Google Fortifies Android 4.3 Security with SELinux

July 26, 2013 - Written By Abdulsalam Shalash

While it¢â‚¬â„¢s no secret that Android had its challenges with security over the years, Google has spared no effort in maintaining and polishing their operating system¢â‚¬â„¢s security as new versions roll out. Now as Google announced their new OS, Android 4.3, users were excited for new security measures taken that could build up security to a whole new level. Meet SELinux, short for Security Enhanced Linux, which is a feature that provides the mechanism for supporting access control security policies the same way the United States Department of Defense likes it, using mandatory access controls.‚ Mandatory access controls refer to a type of access control by which the operating system constrains the ability of a subject to access or generally perform some sort of operation on an object. In practice, a subject is usually an app; objects are constructs such as files, directories, Internet ports, passwords, etc. The old security relied on a discretionary access control, meaning the OS used to sandbox the app as a means of restricting access to sensitive data, based on the identity of the app, and its signature, so you can see that the new mandatory access control really levels-up our Android¢â‚¬â„¢s security.

jelly bean android 4.3 nexus 7

But Google didn¢â‚¬â„¢t stop there, the new version of Android makes it far more complex to store cryptographic credentials used to access sensitive information and resources on the Android Keychain. These credentials are mostly known for containing digital certificates used to access Wi-Fi networks, and VPNs, so you can see how important this upgrade is especially for companies that value their privacy yet fear‚ that employees¢â‚¬â„¢ phones might get lost or stolen.

“The phone needs to have a secure element, such as a Trusted Platform Module, so that private keys can’t be stolen, even if the phone is rooted and the attacker has full access to the operating system.” – said Pau Oliva Fora, senior mobile security engineer at viaForensics.

Google even boosted security on the Android¢â‚¬â„¢s keystrokes, since a lot of questions had been asked about apps storing keystrokes that allowed malicious users to hide a key logger inside famous keyboard apps like SwiftKey, and then distributing the malicious app on black market.