Android 4.3 was released today. Here’s a list of security-related changes and new features, with some comments, provided by our colleague, John Kozyrakis:
– /system is now mounted as nosuid. Not sure how this makes things more secure since there are no setuid binaries in /system by default afaik
– New system to revoke individual permissions from applications. Seems to gather a list of used permissions at runtime. That list could be useful in testing. http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/
– SELinux mandatory access control system
– KeyChain is now hardware-backed (if appropriate hardware exists). It uses a hardware root of trust (Secure Element/TrustZone/TPM) to encrypt keys, so keychain data would be unusable outside the phone
– There’s now a Keystore Provider API that creates and stores app-private keys for use by applications.
– Multi-user is more polished
– ‘restricted profiles’ can be created on tablets – this is basically customised guest accounts with access to specific installed apps
– Capability bounding using prctl(PR_CAPBSET_DROP) to drop sensitive capabilities from apps – should research which ones are dropped
– Apps use prctl(PR_SET_NO_NEW_PRIVS) to block addition of new privileges after application start
– More FORTIFY_SOURCE enhancements
– A number of other undisclosed security fixes
https://developer.android.com/about/versions/jelly-bean.html#android-43
http://developer.android.com/about/versions/android-4.3.html
http://developer.android.com/sdk/api_diff/18/changes.html
http://source.android.com/devices/tech/security/enhancements43.html
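
For the capability bounding item above, one way to check which capabilities a process has had dropped is to decode the `CapBnd` field of `/proc/<pid>/status`. This is an added example, not code from the original post or from Android; the function names are hypothetical, the name table follows `linux/capability.h` bit numbers 0 to 37, and the optional second argument is assumed to be the kernel's highest capability number (the value in `/proc/sys/kernel/cap_last_cap`).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability names indexed by bit number (linux/capability.h, bits 0..37). */
static const char *const CAP_NAMES[] = {
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW",
    "IPC_LOCK", "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD",
    "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG",
    "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ"
};
#define N_CAPS ((int)(sizeof CAP_NAMES / sizeof CAP_NAMES[0]))

/* Extract the CapBnd hex mask from the text of /proc/<pid>/status; -1 if absent. */
int parse_capbnd(const char *status, uint64_t *mask) {
    const char *p = strstr(status, "CapBnd:");
    if (p) *mask = strtoull(p + 7, NULL, 16);
    return p ? 0 : -1;
}

/* List capabilities 0..last_cap that are missing from mask; returns how many (n must be > 0). */
int dropped_caps(uint64_t mask, int last_cap, char *out, size_t n) {
    int count = 0;
    out[0] = '\0';
    for (int c = 0; c <= last_cap && c < N_CAPS; c++) {
        if (mask & (1ULL << c)) continue;   /* still in the bounding set */
        size_t used = strlen(out);
        snprintf(out + used, n - used, "%s%s", count++ ? "," : "", CAP_NAMES[c]);
    }
    return count;
}

int main(int argc, char **argv) {
    char path[64], buf[4096], names[640];
    uint64_t mask = 0;
    int last = argc > 2 ? atoi(argv[2]) : N_CAPS - 1;  /* kernel's cap_last_cap */
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 1; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    if (parse_capbnd(buf, &mask) != 0) return 1;
    int n = dropped_caps(mask, last, names, sizeof names);
    printf("CapBnd=%016llx dropped=%d [%s]\n", (unsigned long long)mask, n, names);
    return 0;
}
```

Pass a PID as the first argument to inspect another process; without the second argument, capability bits that an older kernel does not define are reported as dropped.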