KitKat Raises Android Security Bar
Improvements in KitKat should give Android's security reputation a boost. "Most users running KitKat will be protected against deep-penetration malware," said Bitdefender's Bogdan Botezatu. However, the strides made in KitKat may be muted by an ecosystem that's notoriously slow to upgrade to new versions of Android, he warned. Phone makers and carriers must commit to providing the latest releases.
Nov 11, 2013 3:13 PM PT
Google's mobile operating system Android has been a whipping boy for some segments of the security community, but the latest version of the software may begin to rehabilitate its reputation.
Android 4.4, or KitKat, contains a number of new and improved features that are garnering the praise of malware fighters. They include improved implementation of SELinux, better warnings about bad website certificates, and a fortified method for blocking potential malicious changes to the operating system.
SELinux is an open source security module developed for the Linux kernel by the NSA. Google incorporated it into the last version of Android, but allowed it to operate only in permissive mode. In that mode, it monitored a system but didn't act on what it saw happening there.
In KitKat, SELinux is running in enforcement mode. In that mode, it can block rogue applications trying to escalate their privileges to take control of a device.
Shadow of NSA
Considering the recent revelations about the NSA fiddling with security standards to give the agency unauthorized access to other people's data, questions might be raised about any code that's tied to the super spooks.
"It's been proven that anything the NSA touches has a way to let them back in," NSS Labs Research Director Chris Morales told TechNewsWorld.
Nevertheless, SELinux is 10 years old and over that time, a lot of open source eyes have looked at it for flaws.
"The assumption is that Google and others would have reviewed the code and seen exactly what it does," Morales said.
Although anyone can look at the SELinux code, realistically, the universe of people who have looked at it is relatively small and the universe of those who can do in-depth technical analysis of the code is even smaller.
"It's like Wikipedia," Tom Keigher, a senior penetration tester with Foreground Security, told TechNewsWorld. "Anybody can edit, but only a small group of people do."
Nevertheless, Keigher was skeptical of any NSA booby traps in SELinux. "I sincerely doubt it, and I've never seen anything to support that to be an issue," he said.
Major Step Forward
KitKat will also wave a red flag when it encounters queer certificates on the Web. A common ploy of Net bandits is to use fraudulent certificates to disguise their fraudulent websites as legitimate ones. When KitKat encounters a dubious certificate, it will warn a user so the bogus website can be avoided.
Google has also added to the KitKat kernel something it calls "Device Mapper Verity." DMV is like a check-sum for an operating system boot-up. It verifies a device's file system by comparing it to a baseline. The technology can stop rootkits from deploying on a device.
With these improvements, Android's security reputation should get a boost.
"Most users running KitKat will be protected against deep-penetration malware," Bogdan Botezatu, a senior e-threat analyst with Bitdefender, told TechNewsWorld.
However, the strides made in KitKat may be muted by an ecosystem that's notoriously slow to upgrade to new versions of Android, he warned.
"In the long run, if the phone makers and carriers aren't committed to supporting the users and providing them with the latest updates, they will be harmed," Botezatu added.
Nevertheless, KitKat's release is a watershed event for Android.
"This is a huge step in the right direction," JD Sherry, vice president of technology and solutions for Trend Micro, told TechNewsWorld.
"This is a step to stay ahead of attackers. That can be difficult in an open source platform," he pointed out.
"This is a big deal for the industry," added Sherry. "With Android having nearly 80 percent of the market, these are required and necessary changes to keep the mobile application ecosystem clean and keep the bad guys out of the mobile platforms."
- Nov. 4. Google Executive Chairman Eric Schmidt calls "outrageous" NSA spying on his company's data centers and "bad public policy" the agency's collection of phone records of 320 million people to identify 300 who might be security risks.
- Nov. 5. Javelin Strategy & Research reports 25 percent of the 16 million Americans who had payment card data compromised in 2012 also suffered identity theft.
- Nov. 5. Apple releases first transparency report on the numbers and types of requests for personal records it has received from law enforcement and government agencies around the world.
- Nov. 5. Consumer survey by ISACA reveals that nearly half of consumers find messages pushed to their phones as they pass a retailers' storefront invasive.
- Nov. 5. DaVita of Denver reports that personal information of some 11,500 patients was on a employee's stolen laptop. Although company policy is to encrypt all data on laptops, encryption was deactivated on the stolen laptop.
- Nov. 7. AT&T announces it will start including Lookout security software with all its Android phones to provide additional security layer for the devices.
- Nov. 7. Minnesota Legislative Auditor releases report finding data breach at the state's healthcare exchange, MNsure, was unintentional, but slack internal procedures contributed directly to the breach, which resulted in 1,600 Social Security numbers being compromised.
Upcoming Security Events
- Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
- Nov. 20. SC Congress Chicago 2013. 8:30 a.m.-7 p.m. CT. Chicago. Full Day Pass: $250.
- Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
- Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. "The Art of Exploiting Injection Flaws," $1,800 by Oct. 24; $2,000 by Dec. 6; $2,300 thereafter. "The Black Art of Malware Analysis," $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter. "CNSS-4016-I Risk Analysis Course," $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter.
- Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
- Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; after Dec. 1, $725.
- Feb. 17-20, 2014. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.