Android began as a mobile operating system years ago as and just like smartphone capabilities grew by leaps and bounds over the years, it adjusted itself to changing needs of customers and brought in a large number of new features as well as security settings to protect users’ privacy and data security. Based on the Linux platform, the operating system goes through a constant cycle of modifications and updates which are necessary to prevent its vulnerability from attacks. A couple of days ago, developers working on the Android platform charted out their next course of action to enhance the platform’s security which included a two pronged approach, namely memory protections and attack surface reductions.
The basic Linux kernel puts a number of its tasks within one address space. As such, any tiny vulnerability can quickly spread to other portions of the memory, thus increasing the critical nature of the system. To counter this, the developers are segregating the kernel memory into different sections and activating access permissions to ‘read-only’ or ‘read/write’ to keep each section insulated from others and to prevent it from spreading its vulnerability to other sections as well. At the same time, the developers are also preventing the kernel from accessing userspace memory directly, making it difficult for attackers to access the memory or to alter it. The new stack-protector-strong feature also offers protection against stack buffer overflows as well as for more array types.
As far as reducing attack surface is concerned, the developers are taking steps to block out access to the kernel’s perf system which is normally used for analysing applications and measuring performance and which used to be a major attack surface for hackers until now. Only genuine developers will henceforth be able to access the system by enabling developer settings and setting up a property using adb. At the same time, a number of third party apps accessed IOCTL commands, all of which were unrestricted. With Android Nougat, those IOCTL commands which are not accessed by apps will be restricted so as not to interfere with normal functionality and reduce attack surface at the same time. Earlier this year, it came to light that a security bug in the Linux kernel could compromise over half of all Android devices and given that such vulnerabilities keep arising from time to time, frequent upgrades of the kernel’s security settings and fixing of other vulnerabilities will go a long way towards ensuring privacy and data security for all users.