elementary OS 7
Now that Ubuntu 22.04 has been released, the team behind elementary OS is preparing for the upcoming 7.0 release.
-
Linux New Media Launches Open Source JobHub
New job website focuses on connecting technical and non-technical professionals with organizations in open source.
-
Ubuntu Cinnamon 22.04 Now Available
Ubuntu Cinnamon 22.04 has been released with all the additions from upstream as well as other features and improvements.
-
Pop!_OS 22.04 Has Officially Been Released
From the makers of some of the finest Linux-powered desktop and laptop computers on the market comes the latest version of their Ubuntu-based distribution, Pop!_OS 22.04.
-
Star Labs Unveils a New Small Format Linux PC
The Byte Mk I is an AMD-powered mini Linux PC with Coreboot support and plenty of power.
-
MX Linux Verison 21.1 “Wildflower” Now Available
The latest release of the systemd-less MX Linux is now ready for public consumption.
-
Microsoft Expands Their Windows Subsystem for Linux Offerings With AlmaLinux
Anyone who works with Windows Subsystem for Linux (WSL) will now find a new addition to the available distributions, one that’s become the front-runner replacement for CentOS.
-
Debian 11.3 Released wIth Numerous Bug and Security Fixes
The latest point release for Debian Bullseye is now available with some very important updates.
-
The First Alpha of Asahi Linux is Available
Asahi Linux is the first distribution to fully support Apple Silicon and is now available for testing.
-
Zorin OS 16.1 Released with a New Kernel For Better Hardware Compatibility
The developers of Zorin OS have released the latest version of their beautiful desktop Linux OS.